Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-09-2024 00:32

General

  • Target

    e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe

  • Size

    695KB

  • MD5

    e7fd6329143532ea0bebe005412dd0e4

  • SHA1

    14f9cc314ea92887e1444e9d530356bf3f9736a7

  • SHA256

    60fcc429efb0da6f06194ad25a8127c7ab74219a20a3e140f6b4e356090daba1

  • SHA512

    11cbe66f8d53dd461748f8b0305cf27d2fe22ba5543a76eb90f7df3a37f405b790fda7992859c1ad5f6cf5dd32b98925044a19b98505bfdcb47ffd4907d933be

  • SSDEEP

    12288:DDNkFa5fF7RTX979xwJyTW7DsVpClkJXNF9QPC14kMabunqQFFmFQei3D95BSGXr:DJ+gF1tTyyTW7Cp/EC14km+FHiZqAjOC

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage (3 IoCs)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (16 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Users\Admin\AppData\Local\Temp\e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Users\Admin\AppData\Local\Temp\e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 36
          4⤵
          • Program crash
          PID:2108

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2020-11-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
  • memory/2020-13-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
  • memory/2020-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/2020-8-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
  • memory/2252-0-0x00000000001C0000-0x00000000001C1000-memory.dmp (Filesize: 4KB)
  • memory/2252-5-0x0000000020000000-0x000000002005F000-memory.dmp (Filesize: 380KB)
  • memory/2532-14-0x0000000010000000-0x000000001005B000-memory.dmp (Filesize: 364KB)
  • memory/2532-7-0x0000000010000000-0x000000001005B000-memory.dmp (Filesize: 364KB)
  • memory/2532-4-0x0000000010000000-0x000000001005B000-memory.dmp (Filesize: 364KB)
  • memory/2532-1-0x0000000010000000-0x000000001005B000-memory.dmp (Filesize: 364KB)
