Analysis
max time kernel: 140s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 18:53
Static task: static1
Behavioral task: behavioral1
  Sample: 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe
Size: 544KB
MD5: 08d531a7f7fff50d2b03fa906ab6a225
SHA1: 61fad11ae22a07183d2e535c0ce915b38bfac22f
SHA256: 4b4d5ff9c9a8ed6a202408872ca393c630ec364606963197a35292539322aa35
SHA512: b11a4e78874f5208f6eb759f63944a3f72d0adc3f6c94da2de3db58b1555714b2b322ddd3ed46b06767086f128372ae2c67c4cb7caabb01325444a00b467a551
SSDEEP: 12288:JAhH7ss1wJoXK8nrl+CnfGew9G9OXKGS0gq9Eeq6R+JoHGVX04b7:JAhj1+8nTnfGe39cKGLH97q1oHGB04b
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (2 IoCs)
resource                                                                      | yara_rule
behavioral2/memory/1880-29-0x0000000000400000-0x000000000056B000-memory.dmp  | modiloader_stage2
behavioral2/memory/4048-31-0x0000000000400000-0x000000000056B000-memory.dmp  | modiloader_stage2

Executes dropped EXE (1 IoC)
pid  | process
1880 | ddos.exe

Drops file in System32 directory (4 IoCs)
description                  | ioc                              | process
File created                 | C:\Windows\SysWOW64\ddos.exe     | 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ddos.exe     | 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ddos.exe     | ddos.exe
File created                 | C:\Windows\SysWOW64\Deleteme.bat | 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                      | pid  | process                                            | target process
PID 4048 wrote to memory of 1880 | 4048 | 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe | ddos.exe
PID 4048 wrote to memory of 1880 | 4048 | 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe | ddos.exe
PID 4048 wrote to memory of 1880 | 4048 | 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe | ddos.exe
PID 4048 wrote to memory of 1596 | 4048 | 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe | cmd.exe
PID 4048 wrote to memory of 1596 | 4048 | 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe | cmd.exe
PID 4048 wrote to memory of 1596 | 4048 | 08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe | cmd.exe
Processes
C:\Users\Admin\AppData\Local\Temp\08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\08d531a7f7fff50d2b03fa906ab6a225_JaffaCakes118.exe"
  PID: 4048
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\ddos.exe (child of PID 4048)
    command line: C:\Windows\system32\ddos.exe
    PID: 1880
    - Executes dropped EXE
    - Drops file in System32 directory
  C:\Windows\SysWOW64\cmd.exe (child of PID 4048)
    command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
    PID: 1596
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 212B
MD5: c511e432ebe0af9bf5ae47b27898fa10
SHA1: a4ee66b061df03ade296448b0d4ce3a3fcd0cad8
SHA256: 11a0096a97c9438da8888d05c15c29e0a9c5669ba5f7887960983dec1f9d8ae4
SHA512: ff78385419e823e44944cb564d1b7113838c8fde6f78c591ef42ee816e5183320b5fbc01e17648b61e6e11edc3ea08c220aa93d292ac205b9adf6698ff144e3c

Filesize: 544KB
MD5: 08d531a7f7fff50d2b03fa906ab6a225
SHA1: 61fad11ae22a07183d2e535c0ce915b38bfac22f
SHA256: 4b4d5ff9c9a8ed6a202408872ca393c630ec364606963197a35292539322aa35
SHA512: b11a4e78874f5208f6eb759f63944a3f72d0adc3f6c94da2de3db58b1555714b2b322ddd3ed46b06767086f128372ae2c67c4cb7caabb01325444a00b467a551