Analysis
max time kernel: 141s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04/07/2024, 05:27
Static task: static1
Behavioral task: behavioral1
  Sample: 24c80dc0f04d5cb42bdae99e8227da27_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 24c80dc0f04d5cb42bdae99e8227da27_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 24c80dc0f04d5cb42bdae99e8227da27_JaffaCakes118.exe
Size: 617KB
MD5: 24c80dc0f04d5cb42bdae99e8227da27
SHA1: 5000232be787e5f4d702ec2fc3c3bb80e2403d25
SHA256: 168f32f2c3853fcceb4607efbedeb0cac01f8333dc7c75a87ccf8eabcbb68892
SHA512: f66399e0aee1c1f06c01eb66e2466eb1262928342d5841f2b2977e95389d23b977533d34278b29d7ea8b4bca63ef0126e1c52e2ab0875eb2dcb1e28d7a9882cf
SSDEEP: 12288:Cj3eGwoHaqlxR+c0chWH/XpqmvXtF3Z4mxxtSXE3ygk6nOF2tjMq:E38oHvxh0chm/btQmXIXE3ygSFsj
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (3 IoCs)
resource | yara_rule
behavioral1/memory/2936-41-0x0000000000400000-0x000000000050C000-memory.dmp | modiloader_stage2
behavioral1/memory/2880-42-0x0000000000400000-0x000000000050C000-memory.dmp | modiloader_stage2
behavioral1/memory/2936-49-0x0000000000400000-0x000000000050C000-memory.dmp | modiloader_stage2
Executes dropped EXE (1 IoC)
pid | Process
2880 | rejoice47.exe

Loads dropped DLL (5 IoCs)
pid | Process
2936 | 24c80dc0f04d5cb42bdae99e8227da27_JaffaCakes118.exe
2936 | 24c80dc0f04d5cb42bdae99e8227da27_JaffaCakes118.exe
2640 | WerFault.exe
2640 | WerFault.exe
2640 | WerFault.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\_rejoice47.exe | rejoice47.exe
File opened for modification | C:\Windows\SysWOW64\_rejoice47.exe | rejoice47.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2880 set thread context of 2580 | 2880 | rejoice47.exe | 29

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe | 24c80dc0f04d5cb42bdae99e8227da27_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe | 24c80dc0f04d5cb42bdae99e8227da27_JaffaCakes118.exe

Program crash (1 IoC)
pid | pid_target | Process | procid_target
2640 | 2880 | WerFault.exe | 28
Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 2936 wrote to memory of 2880 | 2936 | 24c80dc0f04d5cb42bdae99e8227da27_JaffaCakes118.exe | 28
PID 2936 wrote to memory of 2880 | 2936 | 24c80dc0f04d5cb42bdae99e8227da27_JaffaCakes118.exe | 28
PID 2936 wrote to memory of 2880 | 2936 | 24c80dc0f04d5cb42bdae99e8227da27_JaffaCakes118.exe | 28
PID 2936 wrote to memory of 2880 | 2936 | 24c80dc0f04d5cb42bdae99e8227da27_JaffaCakes118.exe | 28
PID 2880 wrote to memory of 2580 | 2880 | rejoice47.exe | 29
PID 2880 wrote to memory of 2580 | 2880 | rejoice47.exe | 29
PID 2880 wrote to memory of 2580 | 2880 | rejoice47.exe | 29
PID 2880 wrote to memory of 2580 | 2880 | rejoice47.exe | 29
PID 2880 wrote to memory of 2580 | 2880 | rejoice47.exe | 29
PID 2880 wrote to memory of 2580 | 2880 | rejoice47.exe | 29
PID 2880 wrote to memory of 2640 | 2880 | rejoice47.exe | 30
PID 2880 wrote to memory of 2640 | 2880 | rejoice47.exe | 30
PID 2880 wrote to memory of 2640 | 2880 | rejoice47.exe | 30
PID 2880 wrote to memory of 2640 | 2880 | rejoice47.exe | 30
Processes
C:\Users\Admin\AppData\Local\Temp\24c80dc0f04d5cb42bdae99e8227da27_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\24c80dc0f04d5cb42bdae99e8227da27_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 2936
  C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe
    command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 2880
    C:\Windows\SysWOW64\calc.exe
      command line: "C:\Windows\system32\calc.exe"
      PID: 2580
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 300
      - Loads dropped DLL
      - Program crash
      PID: 2640
Downloads
Filesize: 617KB
MD5: 24c80dc0f04d5cb42bdae99e8227da27
SHA1: 5000232be787e5f4d702ec2fc3c3bb80e2403d25
SHA256: 168f32f2c3853fcceb4607efbedeb0cac01f8333dc7c75a87ccf8eabcbb68892
SHA512: f66399e0aee1c1f06c01eb66e2466eb1262928342d5841f2b2977e95389d23b977533d34278b29d7ea8b4bca63ef0126e1c52e2ab0875eb2dcb1e28d7a9882cf