Analysis
-
max time kernel
140s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
17-09-2024 11:50
Behavioral task
behavioral1
Sample
e6c2004f8b577bd10e9682271bdf19ba_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e6c2004f8b577bd10e9682271bdf19ba_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
e6c2004f8b577bd10e9682271bdf19ba_JaffaCakes118.exe
-
Size
19KB
-
MD5
e6c2004f8b577bd10e9682271bdf19ba
-
SHA1
bbd1eb059677543dd65b1b308163aee4a7d0a8fd
-
SHA256
fe6466ccf7c38a4b9b9b9cc0e0f59153ed5cc421d6a1f5f94cd867e5fcc98b44
-
SHA512
e1869884287a7efd22a0df0606bd7f497fb88fb259c4b5a7a1091e57cd77221200606d015ad13972ef68b5c9c4317ff081ba826f6cc497c049498aa66dddaaec
-
SSDEEP
192:ntdLcj8WDkB9Cab+peklBs97THnRaT5S545myq29:7NB9C4+lTs9paY545myn
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
resource yara_rule behavioral2/memory/4928-0-0x0000000040000000-0x000000004000A000-memory.dmp modiloader_stage2 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e6c2004f8b577bd10e9682271bdf19ba_JaffaCakes118.exe
Processes
Network
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request45.56.20.217.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request67.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request154.239.44.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request26.165.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.126.166.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request121.170.16.2.in-addr.arpaIN PTRResponse121.170.16.2.in-addr.arpaIN PTRa2-16-170-121deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request240.143.123.92.in-addr.arpaIN PTRResponse240.143.123.92.in-addr.arpaIN PTRa92-123-143-240deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
71 B 131 B 1 1
DNS Request
45.56.20.217.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
67.31.126.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
154.239.44.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
28.118.140.52.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
26.165.165.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
56.126.166.20.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
121.170.16.2.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
240.143.123.92.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa