Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 20-06-2024 20:01
Static task: static1
Behavioral task: behavioral1
- Sample: 095174c6e40909234aa8db843084b302_JaffaCakes118.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 095174c6e40909234aa8db843084b302_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 095174c6e40909234aa8db843084b302_JaffaCakes118.exe
- Size: 57KB
- MD5: 095174c6e40909234aa8db843084b302
- SHA1: 2dbd14a647d3a7f57181652b0c0a4c94842154c3
- SHA256: 16e422f3893d4d5eb913d89e4de87a17eb61b291f0ca13664abef851b93751c1
- SHA512: bd18e04e38b4340846f30f67f6a3d027ecdae0ce5ad9181be2800e5f850cfa48518457fcca96870ec0b5b14397625d18d40c641731d597e6392dc917c2048de5
- SSDEEP: 1536:nm7wjsVTJ+p3JrkGLawHE/E2j+EHwnOE1/o88t/T3lBv+:s+sVT45mn/bjnWo8sT1Bm
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1688-1-0x0000000000400000-0x000000000041F000-memory.dmp | modiloader_stage2
  behavioral1/memory/1688-4-0x0000000000400000-0x000000000041F000-memory.dmp | modiloader_stage2
  C:\Users\Admin\AppData\Local\Temp\temp.exe | modiloader_stage2
- Executes dropped EXE (2 IoCs)
  Processes:
  pid | process
  2192 | temp.exe
  2540 | tcpip.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  2636 | cmd.exe
  2636 | cmd.exe
- Drops file in System32 directory (4 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Windows\SysWOW64\tcpip.exe | temp.exe
  File opened for modification | C:\Windows\SysWOW64\tcpip.exe | temp.exe
  File created | C:\Windows\SysWOW64\mmmmmmmm.bat | temp.exe
  File created | C:\Windows\SysWOW64\msiupdata.dll | tcpip.exe
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  Processes:
  pid | process
  1688 | 095174c6e40909234aa8db843084b302_JaffaCakes118.exe (2 entries)
  2192 | temp.exe (5 entries)
  2540 | tcpip.exe (5 entries)
  2192 | temp.exe (11 entries)
  2540 | tcpip.exe (1 entry)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2192 | temp.exe
  Token: SeDebugPrivilege | 2540 | tcpip.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
  description | pid | process | target process
  PID 1688 wrote to memory of 2636 | 1688 | 095174c6e40909234aa8db843084b302_JaffaCakes118.exe | cmd.exe (4 entries)
  PID 2636 wrote to memory of 2192 | 2636 | cmd.exe | temp.exe (4 entries)
  PID 2192 wrote to memory of 2660 | 2192 | temp.exe | cmd.exe (4 entries)
  PID 2540 wrote to memory of 1200 | 2540 | tcpip.exe | Explorer.EXE (1 entry)
Processes
- C:\Windows\Explorer.EXE (PID 1200)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\095174c6e40909234aa8db843084b302_JaffaCakes118.exe (PID 1688)
    Command line: "C:\Users\Admin\AppData\Local\Temp\095174c6e40909234aa8db843084b302_JaffaCakes118.exe"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2636)
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\temp.exe
      Signatures:
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\temp.exe (PID 2192)
        Command line: C:\Users\Admin\AppData\Local\Temp\temp.exe
        Signatures:
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 2660)
          Command line: cmd /c C:\Windows\system32\mmmmmmmm.bat
- C:\Windows\SysWOW64\tcpip.exe (PID 2540)
  Command line: C:\Windows\SysWOW64\tcpip.exe
  Signatures:
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Downloads
- Filesize: 43KB
  MD5: 5ec85a8cc55180c83a471e423fa582fc
  SHA1: b5819903dc81e8e37682566c49fc42072b4b5dfa
  SHA256: eef41e54a59d4bd70ccfcced60f10a58c75ee13827f629fb566eef2ce43c7af0
  SHA512: 78f952ad04c1c5dca792a87deb9ed20a292364d8ffaf395cec95e0555c2c699dbd65af1e125b498f7cf35bbd796be69b74a87f7f56cc6973f1012cadf9a93c17
- Filesize: 136B
  MD5: bbb1363ff9d91459fafad63764db72a0
  SHA1: 39363d056769002ec16b5bd869d9a3548d5d131b
  SHA256: 4313d66d27196d0fc03c77e21f2b6020adf3f8cf4b7ca6895151c92cf0136bb9
  SHA512: 41bcbaefc2d018f93253202b5fe8864e28b232c3c9a7e7237d74b3a3078dec824fad25045dafc44d3a3faafc0a9bbf3d2d62df08628443a8a1a2fa375974b59a