Analysis
- max time kernel: 131s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 04/07/2024, 03:06
Static task: static1
Behavioral task: behavioral1
  Sample: 246b57d8bb1179700d5b43a7041678f7_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 246b57d8bb1179700d5b43a7041678f7_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: 246b57d8bb1179700d5b43a7041678f7_JaffaCakes118.exe
- Size: 142KB
- MD5: 246b57d8bb1179700d5b43a7041678f7
- SHA1: 55792d38694025957e33db6abe19d63fc83db0ed
- SHA256: 8ef0a54da0d40ff470d02eb544e53deb420d3852bb63f8629c91b08c55e606c1
- SHA512: 515a9524a7540e90d3384cf935b8e5927cebfcd9bd3bd8673d122e065a5d4ac90744bda70bc63aa1b8ac1e738caa3c541931524d56262f682b40d1747facd2df
- SSDEEP: 3072:W8ZklwCspJyWJfuxzH8GKgTgvki+ya5vOzg2/nwIhVMMESj3HzckL+:VkKC0XfGzcGKgyJa5v32PBVoszl6
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (2 IoCs)
  resource: behavioral1/memory/2432-3-0x0000000000400000-0x0000000000455000-memory.dmp  yara_rule: modiloader_stage2
  resource: behavioral1/memory/2612-194-0x0000000010410000-0x0000000010465000-memory.dmp  yara_rule: modiloader_stage2
- Deletes itself (1 IoC)
  pid: 2120  process: cmd.exe
- Executes dropped EXE (1 IoC)
  pid: 2272  process: netservice.exe
- UPX yara rule matches
  resource: behavioral1/memory/2612-188-0x0000000010410000-0x0000000010465000-memory.dmp  yara_rule: upx
  resource: behavioral1/memory/2612-194-0x0000000010410000-0x0000000010465000-memory.dmp  yara_rule: upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege  pid: 2272  process: netservice.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description: PID 2432 wrote to memory of 2120  pid: 2432  process: 246b57d8bb1179700d5b43a7041678f7_JaffaCakes118.exe  procid_target: 29  (4 identical entries)
  description: PID 2272 wrote to memory of 2612  pid: 2272  process: netservice.exe  procid_target: 31  (remaining 60 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\246b57d8bb1179700d5b43a7041678f7_JaffaCakes118.exe (PID 2432)
  Command line: "C:\Users\Admin\AppData\Local\Temp\246b57d8bb1179700d5b43a7041678f7_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2120)
    Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\246b57d8bb1179700d5b43a7041678f7_JaffaCakes118.exe"
    - Deletes itself
- C:\Users\Admin\Favorites\netservice.exe (PID 2272)
  Command line: C:\Users\Admin\Favorites\netservice.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 2612)
    Command line: C:\Windows\System32\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 142KB
  MD5: 246b57d8bb1179700d5b43a7041678f7
  SHA1: 55792d38694025957e33db6abe19d63fc83db0ed
  SHA256: 8ef0a54da0d40ff470d02eb544e53deb420d3852bb63f8629c91b08c55e606c1
  SHA512: 515a9524a7540e90d3384cf935b8e5927cebfcd9bd3bd8673d122e065a5d4ac90744bda70bc63aa1b8ac1e738caa3c541931524d56262f682b40d1747facd2df