Analysis
- max time kernel: 142s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 20-06-2024 18:58
Static task: static1
Behavioral task: behavioral1
- Sample: 08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe
- Size: 272KB
- MD5: 08df5ac7fd3bd42e22bdf272ae0dc510
- SHA1: 2308dcf1d2d589bf9f022e032bf9099a22a57733
- SHA256: 7659256a8fa1774b74d216bb0f9144ad0d74cdcab9cebcd11175aeb840686570
- SHA512: 9d6b3f34bb0c8178c7a3e68f7d968db089d40856c2dfdd77721e418d9af183f699e1467141492bbce612c3d85398308c58cc9c616b8697429ab2ff420dee6750
- SSDEEP: 6144:/Ctpd1FUOL8toGLsZW7hUCOb++Fbz8Xod0q3N+TJifgvg:/Ctpd16OLnOexKod9IYfgvg
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (5 IoCs)
  Processes (resource / yara_rule):
    behavioral1/memory/1740-2-0x0000000000400000-0x0000000000503000-memory.dmp   modiloader_stage2
    behavioral1/memory/2012-16-0x0000000000400000-0x0000000000503000-memory.dmp  modiloader_stage2
    behavioral1/memory/1740-32-0x0000000000400000-0x0000000000503000-memory.dmp  modiloader_stage2
    behavioral1/memory/2012-33-0x0000000000400000-0x0000000000503000-memory.dmp  modiloader_stage2
    behavioral1/memory/1740-43-0x0000000000400000-0x0000000000503000-memory.dmp  modiloader_stage2
- Deletes itself (1 IoC)
  Processes (pid / process):
    3020  cmd.exe
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    2012  SVCH0ST.EXE
- Loads dropped DLL (7 IoCs)
  Processes (pid / process):
    1740  08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe
    1740  08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe
    2704  WerFault.exe
    2704  WerFault.exe
    2704  WerFault.exe
    2704  WerFault.exe
    2704  WerFault.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 2012 set thread context of 1956  2012  SVCH0ST.EXE  explorer.exe
- Drops file in Program Files directory (3 IoCs)
  Processes (description / ioc / process):
    File created                 C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat  08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe
    File created                 C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE   08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe
    File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE   08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description / ioc / process):
    File created                 C:\Windows\_SVCH0ST.EXE  SVCH0ST.EXE
    File opened for modification C:\Windows\_SVCH0ST.EXE  SVCH0ST.EXE
- Program crash (1 IoC)
  Processes (pid / pid_target / process / target process):
    2704  2012  WerFault.exe  SVCH0ST.EXE
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (description / pid / process / target process):
    PID 1740 wrote to memory of 2012  1740  08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe  SVCH0ST.EXE
    PID 1740 wrote to memory of 2012  1740  08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe  SVCH0ST.EXE
    PID 1740 wrote to memory of 2012  1740  08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe  SVCH0ST.EXE
    PID 1740 wrote to memory of 2012  1740  08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe  SVCH0ST.EXE
    PID 2012 wrote to memory of 1956  2012  SVCH0ST.EXE  explorer.exe
    PID 2012 wrote to memory of 1956  2012  SVCH0ST.EXE  explorer.exe
    PID 2012 wrote to memory of 1956  2012  SVCH0ST.EXE  explorer.exe
    PID 2012 wrote to memory of 1956  2012  SVCH0ST.EXE  explorer.exe
    PID 2012 wrote to memory of 1956  2012  SVCH0ST.EXE  explorer.exe
    PID 2012 wrote to memory of 1956  2012  SVCH0ST.EXE  explorer.exe
    PID 2012 wrote to memory of 2704  2012  SVCH0ST.EXE  WerFault.exe
    PID 2012 wrote to memory of 2704  2012  SVCH0ST.EXE  WerFault.exe
    PID 2012 wrote to memory of 2704  2012  SVCH0ST.EXE  WerFault.exe
    PID 2012 wrote to memory of 2704  2012  SVCH0ST.EXE  WerFault.exe
    PID 1740 wrote to memory of 3020  1740  08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe  cmd.exe
    PID 1740 wrote to memory of 3020  1740  08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe  cmd.exe
    PID 1740 wrote to memory of 3020  1740  08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe  cmd.exe
    PID 1740 wrote to memory of 3020  1740  08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe  cmd.exe
Processes (tree; the leading number is the depth in the process tree)
1. C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe"
   PID: 1740
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE
      Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE"
      PID: 2012
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\explorer.exe
         Command line: "C:\Windows\system32\explorer.exe"
         PID: 1956
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 280
         PID: 2704
         - Loads dropped DLL
         - Program crash
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""
      PID: 3020
      - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 272KB
  MD5: 08df5ac7fd3bd42e22bdf272ae0dc510
  SHA1: 2308dcf1d2d589bf9f022e032bf9099a22a57733
  SHA256: 7659256a8fa1774b74d216bb0f9144ad0d74cdcab9cebcd11175aeb840686570
  SHA512: 9d6b3f34bb0c8178c7a3e68f7d968db089d40856c2dfdd77721e418d9af183f699e1467141492bbce612c3d85398308c58cc9c616b8697429ab2ff420dee6750
- Filesize: 212B
  MD5: 01f0a9d1f9a695adca7cc5a3aa9162d3
  SHA1: 6545471dfd642ad486e768f81f9940d2a63f7a92
  SHA256: 93b3c17070812f7f78774b3f4559569b1d74dbe622db22adbebf05a186c1b52f
  SHA512: 51d6c1972c7f61907bd4cce13cb1f78a5eea579adc4cfa9cd91a02715bf2b9d7b44844a3ecbb54bd5d92f88cea9b3a062ea65df3cd8f6d7bee7ccbbc61c0b1a9