Analysis
max time kernel: 132s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2024, 02:24
Static task: static1
Behavioral task: behavioral1
  Sample: 2450c1179cc94387067c9d8b87fb0d00_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 2450c1179cc94387067c9d8b87fb0d00_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 2450c1179cc94387067c9d8b87fb0d00_JaffaCakes118.exe
Size: 639KB
MD5: 2450c1179cc94387067c9d8b87fb0d00
SHA1: add9bb05f1da5f72186ee7777a89daf9f936212f
SHA256: e8a0e3a54f0d08a826ef04b40bd21af012f47703038b9ae09e07b0e30aecdc68
SHA512: 8f893294d155af4aa20078db318693fb73d93ab0d5c13c3c9a4a7d49ccc8d3a028d0274217d89d0d021bb16c3cced44958adb7b6078f2d8f64c188ce5961e764
SSDEEP: 12288:KoBIj0KaqVo7PWbash7ZexveJe28GeytF3Z4mxxVJPBS4EtQHySuBJoL4oTgNWA:J+jEq6g7ZeB52BtQmXWouUMoTgNWA
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (2 IoCs)
  resource | yara_rule
  behavioral2/memory/2456-42-0x0000000000400000-0x0000000000517000-memory.dmp | modiloader_stage2
  behavioral2/memory/3592-45-0x0000000000400000-0x0000000000517000-memory.dmp | modiloader_stage2

Executes dropped EXE (1 IoC)
  pid | Process
  3592 | rejoice46.exe

Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\_rejoice46.exe | rejoice46.exe
  File opened for modification | C:\Windows\SysWOW64\_rejoice46.exe | rejoice46.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 3592 set thread context of 2436 | 3592 | rejoice46.exe | 86

Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat | 2450c1179cc94387067c9d8b87fb0d00_JaffaCakes118.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice46.exe | 2450c1179cc94387067c9d8b87fb0d00_JaffaCakes118.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice46.exe | 2450c1179cc94387067c9d8b87fb0d00_JaffaCakes118.exe

Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  2336 | 2436 | WerFault.exe | 86
  3844 | 3592 | WerFault.exe | 85

Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | Process | procid_target
  PID 2456 wrote to memory of 3592 | 2456 | 2450c1179cc94387067c9d8b87fb0d00_JaffaCakes118.exe | 85
  PID 2456 wrote to memory of 3592 | 2456 | 2450c1179cc94387067c9d8b87fb0d00_JaffaCakes118.exe | 85
  PID 2456 wrote to memory of 3592 | 2456 | 2450c1179cc94387067c9d8b87fb0d00_JaffaCakes118.exe | 85
  PID 3592 wrote to memory of 2436 | 3592 | rejoice46.exe | 86
  PID 3592 wrote to memory of 2436 | 3592 | rejoice46.exe | 86
  PID 3592 wrote to memory of 2436 | 3592 | rejoice46.exe | 86
  PID 3592 wrote to memory of 2436 | 3592 | rejoice46.exe | 86
  PID 3592 wrote to memory of 2436 | 3592 | rejoice46.exe | 86
  PID 3592 wrote to memory of 3800 | 3592 | rejoice46.exe | 88
  PID 3592 wrote to memory of 3800 | 3592 | rejoice46.exe | 88
  PID 2456 wrote to memory of 2284 | 2456 | 2450c1179cc94387067c9d8b87fb0d00_JaffaCakes118.exe | 94
  PID 2456 wrote to memory of 2284 | 2456 | 2450c1179cc94387067c9d8b87fb0d00_JaffaCakes118.exe | 94
  PID 2456 wrote to memory of 2284 | 2456 | 2450c1179cc94387067c9d8b87fb0d00_JaffaCakes118.exe | 94
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\2450c1179cc94387067c9d8b87fb0d00_JaffaCakes118.exe (PID 2456)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2450c1179cc94387067c9d8b87fb0d00_JaffaCakes118.exe"
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice46.exe (PID 3592)
    Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice46.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\calc.exe (PID 2436)
      Command line: "C:\Windows\system32\calc.exe"

      C:\Windows\SysWOW64\WerFault.exe (PID 2336)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 124
        - Program crash

    C:\program files\internet explorer\IEXPLORE.EXE (PID 3800)
      Command line: "C:\program files\internet explorer\IEXPLORE.EXE"

    C:\Windows\SysWOW64\WerFault.exe (PID 3844)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 700
      - Program crash

  C:\Windows\SysWOW64\cmd.exe (PID 2284)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""

C:\Windows\SysWOW64\WerFault.exe (PID 4704)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3592 -ip 3592

C:\Windows\SysWOW64\WerFault.exe (PID 2588)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2436 -ip 2436
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 212B
MD5: dd966e47069fc16a2e685baf9544d290
SHA1: 924649cb0706d8c3bb7267c13b438d29af2a9726
SHA256: b946a1ea94ca615d1669620eedc72c5334fe453a0e0409174960c093d1ade55c
SHA512: 74ddb2c3f5b3f8fc94ddf196ebd1f32c7fa3a95557755fe84c3d9f91a568f4209e8eeee2c8b9f1efea584a90186d0b4215ad194f9c0d90d7977e301f9586b498

Filesize: 639KB
MD5: 2450c1179cc94387067c9d8b87fb0d00
SHA1: add9bb05f1da5f72186ee7777a89daf9f936212f
SHA256: e8a0e3a54f0d08a826ef04b40bd21af012f47703038b9ae09e07b0e30aecdc68
SHA512: 8f893294d155af4aa20078db318693fb73d93ab0d5c13c3c9a4a7d49ccc8d3a028d0274217d89d0d021bb16c3cced44958adb7b6078f2d8f64c188ce5961e764