Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system
submitted: 03/07/2024, 23:46
Static task: static1
Behavioral task: behavioral1
- Sample: 23e47f3e6a5673d16fec3f7355465c98_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 23e47f3e6a5673d16fec3f7355465c98_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 23e47f3e6a5673d16fec3f7355465c98_JaffaCakes118.exe
- Size: 524KB
- MD5: 23e47f3e6a5673d16fec3f7355465c98
- SHA1: 81772f866d8cf99c67b036e54622ae1146d58988
- SHA256: 3e0b4eba967c1992240faede31468d52e61814b4926475bc4b13687c30d20b1d
- SHA512: 2cfd362e6c44588d5827934fa0128ac3a3b13c09d830ad59aa870667986504ee94c47ac4c2d1896721ce41c155bcd6de047bef1f86e9050e885c40bd9d8b8fa4
- SSDEEP: 12288:kYtY5Ebl0KvMaHs2LQI8xQLi9RSD5JQ2zYoP+RY/BtGn7AS2dIoFG48GdAPhqgE+:kcY5mTs2YxHR00peDG7ASS85o/+
Malware Config
Signatures
- ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage 1 IoCs
  resource: behavioral1/memory/2148-9-0x0000000000400000-0x00000000004BC03E-memory.dmp
  yara_rule: modiloader_stage2
- Suspicious use of SetThreadContext 1 IoCs
  description: PID 2148 set thread context of 2364
  pid: 2148
  Process: 23e47f3e6a5673d16fec3f7355465c98_JaffaCakes118.exe
  procid_target: 28
- Drops file in Program Files directory 1 IoCs
  description: File created
  ioc: C:\Program Files\FieleWay.txt
  Process: 23e47f3e6a5673d16fec3f7355465c98_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory 6 IoCs
  (columns: description | pid | Process | procid_target)
  PID 2148 wrote to memory of 2364 | 2148 | 23e47f3e6a5673d16fec3f7355465c98_JaffaCakes118.exe | 28
  PID 2148 wrote to memory of 2364 | 2148 | 23e47f3e6a5673d16fec3f7355465c98_JaffaCakes118.exe | 28
  PID 2148 wrote to memory of 2364 | 2148 | 23e47f3e6a5673d16fec3f7355465c98_JaffaCakes118.exe | 28
  PID 2148 wrote to memory of 2364 | 2148 | 23e47f3e6a5673d16fec3f7355465c98_JaffaCakes118.exe | 28
  PID 2148 wrote to memory of 2364 | 2148 | 23e47f3e6a5673d16fec3f7355465c98_JaffaCakes118.exe | 28
  PID 2148 wrote to memory of 2364 | 2148 | 23e47f3e6a5673d16fec3f7355465c98_JaffaCakes118.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\23e47f3e6a5673d16fec3f7355465c98_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\23e47f3e6a5673d16fec3f7355465c98_JaffaCakes118.exe"
  PID: 2148
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mstsc.exe
    Command line: "C:\Windows\system32\mstsc.exe"
    PID: 2364