Analysis
- max time kernel: 141s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/07/2024, 04:07
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 2494521b41bd0dff6ba4c82491913ba0_JaffaCakes118.exe
  - Resource: win7-20240508-en
Behavioral task
- behavioral2
  - Sample: 2494521b41bd0dff6ba4c82491913ba0_JaffaCakes118.exe
  - Resource: win10v2004-20240611-en
General
- Target: 2494521b41bd0dff6ba4c82491913ba0_JaffaCakes118.exe
- Size: 27KB
- MD5: 2494521b41bd0dff6ba4c82491913ba0
- SHA1: 590568ea63863466fba2eb46a7277df251232964
- SHA256: 478632a5e115ed74a3104b9627333eabbd2565976a2c7402f8b9b976f6eee22b
- SHA512: 22af5ba52df6e7ac1bfc6dbcd6195d74cdcbb6c7700575107e7aee304e5a4c68f39ee11823e8521322d8bf61f7614d6a80b2c9e1a2649e1cef4fab433f244239
- SSDEEP: 768:+IJpFHSLyupC2/kB5cy+2f1B4FuUD83w84xSHXMHx:+IJpFHSOuopPcy+2HgnywfxSHcHx
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (2 IoCs)
  resource | yara_rule
  behavioral2/memory/4792-14-0x0000000000400000-0x0000000000425000-memory.dmp | modiloader_stage2
  behavioral2/memory/4840-17-0x0000000000400000-0x0000000000425000-memory.dmp | modiloader_stage2
- Executes dropped EXE (1 IoC)
  pid | Process
  4840 | winwm.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  4840 | winwm.exe
  4840 | winwm.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  4840 | winwm.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4792 wrote to memory of 4840 | 4792 | 2494521b41bd0dff6ba4c82491913ba0_JaffaCakes118.exe | 83
  PID 4792 wrote to memory of 4840 | 4792 | 2494521b41bd0dff6ba4c82491913ba0_JaffaCakes118.exe | 83
  PID 4792 wrote to memory of 4840 | 4792 | 2494521b41bd0dff6ba4c82491913ba0_JaffaCakes118.exe | 83
Processes
- C:\Users\Admin\AppData\Local\Temp\2494521b41bd0dff6ba4c82491913ba0_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2494521b41bd0dff6ba4c82491913ba0_JaffaCakes118.exe"
  PID: 4792
  - Suspicious use of WriteProcessMemory
  - C:\RECYCLER\winwm.exe (depth 2, child of PID 4792)
    Command line: C:\RECYCLER\winwm.exe
    PID: 4840
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
- File 1
  - Filesize: 27KB
  - MD5: 2494521b41bd0dff6ba4c82491913ba0
  - SHA1: 590568ea63863466fba2eb46a7277df251232964
  - SHA256: 478632a5e115ed74a3104b9627333eabbd2565976a2c7402f8b9b976f6eee22b
  - SHA512: 22af5ba52df6e7ac1bfc6dbcd6195d74cdcbb6c7700575107e7aee304e5a4c68f39ee11823e8521322d8bf61f7614d6a80b2c9e1a2649e1cef4fab433f244239
- File 2
  - Filesize: 32KB
  - MD5: 74a955712209327a1ad86ff7b861749e
  - SHA1: 6befaf150a1cf05a6b675eb83a942c4dcd893a39
  - SHA256: a132927a5ba160ed7047a6caa2abd6bac9ab8c5a58d2acfcc1f1709a9279f1b7
  - SHA512: d730b18ef4b4176e34f7ae584631c7d88aa5f0dd6c25ceaad0aea946385a6295920722f9b7bf13c8e6d9a63aa48e4de2aad8de3d660e98ee9db6c46457390979