Analysis
- max time kernel: 51s
- max time network: 51s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-06-2024 18:58
Static task: static1
Behavioral task: behavioral1
  Sample: 08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: 08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe
- Size: 272KB
- MD5: 08df5ac7fd3bd42e22bdf272ae0dc510
- SHA1: 2308dcf1d2d589bf9f022e032bf9099a22a57733
- SHA256: 7659256a8fa1774b74d216bb0f9144ad0d74cdcab9cebcd11175aeb840686570
- SHA512: 9d6b3f34bb0c8178c7a3e68f7d968db089d40856c2dfdd77721e418d9af183f699e1467141492bbce612c3d85398308c58cc9c616b8697429ab2ff420dee6750
- SSDEEP: 6144:/Ctpd1FUOL8toGLsZW7hUCOb++Fbz8Xod0q3N+TJifgvg:/Ctpd16OLnOexKod9IYfgvg
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

- ModiLoader Second Stage (4 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/5000-2-0x0000000000400000-0x0000000000503000-memory.dmp | modiloader_stage2
  behavioral2/memory/372-11-0x0000000000400000-0x0000000000503000-memory.dmp | modiloader_stage2
  behavioral2/memory/372-20-0x0000000000400000-0x0000000000503000-memory.dmp | modiloader_stage2
  behavioral2/memory/5000-22-0x0000000000400000-0x0000000000503000-memory.dmp | modiloader_stage2

- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  372 | SVCH0ST.EXE

- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  description | pid | process | target process
  PID 372 set thread context of 3548 | 372 | SVCH0ST.EXE | explorer.exe
  PID 372 set thread context of 3776 | 372 | SVCH0ST.EXE | svchost.exe

- Drops file in Program Files directory (3 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat | 08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | 08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | 08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe

- Drops file in Windows directory (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Windows\_SVCH0ST.EXE | SVCH0ST.EXE
  File opened for modification | C:\Windows\_SVCH0ST.EXE | SVCH0ST.EXE

- Program crash (2 IoCs)
  Processes:
  pid | pid_target | process | target process
  4884 | 3776 | WerFault.exe | svchost.exe
  532 | 3548 | WerFault.exe | explorer.exe

- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
  description | pid | process | target process
  PID 5000 wrote to memory of 372 | 5000 | 08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | SVCH0ST.EXE
  PID 5000 wrote to memory of 372 | 5000 | 08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | SVCH0ST.EXE
  PID 5000 wrote to memory of 372 | 5000 | 08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | SVCH0ST.EXE
  PID 372 wrote to memory of 3548 | 372 | SVCH0ST.EXE | explorer.exe
  PID 372 wrote to memory of 3548 | 372 | SVCH0ST.EXE | explorer.exe
  PID 372 wrote to memory of 3548 | 372 | SVCH0ST.EXE | explorer.exe
  PID 372 wrote to memory of 3548 | 372 | SVCH0ST.EXE | explorer.exe
  PID 372 wrote to memory of 3548 | 372 | SVCH0ST.EXE | explorer.exe
  PID 372 wrote to memory of 3776 | 372 | SVCH0ST.EXE | svchost.exe
  PID 372 wrote to memory of 3776 | 372 | SVCH0ST.EXE | svchost.exe
  PID 372 wrote to memory of 3776 | 372 | SVCH0ST.EXE | svchost.exe
  PID 372 wrote to memory of 3776 | 372 | SVCH0ST.EXE | svchost.exe
  PID 372 wrote to memory of 3776 | 372 | SVCH0ST.EXE | svchost.exe
  PID 5000 wrote to memory of 2072 | 5000 | 08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | cmd.exe
  PID 5000 wrote to memory of 2072 | 5000 | 08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | cmd.exe
  PID 5000 wrote to memory of 2072 | 5000 | 08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe"
  PID: 5000
  Signatures: Drops file in Program Files directory; Suspicious use of WriteProcessMemory
  - C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE
    Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE"
    PID: 372
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\system32\explorer.exe"
      PID: 3548
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 12
        PID: 532
        Signatures: Program crash
    - C:\Windows\SysWOW64\svchost.exe
      Command line: "C:\Windows\system32\svchost.exe"
      PID: 3776
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 12
        PID: 4884
        Signatures: Program crash
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""
    PID: 2072
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3776 -ip 3776
  PID: 4380
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3548 -ip 3548
  PID: 3200
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 212B
  MD5: 01f0a9d1f9a695adca7cc5a3aa9162d3
  SHA1: 6545471dfd642ad486e768f81f9940d2a63f7a92
  SHA256: 93b3c17070812f7f78774b3f4559569b1d74dbe622db22adbebf05a186c1b52f
  SHA512: 51d6c1972c7f61907bd4cce13cb1f78a5eea579adc4cfa9cd91a02715bf2b9d7b44844a3ecbb54bd5d92f88cea9b3a062ea65df3cd8f6d7bee7ccbbc61c0b1a9
- Filesize: 272KB
  MD5: 08df5ac7fd3bd42e22bdf272ae0dc510
  SHA1: 2308dcf1d2d589bf9f022e032bf9099a22a57733
  SHA256: 7659256a8fa1774b74d216bb0f9144ad0d74cdcab9cebcd11175aeb840686570
  SHA512: 9d6b3f34bb0c8178c7a3e68f7d968db089d40856c2dfdd77721e418d9af183f699e1467141492bbce612c3d85398308c58cc9c616b8697429ab2ff420dee6750