Analysis
max time kernel: 41s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2024, 05:27
Static task: static1
Behavioral task: behavioral1
  Sample: 24c80dc0f04d5cb42bdae99e8227da27_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 24c80dc0f04d5cb42bdae99e8227da27_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 24c80dc0f04d5cb42bdae99e8227da27_JaffaCakes118.exe
Size: 617KB
MD5: 24c80dc0f04d5cb42bdae99e8227da27
SHA1: 5000232be787e5f4d702ec2fc3c3bb80e2403d25
SHA256: 168f32f2c3853fcceb4607efbedeb0cac01f8333dc7c75a87ccf8eabcbb68892
SHA512: f66399e0aee1c1f06c01eb66e2466eb1262928342d5841f2b2977e95389d23b977533d34278b29d7ea8b4bca63ef0126e1c52e2ab0875eb2dcb1e28d7a9882cf
SSDEEP: 12288:Cj3eGwoHaqlxR+c0chWH/XpqmvXtF3Z4mxxtSXE3ygk6nOF2tjMq:E38oHvxh0chm/btQmXIXE3ygSFsj
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (2 IoCs)
  resource | yara_rule
  behavioral2/memory/2808-28-0x0000000000400000-0x000000000050C000-memory.dmp | modiloader_stage2
  behavioral2/memory/2144-30-0x0000000000400000-0x000000000050C000-memory.dmp | modiloader_stage2
- Executes dropped EXE (1 IoC)
  pid | Process
  2144 | rejoice47.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\_rejoice47.exe | rejoice47.exe
  File opened for modification | C:\Windows\SysWOW64\_rejoice47.exe | rejoice47.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2144 set thread context of 3592 | 2144 | rejoice47.exe | 82
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe | 24c80dc0f04d5cb42bdae99e8227da27_JaffaCakes118.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe | 24c80dc0f04d5cb42bdae99e8227da27_JaffaCakes118.exe
- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  3116 | 3592 | WerFault.exe | 82
  1588 | 2144 | WerFault.exe | 81
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 2808 wrote to memory of 2144 | 2808 | 24c80dc0f04d5cb42bdae99e8227da27_JaffaCakes118.exe | 81
  PID 2808 wrote to memory of 2144 | 2808 | 24c80dc0f04d5cb42bdae99e8227da27_JaffaCakes118.exe | 81
  PID 2808 wrote to memory of 2144 | 2808 | 24c80dc0f04d5cb42bdae99e8227da27_JaffaCakes118.exe | 81
  PID 2144 wrote to memory of 3592 | 2144 | rejoice47.exe | 82
  PID 2144 wrote to memory of 3592 | 2144 | rejoice47.exe | 82
  PID 2144 wrote to memory of 3592 | 2144 | rejoice47.exe | 82
  PID 2144 wrote to memory of 3592 | 2144 | rejoice47.exe | 82
  PID 2144 wrote to memory of 3592 | 2144 | rejoice47.exe | 82
  PID 2144 wrote to memory of 1956 | 2144 | rejoice47.exe | 84
  PID 2144 wrote to memory of 1956 | 2144 | rejoice47.exe | 84
Processes
- C:\Users\Admin\AppData\Local\Temp\24c80dc0f04d5cb42bdae99e8227da27_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\24c80dc0f04d5cb42bdae99e8227da27_JaffaCakes118.exe"
  PID:2808
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe
    command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe"
    PID:2144
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\calc.exe
      command line: "C:\Windows\system32\calc.exe"
      PID:3592
      - C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 124
        PID:3116
        - Program crash
    - C:\program files\internet explorer\IEXPLORE.EXE
      command line: "C:\program files\internet explorer\IEXPLORE.EXE"
      PID:1956
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 676
      PID:1588
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2144 -ip 2144
  PID:2772
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3592 -ip 3592
  PID:64
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 617KB
MD5: 24c80dc0f04d5cb42bdae99e8227da27
SHA1: 5000232be787e5f4d702ec2fc3c3bb80e2403d25
SHA256: 168f32f2c3853fcceb4607efbedeb0cac01f8333dc7c75a87ccf8eabcbb68892
SHA512: f66399e0aee1c1f06c01eb66e2466eb1262928342d5841f2b2977e95389d23b977533d34278b29d7ea8b4bca63ef0126e1c52e2ab0875eb2dcb1e28d7a9882cf