Analysis
-
max time kernel
150s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240910-en -
resource tags
-
submitted
18-09-2024 02:09
General
-
Target
e82089d7aaed18cfb194e002ad1a2877_JaffaCakes118.exe
-
Size
30KB
-
MD5
e82089d7aaed18cfb194e002ad1a2877
-
SHA1
badebd19433e7ac3e25aab76a931444700334565
-
SHA256
c7be6a021e8c60656ec1ce97e95270f5f30755973b6d66468d51e58ecd6db7d8
-
SHA512
2b407cad6af7e815fa70be6601b3ada58a7e7e272b7546ff13b3bcc342eea1991c51fa4213c6e15557089983f18074783730aadb2b2389b41025b6f33811f307
-
SSDEEP
768:06NFd1MyFqBHSr9tMLkGiIiuuOk0/br3HoU0:0YX15FkCciI7k0T750
Score
10/10
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e82089d7aaed18cfb194e002ad1a2877_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e82089d7aaed18cfb194e002ad1a2877_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe23⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe24⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe25⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe27⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe28⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe29⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe30⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe31⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe32⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe33⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe34⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe35⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe36⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe37⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe38⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe39⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe40⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe41⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe42⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe43⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe44⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe47⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe48⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe50⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe51⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe52⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe53⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe54⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe55⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe56⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe57⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe58⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe59⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe60⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe61⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe62⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe63⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe64⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe65⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe66⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe67⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe68⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe69⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe70⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe71⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe72⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe73⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe74⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe75⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe76⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe77⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe78⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe79⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe80⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe81⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe82⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe83⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe84⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe85⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe86⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe87⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe88⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe89⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe90⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe91⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe92⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe93⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe94⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe95⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe96⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe97⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe98⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe99⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe100⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe101⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe102⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe103⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe104⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe105⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe106⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe107⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe108⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe109⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe110⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe111⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe112⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe113⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe114⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe115⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe116⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe117⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe118⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe119⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe120⤵
-
C:\Windows\SysWOW64\svvosts.exeC:\Windows\system32\svvosts.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-