Analysis

  • max time kernel
    140s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    04/07/2024, 06:17

General

  • Target

    24ea45716e1f4fe1eeb203637eb77f9f_JaffaCakes118.exe

  • Size

    597KB

  • MD5

    24ea45716e1f4fe1eeb203637eb77f9f

  • SHA1

    c1d9c0c1770c9d8192cdd397242b176901dd4714

  • SHA256

    e3d76d970541997e04cdeea6fdef66ee9955f50dc73cb50576aea670587bb2ed

  • SHA512

    831c82584dc2c3b869aab34afb881614f99b87be7f594ee6dd2cc0dce5b521037dde0e0113f6bfc561e3945d43b429b4e59e6daa606a28afc9d2cfc86195dcb1

  • SSDEEP

    12288:0uUuIk3sYOZy/P8FNiKJ+aq8uWmzxNWmbBqQQ3szCJ:0Rtk3lb/PVKJ3qNrnBTQcs

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24ea45716e1f4fe1eeb203637eb77f9f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\24ea45716e1f4fe1eeb203637eb77f9f_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1888
      • C:\program files\internet explorer\IEXPLORE.EXE
        "C:\program files\internet explorer\IEXPLORE.EXE"
        3⤵
          PID:2660
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 372
          3⤵
          • Program crash
          PID:2572

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

      Filesize

      561KB

      MD5

      8df047fd8e9c5657dd4ca86d40919995

      SHA1

      8cecf1b3b0a13f09e4fa3d5d6d69f07c51dfeaba

      SHA256

      ab4a5bb05b5c09a8b9e99caddd1f07583be6a77bb9ca4d3f0f7aa50d4b34b822

      SHA512

      c469ece17c940301e920ae7651e28d03eb0af7b3b32ee7094cfb73bbebc443edfa90e371631b871307db7631e0ed3f8837a680712286ec4f86be0a5cfcb15512

    • memory/840-10-0x0000000000A30000-0x0000000000B2F000-memory.dmp

      Filesize

      1020KB

    • memory/840-9-0x0000000000A30000-0x0000000000B2F000-memory.dmp

      Filesize

      1020KB

    • memory/1888-14-0x00000000004BD000-0x00000000004BE000-memory.dmp

      Filesize

      4KB

    • memory/1888-13-0x0000000000400000-0x00000000004FF000-memory.dmp

      Filesize

      1020KB

    • memory/1888-15-0x0000000000400000-0x00000000004FF000-memory.dmp

      Filesize

      1020KB

    • memory/1888-16-0x0000000000500000-0x00000000005FF000-memory.dmp

      Filesize

      1020KB

    • memory/1888-18-0x0000000000400000-0x00000000004FF000-memory.dmp

      Filesize

      1020KB

    • memory/1888-20-0x00000000004BD000-0x00000000004BE000-memory.dmp

      Filesize

      4KB

    • memory/1888-21-0x0000000000500000-0x00000000005FF000-memory.dmp

      Filesize

      1020KB