Analysis
max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system
submitted: 20-06-2024 18:53
Static task: static1
Behavioral task: behavioral1
    Sample: 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe
    Resource: win7-20240611-en
Behavioral task: behavioral2
    Sample: 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe
    Resource: win10v2004-20240611-en
General
Target: 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe
Size: 544KB
MD5: 08d531a7f7fff50d2b03fa906ab6a225
SHA1: 61fad11ae22a07183d2e535c0ce915b38bfac22f
SHA256: 4b4d5ff9c9a8ed6a202408872ca393c630ec364606963197a35292539322aa35
SHA512: b11a4e78874f5208f6eb759f63944a3f72d0adc3f6c94da2de3db58b1555714b2b322ddd3ed46b06767086f128372ae2c67c4cb7caabb01325444a00b467a551
SSDEEP: 12288:JAhH7ss1wJoXK8nrl+CnfGew9G9OXKGS0gq9Eeq6R+JoHGVX04b7:JAhj1+8nTnfGe39cKGLH97q1oHGB04b
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (3 IoCs)
Processes:
    resource                                                                         | yara_rule
    behavioral1/memory/3056-49-0x0000000000400000-0x000000000056B000-memory.dmp      | modiloader_stage2
    behavioral1/memory/2680-60-0x0000000000400000-0x000000000056B000-memory.dmp      | modiloader_stage2
    behavioral1/memory/3056-63-0x0000000000400000-0x000000000056B000-memory.dmp      | modiloader_stage2

Deletes itself (1 IoC)
Processes: cmd.exe
    pid  | process
    2536 | cmd.exe

Executes dropped EXE (1 IoC)
Processes: ddos.exe
    pid  | process
    2680 | ddos.exe

Loads dropped DLL (2 IoCs)
Processes: 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe
    pid  | process
    3056 | 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe
    3056 | 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe

Drops file in System32 directory (4 IoCs)
Processes: 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe, ddos.exe
    description                  | ioc                              | process
    File created                 | C:\Windows\SysWOW64\ddos.exe     | 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe
    File opened for modification | C:\Windows\SysWOW64\ddos.exe     | 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe
    File opened for modification | C:\Windows\SysWOW64\ddos.exe     | ddos.exe
    File created                 | C:\Windows\SysWOW64\Deleteme.bat | 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe
    description                        | pid  | process                                            | target process
    PID 3056 wrote to memory of 2680   | 3056 | 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe | ddos.exe
    PID 3056 wrote to memory of 2680   | 3056 | 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe | ddos.exe
    PID 3056 wrote to memory of 2680   | 3056 | 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe | ddos.exe
    PID 3056 wrote to memory of 2680   | 3056 | 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe | ddos.exe
    PID 3056 wrote to memory of 2536   | 3056 | 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe | cmd.exe
    PID 3056 wrote to memory of 2536   | 3056 | 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe | cmd.exe
    PID 3056 wrote to memory of 2536   | 3056 | 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe | cmd.exe
    PID 3056 wrote to memory of 2536   | 3056 | 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe | cmd.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe"
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 3056
   2. C:\Windows\SysWOW64\ddos.exe
      Command line: C:\Windows\system32\ddos.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      PID: 2680
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Windows\system32\Deleteme.bat
      - Deletes itself
      PID: 2536
Network
MITRE ATT&CK Matrix
Downloads
File 1
    Filesize: 212B
    MD5: c511e432ebe0af9bf5ae47b27898fa10
    SHA1: a4ee66b061df03ade296448b0d4ce3a3fcd0cad8
    SHA256: 11a0096a97c9438da8888d05c15c29e0a9c5669ba5f7887960983dec1f9d8ae4
    SHA512: ff78385419e823e44944cb564d1b7113838c8fde6f78c591ef42ee816e5183320b5fbc01e17648b61e6e11edc3ea08c220aa93d292ac205b9adf6698ff144e3c
File 2
    Filesize: 544KB
    MD5: 08d531a7f7fff50d2b03fa906ab6a225
    SHA1: 61fad11ae22a07183d2e535c0ce915b38bfac22f
    SHA256: 4b4d5ff9c9a8ed6a202408872ca393c630ec364606963197a35292539322aa35
    SHA512: b11a4e78874f5208f6eb759f63944a3f72d0adc3f6c94da2de3db58b1555714b2b322ddd3ed46b06767086f128372ae2c67c4cb7caabb01325444a00b467a551