Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
04/07/2024, 01:53
Behavioral task
behavioral1
Sample
243ccf40e26ccdc463f6a62286996562_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
243ccf40e26ccdc463f6a62286996562_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
243ccf40e26ccdc463f6a62286996562_JaffaCakes118.exe
-
Size
390KB
-
MD5
243ccf40e26ccdc463f6a62286996562
-
SHA1
099d672f5a4480dee97baef6a842c7c138a20bb0
-
SHA256
b793083ab5281b73a36233a97b4d01079f37526892c91a03e215df43697246da
-
SHA512
685c6486de4a7193bbed8401c05e8aac8a4376580433e4d59579cda5665dc5dc55e0a0e2bb379a9acf26f82f3324e8ee5541eba401e457846e8bac730f5f45c2
-
SSDEEP
12288:YzWhxgpPP6JOJ8jpY4Vj+qp2XYathGumd1:EyWP6OJ8jpY0DcJ2Z/
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
resource                                                                    yara_rule
behavioral2/memory/4968-4-0x0000000011000000-0x0000000011061000-memory.dmp  modiloader_stage2 -
Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process                                             procid_target
PID 4968 set thread context of 732   4968  243ccf40e26ccdc463f6a62286996562_JaffaCakes118.exe  81
(The target's Windows PID is the 732 in the description; procid_target is the report's own process index, not a PID.) -
Suspicious use of WriteProcessMemory 5 IoCs
description                          pid   Process                                             procid_target
PID 4968 wrote to memory of 732      4968  243ccf40e26ccdc463f6a62286996562_JaffaCakes118.exe  81
PID 4968 wrote to memory of 732      4968  243ccf40e26ccdc463f6a62286996562_JaffaCakes118.exe  81
PID 4968 wrote to memory of 732      4968  243ccf40e26ccdc463f6a62286996562_JaffaCakes118.exe  81
PID 4968 wrote to memory of 732      4968  243ccf40e26ccdc463f6a62286996562_JaffaCakes118.exe  81
PID 4968 wrote to memory of 732      4968  243ccf40e26ccdc463f6a62286996562_JaffaCakes118.exe  81
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\243ccf40e26ccdc463f6a62286996562_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\243ccf40e26ccdc463f6a62286996562_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   PID:4968 -
   2. C:\Users\Admin\AppData\Local\Temp\243ccf40e26ccdc463f6a62286996562_JaffaCakes118.exe (child of PID 4968)
      Command line: C:\Users\Admin\AppData\Local\Temp\243ccf40e26ccdc463f6a62286996562_JaffaCakes118.exe
      PID:732
The child (PID 732) is a second instance of the same executable launched by PID 4968; it is the target of every SetThreadContext and WriteProcessMemory call listed under Signatures, which is the parent-writes-into-own-child pattern typical of process hollowing, and the modiloader_stage2 YARA hit is on the parent's memory at 0x11000000.
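The signature rows and the process tree together describe one behaviour: a process writes into a child that runs its own image and then redirects one of that child's threads. As an added example (not part of the sandbox report or of any sandbox vendor's tooling), the following Python parses rows written in the wording used above ("PID X wrote to memory of Y ..."; that layout is an assumption tied to this page's text), joins them with the process tree, and flags only parent/child pairs that show both calls. Either call on its own is common in benign software, so the check requires the combination. The row text, the image name and the tree are constructed from the figures on this page.

```python
"""Flag the process-hollowing pattern recorded in the report's signature rows.

Example code added to this page; it is not part of the sandbox report or any
sandbox tooling. The row wording it parses ("PID X wrote to memory of Y ...")
is assumed to match the text above; the trailing internal index is ignored.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

IMAGE = "243ccf40e26ccdc463f6a62286996562_JaffaCakes118.exe"

# Constructed sample input: the SetThreadContext row and the five
# WriteProcessMemory rows from the report, run together as extracted.
REPORT_ROWS = (
    "PID 4968 set thread context of 732 4968 %s 81 " % IMAGE
    + ("PID 4968 wrote to memory of 732 4968 %s 81 " % IMAGE) * 5
)

# Process tree from the report: pid -> (image, parent pid).
PROCESS_TREE = {4968: (IMAGE, None), 732: (IMAGE, 4968)}


@dataclass(frozen=True)
class ApiEvent:
    api: str         # Win32 API the row records
    pid: int         # calling process
    image: str       # image name of the calling process
    target_pid: int  # process whose memory or thread was touched


# Row layout assumed here: "PID <pid> <wording> <target> <pid> <image> <index>".
_ROW_RE = re.compile(
    r"PID (?P<pid>\d+) (?P<desc>set thread context of|wrote to memory of) "
    r"(?P<target>\d+) (?P=pid) (?P<image>\S+) \d+"
)
_API_FOR = {
    "set thread context of": "SetThreadContext",
    "wrote to memory of": "WriteProcessMemory",
}


def parse_rows(text):
    """Turn the report's flattened signature rows into ApiEvent records."""
    return [
        ApiEvent(_API_FOR[m["desc"]], int(m["pid"]), m["image"], int(m["target"]))
        for m in _ROW_RE.finditer(text)
    ]


def find_hollowing(events, tree):
    """Return one record per (parent, child) pair where the parent both wrote
    into a child it spawned and redirected one of the child's threads.

    Either call alone is ordinary (debuggers, installers, crash handlers);
    the combination against one's own child is the hollowing signature.
    """
    seen = defaultdict(lambda: {"apis": set(), "writes": 0})
    for ev in events:
        rec = seen[(ev.pid, ev.target_pid)]
        rec["apis"].add(ev.api)
        if ev.api == "WriteProcessMemory":
            rec["writes"] += 1

    hits = []
    for (pid, target), rec in seen.items():
        if not {"WriteProcessMemory", "SetThreadContext"} <= rec["apis"]:
            continue
        child_image, parent = tree.get(target, (None, None))
        if parent != pid:
            continue  # writes into an unrelated process are a different technique
        hits.append({
            "parent": pid,
            "child": target,
            "writes": rec["writes"],
            # Same image launched as its own child, as in this report.
            "self_hollowing": child_image == tree.get(pid, (None, None))[0],
        })
    return hits


if __name__ == "__main__":
    for hit in find_hollowing(parse_rows(REPORT_ROWS), PROCESS_TREE):
        print(hit)
```

Running it against the rows on this page yields a single hit for parent 4968 and child 732 with five writes and self_hollowing set, while the same rows with the SetThreadContext row removed, or with the tree edited so 732 is not a child of 4968, yield nothing.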