Analysis

max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 04/07/2024, 05:52
Static task: static1

Behavioral task: behavioral1
  Sample: 24d8f7dc35ca07ccc3018024e62de0eb_JaffaCakes118.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 24d8f7dc35ca07ccc3018024e62de0eb_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General

Target: 24d8f7dc35ca07ccc3018024e62de0eb_JaffaCakes118.exe
Size: 26KB
MD5: 24d8f7dc35ca07ccc3018024e62de0eb
SHA1: 8f5f9190889da6f58d96ee43fe8faf3543c9510f
SHA256: 61818da6e0159663add4426d80401a4a84ce776d440660d6bb0a9d8826c4bdeb
SHA512: bd2042efc5d7e1d1f5375288aca6045c108e6349b87fd7fee440025b1d51904c327da7c7e9c9e71d1ee57d3f977557169ec0b799434a815f3961f126266279db
SSDEEP: 384:WbLm+8TpFywSLQjzu/RQ+mLyvXYu5+z0Y3hyvL0/CIBkAVDuamhPa0Nyc46jZFm1:WbaJpFHSLyupC2/kzbqIBBAElc4yF9o
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1868-0-0x0000000000400000-0x0000000000425000-memory.dmp    modiloader_stage2
  behavioral1/memory/2516-12-0x0000000000400000-0x0000000000425000-memory.dmp   modiloader_stage2
  behavioral1/memory/1868-11-0x0000000000400000-0x0000000000425000-memory.dmp   modiloader_stage2

Executes dropped EXE (1 IoC)
  pid    Process
  2516   wmsj.exe

Drops file in Windows directory (5 IoCs)
  description                    ioc                     Process
  File created                   C:\Windows\video.dll    24d8f7dc35ca07ccc3018024e62de0eb_JaffaCakes118.exe
  File created                   C:\Windows\wmsj.exe     24d8f7dc35ca07ccc3018024e62de0eb_JaffaCakes118.exe
  File opened for modification   C:\Windows\wmsj.exe     24d8f7dc35ca07ccc3018024e62de0eb_JaffaCakes118.exe
  File created                   C:\Windows\video.dll    wmsj.exe
  File created                   C:\Windows\wmsj.exe     wmsj.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                          pid    Process                                               procid_target
  PID 1868 wrote to memory of 2516     1868   24d8f7dc35ca07ccc3018024e62de0eb_JaffaCakes118.exe   28
  PID 1868 wrote to memory of 2516     1868   24d8f7dc35ca07ccc3018024e62de0eb_JaffaCakes118.exe   28
  PID 1868 wrote to memory of 2516     1868   24d8f7dc35ca07ccc3018024e62de0eb_JaffaCakes118.exe   28
  PID 1868 wrote to memory of 2516     1868   24d8f7dc35ca07ccc3018024e62de0eb_JaffaCakes118.exe   28
Processes

1. C:\Users\Admin\AppData\Local\Temp\24d8f7dc35ca07ccc3018024e62de0eb_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\24d8f7dc35ca07ccc3018024e62de0eb_JaffaCakes118.exe"
   PID: 1868
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\wmsj.exe (child of PID 1868)
      Command line: C:\Windows\wmsj.exe
      PID: 2516
      - Executes dropped EXE
      - Drops file in Windows directory
Network
MITRE ATT&CK Matrix
Downloads

File 1
  Filesize: 31KB
  MD5: 606d261ca6cd700690038be8091273c3
  SHA1: 25f109657485b4efaf55d39e55dae463c00aa286
  SHA256: 70a4549b3c4cc38dfa63c29d113923298912922e529959b5ef1b160703c0e0e4
  SHA512: 8c399ff86adefee7a4f36dc00de948be5c419f61b454e12ea1c5659d87174dc3a970b1d9a6b9f4195db0b89c062ec49adfd206ba91a387200605653b2e0c8208

File 2
  Filesize: 26KB
  MD5: 24d8f7dc35ca07ccc3018024e62de0eb
  SHA1: 8f5f9190889da6f58d96ee43fe8faf3543c9510f
  SHA256: 61818da6e0159663add4426d80401a4a84ce776d440660d6bb0a9d8826c4bdeb
  SHA512: bd2042efc5d7e1d1f5375288aca6045c108e6349b87fd7fee440025b1d51904c327da7c7e9c9e71d1ee57d3f977557169ec0b799434a815f3961f126266279db