Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
18-09-2024 00:32
Static task
static1
Behavioral task
behavioral1
Sample
e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe
-
Size
695KB
-
MD5
e7fd6329143532ea0bebe005412dd0e4
-
SHA1
14f9cc314ea92887e1444e9d530356bf3f9736a7
-
SHA256
60fcc429efb0da6f06194ad25a8127c7ab74219a20a3e140f6b4e356090daba1
-
SHA512
11cbe66f8d53dd461748f8b0305cf27d2fe22ba5543a76eb90f7df3a37f405b790fda7992859c1ad5f6cf5dd32b98925044a19b98505bfdcb47ffd4907d933be
-
SSDEEP
12288:DDNkFa5fF7RTX979xwJyTW7DsVpClkJXNF9QPC14kMabunqQFFmFQei3D95BSGXr:DJ+gF1tTyyTW7Cp/EC14km+FHiZqAjOC
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 3 IoCs
resource yara_rule behavioral1/memory/2532-14-0x0000000010000000-0x000000001005B000-memory.dmp modiloader_stage2 behavioral1/memory/2532-7-0x0000000010000000-0x000000001005B000-memory.dmp modiloader_stage2 behavioral1/memory/2532-4-0x0000000010000000-0x000000001005B000-memory.dmp modiloader_stage2 -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2252 set thread context of 2532 2252 e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe 30 PID 2532 set thread context of 2020 2532 e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe 31 -
Program crash 1 IoCs
pid pid_target Process procid_target 2108 2020 WerFault.exe 31 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2252 wrote to memory of 2532 2252 e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe 30 PID 2252 wrote to memory of 2532 2252 e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe 30 PID 2252 wrote to memory of 2532 2252 e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe 30 PID 2252 wrote to memory of 2532 2252 e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe 30 PID 2252 wrote to memory of 2532 2252 e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe 30 PID 2252 wrote to memory of 2532 2252 e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe 30 PID 2532 wrote to memory of 2020 2532 e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe 31 PID 2532 wrote to memory of 2020 2532 e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe 31 PID 2532 wrote to memory of 2020 2532 e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe 31 PID 2532 wrote to memory of 2020 2532 e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe 31 PID 2532 wrote to memory of 2020 2532 e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe 31 PID 2532 wrote to memory of 2020 2532 e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe 31 PID 2020 wrote to memory of 2108 2020 e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe 32 PID 2020 wrote to memory of 2108 2020 e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe 32 PID 2020 wrote to memory of 2108 2020 e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe 32 PID 2020 wrote to memory of 2108 2020 e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Users\Admin\AppData\Local\Temp\e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Users\Admin\AppData\Local\Temp\e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e7fd6329143532ea0bebe005412dd0e4_JaffaCakes118.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 364⤵
- Program crash
PID:2108
-
-
-