Analysis
max time kernel: 140s
max time network: 123s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 04/07/2024, 02:28

Behavioral task: behavioral1
Sample: 24536f9ca1e6dfcf585b20739e345cc3_JaffaCakes118.exe
Resource: win7-20240220-en
General
Target: 24536f9ca1e6dfcf585b20739e345cc3_JaffaCakes118.exe
Size: 707KB
MD5: 24536f9ca1e6dfcf585b20739e345cc3
SHA1: 7f64ff8a32ca06a3c3c1c359b00a9cd45f459b18
SHA256: 4621bffa6b27d56c7e14b171bc7f2495247addf54d5d97b136111feba32f7a50
SHA512: 8df83254af40b5796daaec1cf21a42e6474f73a354ef4bb83046ac25149a674946bc09520238ac03138645e7ae80ad1e4ca8c5653d9f912a8f3a92d79fe6df32
SSDEEP: 12288:IcAQjBba3OUcn2yJWd0MpfntYWfrm5ebNnBegd6eHRr1MUAUibdr1vokIOe:G33on2yJWX5nt28egpHRGFLd51
Malware Config
(no configuration was extracted in this run)
Signatures

ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a loader written in Delphi that abuses legitimate cloud file-hosting services to download other malicious families as its next stage.

ModiLoader Second Stage (14 IoCs)
YARA rule modiloader_stage2 matched in memory dumps 1 through 14 of PID 2184, every time over the same region 0x0000000000400000-0x00000000005A0000. 0x400000 is the default image base of a 32-bit PE, so the decoded second stage lives inside the loaded executable's own image rather than in a separately allocated region.
resource / yara_rule:
behavioral1/memory/2184-1-0x0000000000400000-0x00000000005A0000-memory.dmp  modiloader_stage2
behavioral1/memory/2184-2-0x0000000000400000-0x00000000005A0000-memory.dmp  modiloader_stage2
behavioral1/memory/2184-3-0x0000000000400000-0x00000000005A0000-memory.dmp  modiloader_stage2
behavioral1/memory/2184-4-0x0000000000400000-0x00000000005A0000-memory.dmp  modiloader_stage2
behavioral1/memory/2184-5-0x0000000000400000-0x00000000005A0000-memory.dmp  modiloader_stage2
behavioral1/memory/2184-6-0x0000000000400000-0x00000000005A0000-memory.dmp  modiloader_stage2
behavioral1/memory/2184-7-0x0000000000400000-0x00000000005A0000-memory.dmp  modiloader_stage2
behavioral1/memory/2184-8-0x0000000000400000-0x00000000005A0000-memory.dmp  modiloader_stage2
behavioral1/memory/2184-9-0x0000000000400000-0x00000000005A0000-memory.dmp  modiloader_stage2
behavioral1/memory/2184-10-0x0000000000400000-0x00000000005A0000-memory.dmp  modiloader_stage2
behavioral1/memory/2184-11-0x0000000000400000-0x00000000005A0000-memory.dmp  modiloader_stage2
behavioral1/memory/2184-12-0x0000000000400000-0x00000000005A0000-memory.dmp  modiloader_stage2
behavioral1/memory/2184-13-0x0000000000400000-0x00000000005A0000-memory.dmp  modiloader_stage2
behavioral1/memory/2184-14-0x0000000000400000-0x00000000005A0000-memory.dmp  modiloader_stage2
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer that runs Windows applications on non-Windows systems, and some sandboxes are built on it. Opening HKCU\Software\Wine is a cheap environment check: Wine creates that key, while it is normally absent on a real Windows install, so a successful open tells the malware it is being analysed and lets it change behaviour.
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine
process: 24536f9ca1e6dfcf585b20739e345cc3_JaffaCakes118.exe (PID 2184)
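The registry probe above is easy to hunt for in endpoint telemetry, but two details trip people up: the key path arrives in different spellings (the kernel form \REGISTRY\USER\<SID>\... shown in this report, the HKU\<SID>\... form written by Sysmon and ETW, or the long HKEY_* names), and Sysmon does not log key opens at all (only key create/delete, value set and rename), so the source has to be Microsoft-Windows-Kernel-Registry ETW or an EDR that records RegOpenKey. The following is an added example, not code from the report or the sandbox, that normalises all of those forms onto one spelling and flags processes touching the Wine key; the event records are constructed for this example, and the PROBE_KEYS table is deliberately limited to the single key this report shows.

```python
import re
from collections import defaultdict

# Registry keys that ordinary Windows software has no reason to open and that
# malware uses to fingerprint the environment. Only the key seen in this report
# is listed; the value is a short tag for the evasion it indicates.
PROBE_KEYS = {
    r"HKCU\Software\Wine": "wine",
}

HIVE_ALIASES = {
    "HKEY_USERS": "HKU",
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
}
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


def normalize_key(path: str) -> str:
    # Accepts the kernel form (\REGISTRY\USER\<SID>\...), the Sysmon/ETW form
    # (HKU\<SID>\...) and the long hive names, and returns the HKCU/HKLM spelling
    # used in PROBE_KEYS. A per-user key under HKU\<SID> is reported as HKCU so
    # the same rule matches whichever user SID the sandbox logged on with.
    parts = path.replace("/", "\\").strip("\\").split("\\")
    if parts[0].upper() == "REGISTRY" and len(parts) > 1:
        hive = {"USER": "HKU", "MACHINE": "HKLM"}.get(parts[1].upper(), parts[1].upper())
        parts = [hive] + parts[2:]
    else:
        parts[0] = HIVE_ALIASES.get(parts[0].upper(), parts[0].upper())
    if parts[0] == "HKU" and len(parts) > 1 and SID_RE.match(parts[1]):
        parts = ["HKCU"] + parts[2:]
    return "\\".join(parts)


def find_probes(events):
    # events: registry key-open records as dicts with 'pid', 'image' and 'key'.
    # Returns {(pid, image): {tag, ...}} for every process that opened a probe
    # key or any subkey of it, compared case-insensitively.
    hits = defaultdict(set)
    for ev in events:
        key = normalize_key(ev["key"]).upper()
        for probe, tag in PROBE_KEYS.items():
            probe = probe.upper()
            if key == probe or key.startswith(probe + "\\"):
                hits[(ev["pid"], ev["image"])].add(tag)
    return dict(hits)


# Constructed key-open records: the first is the IoC from this report, the other
# two are ordinary activity added to show that they do not match.
SAMPLE = "24536f9ca1e6dfcf585b20739e345cc3_JaffaCakes118.exe"
SAMPLE_EVENTS = [
    {"pid": 2184, "image": SAMPLE,
     "key": r"\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine"},
    {"pid": 2184, "image": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
    {"pid": 1384, "image": "explorer.exe",
     "key": r"HKU\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer"},
]

if __name__ == "__main__":
    for (pid, image), tags in find_probes(SAMPLE_EVENTS).items():
        print(f"{image} (pid {pid}) probed: {', '.join(sorted(tags))}")
```

Treat a single hit as a signal rather than a verdict: software that genuinely runs under Wine, and installers that refuse to run there, open the same key for legitimate reasons. In this report the probe is worth more because it appears alongside the anti-debugging and process-enumeration behaviour listed below.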
Themida packer (15 IoCs)
YARA rule themida matched in every memory dump (0 through 14) of PID 2184 over the same region 0x0000000000400000-0x00000000005A0000. Themida is a commercial software protector whose anti-debugging and anti-dumping layers wrap the real program; it is present from dump 0, one snapshot before the ModiLoader second stage is first detected in the same region.
resource / yara_rule:
behavioral1/memory/2184-0-0x0000000000400000-0x00000000005A0000-memory.dmp  themida
behavioral1/memory/2184-1-0x0000000000400000-0x00000000005A0000-memory.dmp  themida
behavioral1/memory/2184-2-0x0000000000400000-0x00000000005A0000-memory.dmp  themida
behavioral1/memory/2184-3-0x0000000000400000-0x00000000005A0000-memory.dmp  themida
behavioral1/memory/2184-4-0x0000000000400000-0x00000000005A0000-memory.dmp  themida
behavioral1/memory/2184-5-0x0000000000400000-0x00000000005A0000-memory.dmp  themida
behavioral1/memory/2184-6-0x0000000000400000-0x00000000005A0000-memory.dmp  themida
behavioral1/memory/2184-7-0x0000000000400000-0x00000000005A0000-memory.dmp  themida
behavioral1/memory/2184-8-0x0000000000400000-0x00000000005A0000-memory.dmp  themida
behavioral1/memory/2184-9-0x0000000000400000-0x00000000005A0000-memory.dmp  themida
behavioral1/memory/2184-10-0x0000000000400000-0x00000000005A0000-memory.dmp  themida
behavioral1/memory/2184-11-0x0000000000400000-0x00000000005A0000-memory.dmp  themida
behavioral1/memory/2184-12-0x0000000000400000-0x00000000005A0000-memory.dmp  themida
behavioral1/memory/2184-13-0x0000000000400000-0x00000000005A0000-memory.dmp  themida
behavioral1/memory/2184-14-0x0000000000400000-0x00000000005A0000-memory.dmp  themida
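The two memory-dump hit lists above (themida and modiloader_stage2) carry more information than the raw tokens suggest: both rules fire over the identical region 0x400000-0x5A0000, themida from dump 0 and modiloader_stage2 only from dump 1 onward, which is consistent with the protector decoding the ModiLoader payload in place inside the main image between the first two snapshots. The following is an added example, not code from the report or the sandbox, that parses hit tokens of the form <task>/memory/<pid>-<dump>-<start>-<end>-memory.dmp <rule>, groups them by region and orders the rules by first appearance; the input string is the report's own hit lists copied verbatim into a constructed constant, and the 707KB file size is taken from the General section.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# YARA memory-dump hits copied from the two rule lists in this report (PID 2184),
# joined into one constructed input string. Token format:
#   <task>/memory/<pid>-<dump index>-<region start>-<region end>-memory.dmp <rule>
REPORT_HITS = """
behavioral1/memory/2184-0-0x0000000000400000-0x00000000005A0000-memory.dmp themida
behavioral1/memory/2184-1-0x0000000000400000-0x00000000005A0000-memory.dmp themida
behavioral1/memory/2184-2-0x0000000000400000-0x00000000005A0000-memory.dmp themida
behavioral1/memory/2184-3-0x0000000000400000-0x00000000005A0000-memory.dmp themida
behavioral1/memory/2184-4-0x0000000000400000-0x00000000005A0000-memory.dmp themida
behavioral1/memory/2184-5-0x0000000000400000-0x00000000005A0000-memory.dmp themida
behavioral1/memory/2184-6-0x0000000000400000-0x00000000005A0000-memory.dmp themida
behavioral1/memory/2184-7-0x0000000000400000-0x00000000005A0000-memory.dmp themida
behavioral1/memory/2184-8-0x0000000000400000-0x00000000005A0000-memory.dmp themida
behavioral1/memory/2184-9-0x0000000000400000-0x00000000005A0000-memory.dmp themida
behavioral1/memory/2184-10-0x0000000000400000-0x00000000005A0000-memory.dmp themida
behavioral1/memory/2184-11-0x0000000000400000-0x00000000005A0000-memory.dmp themida
behavioral1/memory/2184-12-0x0000000000400000-0x00000000005A0000-memory.dmp themida
behavioral1/memory/2184-13-0x0000000000400000-0x00000000005A0000-memory.dmp themida
behavioral1/memory/2184-14-0x0000000000400000-0x00000000005A0000-memory.dmp themida
behavioral1/memory/2184-1-0x0000000000400000-0x00000000005A0000-memory.dmp modiloader_stage2
behavioral1/memory/2184-2-0x0000000000400000-0x00000000005A0000-memory.dmp modiloader_stage2
behavioral1/memory/2184-3-0x0000000000400000-0x00000000005A0000-memory.dmp modiloader_stage2
behavioral1/memory/2184-4-0x0000000000400000-0x00000000005A0000-memory.dmp modiloader_stage2
behavioral1/memory/2184-5-0x0000000000400000-0x00000000005A0000-memory.dmp modiloader_stage2
behavioral1/memory/2184-6-0x0000000000400000-0x00000000005A0000-memory.dmp modiloader_stage2
behavioral1/memory/2184-7-0x0000000000400000-0x00000000005A0000-memory.dmp modiloader_stage2
behavioral1/memory/2184-8-0x0000000000400000-0x00000000005A0000-memory.dmp modiloader_stage2
behavioral1/memory/2184-9-0x0000000000400000-0x00000000005A0000-memory.dmp modiloader_stage2
behavioral1/memory/2184-10-0x0000000000400000-0x00000000005A0000-memory.dmp modiloader_stage2
behavioral1/memory/2184-11-0x0000000000400000-0x00000000005A0000-memory.dmp modiloader_stage2
behavioral1/memory/2184-12-0x0000000000400000-0x00000000005A0000-memory.dmp modiloader_stage2
behavioral1/memory/2184-13-0x0000000000400000-0x00000000005A0000-memory.dmp modiloader_stage2
behavioral1/memory/2184-14-0x0000000000400000-0x00000000005A0000-memory.dmp modiloader_stage2
"""

HIT_RE = re.compile(
    r"(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<dump>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\w+)"
)


@dataclass(frozen=True)
class Hit:
    task: str
    pid: int
    dump: int   # sequential snapshot index within the task
    start: int  # region start VA
    end: int    # region end VA (exclusive)
    rule: str


def parse_hits(text: str) -> list[Hit]:
    """Parse every hit token found in text, in order of appearance."""
    return [
        Hit(m["task"], int(m["pid"]), int(m["dump"]),
            int(m["start"], 16), int(m["end"], 16), m["rule"])
        for m in HIT_RE.finditer(text)
    ]


def regions(hits: list[Hit]) -> dict[tuple[int, int, int], dict[str, set[int]]]:
    """Group hits by (pid, start, end); per rule, the set of dumps it fired in."""
    out: dict = {}
    for h in hits:
        out.setdefault((h.pid, h.start, h.end), {}).setdefault(h.rule, set()).add(h.dump)
    return out


def stage_order(rule_dumps: dict[str, set[int]]) -> list[tuple[str, int]]:
    """Rules ordered by the first dump they appear in: the protector layer should
    come first and the payload it decodes later."""
    return sorted(((r, min(d)) for r, d in rule_dumps.items()), key=lambda x: (x[1], x[0]))


def region_report(hits: list[Hit], file_size: int) -> list[str]:
    """One summary line per region, then one per rule in unpacking order."""
    lines = []
    for (pid, start, end), rule_dumps in regions(hits).items():
        lines.append(f"pid {pid} region {start:#x}-{end:#x}: {end - start} bytes in memory, "
                     f"{file_size} bytes on disk")
        for rule, first in stage_order(rule_dumps):
            lines.append(f"  {rule}: first in dump {first}, present in {len(rule_dumps[rule])} dumps")
    return lines


if __name__ == "__main__":
    print("\n".join(region_report(parse_hits(REPORT_HITS), 707 * 1024)))
```

The practical use of the ordering is choosing which dump to pull for static analysis: any snapshot from index 1 onward of this region contains the decoded ModiLoader stage, whereas dump 0 only contains the Themida layer.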
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
The process calls NtSetInformationThread with the ThreadHideFromDebugger information class (0x11). A thread marked this way no longer delivers debug events to an attached debugger, so a software or hardware breakpoint hit in that thread is never seen by the debugger and, if the program does not handle the exception itself, terminates the process. It is a standard anti-debugging trick and is consistent with the Themida protection layer found in memory.
pid: 2184  process: 24536f9ca1e6dfcf585b20739e345cc3_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
The process walks the list of running processes, typically to look for analysis tools or security products before continuing.
pid: 2184  process: 24536f9ca1e6dfcf585b20739e345cc3_JaffaCakes118.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\24536f9ca1e6dfcf585b20739e345cc3_JaffaCakes118.exe (PID 2184)
   Command line: "C:\Users\Admin\AppData\Local\Temp\24536f9ca1e6dfcf585b20739e345cc3_JaffaCakes118.exe"
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
No child processes were recorded in this run.