Analysis

  • max time kernel: 140s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 18-09-2024 09:32

General

  • Target: e8d04fb3da70d1909470cb64ff7745c9_JaffaCakes118.exe
  • Size: 97KB
  • MD5: e8d04fb3da70d1909470cb64ff7745c9
  • SHA1: 857b690e5ecd7215a353112c823aaa32f35bc777
  • SHA256: 5a97f196f19f00067daf65082dab3eceea9f82374d409a65a6555f48b8fa2e91
  • SHA512: e7f68812eeedb0dec57c3865c870e3240b64828cde5dcc437af81e6bb1a02a55b1e1ec4877b155434d5403843d2da851a2ff16bb7e11e1a35af452027fa6368d
  • SSDEEP: 1536:E+5ng+pfYpirWD+fBD8w//qZxNdD5St5TvtbdAMv8+QtLtRiAroDU:E+5ngSfYpWzpD8kqLNStVvbQhQ

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8d04fb3da70d1909470cb64ff7745c9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e8d04fb3da70d1909470cb64ff7745c9_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:300
    • C:\Users\Admin\AppData\Local\Temp\äÓÎ ãä Sexy-Girls-hot.exe
      "C:\Users\Admin\AppData\Local\Temp\äÓÎ ãä Sexy-Girls-hot.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1504
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 88
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2300
    • C:\Users\Admin\AppData\Local\Temp\bbb.exe
      "C:\Users\Admin\AppData\Local\Temp\bbb.exe"
      2⤵
      • Executes dropped EXE
      PID:2468

Network

MITRE ATT&CK Enterprise v15


Downloads

  • \Users\Admin\AppData\Local\Temp\bbb.exe
    Filesize: 7KB
    MD5: 8524724985250341f25c7a99b279ee0d
    SHA1: a58a9ffc41cf4e2e1d4bf17b2dac26fd4b36443a
    SHA256: 0b06ee9b0244043f093845846a4af4dac93177c71842655f644b7c9d17580725
    SHA512: ac8e4fb4ed3b32d524663cfb9a227b513a0f7b190f7e635e23ee0c5f1dd928d75537f5613f0a8129e53ea332224e3daf3d6c69cc2deffe72017601d670b6d937

  • \Users\Admin\AppData\Local\Temp\äÓÎ ãä Sexy-Girls-hot.exe
    Filesize: 71KB
    MD5: b3403b39b86a14124f1848ffdf69d241
    SHA1: 6e8ed231482fb9fde3146db734b53ce61a1c43b5
    SHA256: 45647d2835bb141665ce8b07ed514e6c9c353306cb5f84f186782901cd7cda47
    SHA512: 54f4f8b047a46d023e0d17303971b16b4fb806530145061a6fe83038d264d2adce0d5d547c06b15560a984518223fa90485029e5a60c958f266b494150261f25

  • memory/300-18-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize: 128KB

  • memory/1504-24-0x0000000000400000-0x000000000040D000-memory.dmp
    Filesize: 52KB
