Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
18-09-2024 14:18
Static task
static1
Behavioral task
behavioral1
Sample
e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe
-
Size
141KB
-
MD5
e94e3b8e51032773f456ea39a5135cf8
-
SHA1
0d0574d3713364be46f96f6ace785b52d71e779f
-
SHA256
2a0869fd9b64ece60bce02fb856d9d113ca5f5740a06db06264ccf9375723403
-
SHA512
8682ada3702a406812dfef04ca0d9b4fbe6380b65f30826c4ba957a75a9c9f6fd21e8e5aa16c79f3ebd37c9a80d45fc773d52ef5d722c626935deb12c5e89206
-
SSDEEP
3072:Eh8YRHE5GsBZCu9MxOLMJN9BwFWv6S+iJuo2:e8C0GAZCvach5v6S+A2
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
resource yara_rule behavioral1/memory/1740-7-0x0000000020000000-0x0000000020028000-memory.dmp modiloader_stage2 -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1740 set thread context of 2868 1740 e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe 31 PID 2868 set thread context of 2568 2868 e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe 32 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 1740 wrote to memory of 2868 1740 e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe 31 PID 1740 wrote to memory of 2868 1740 e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe 31 PID 1740 wrote to memory of 2868 1740 e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe 31 PID 1740 wrote to memory of 2868 1740 e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe 31 PID 1740 wrote to memory of 2868 1740 e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe 31 PID 1740 wrote to memory of 2868 1740 e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe 31 PID 2868 wrote to memory of 2568 2868 e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe 32 PID 2868 wrote to memory of 2568 2868 e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe 32 PID 2868 wrote to memory of 2568 2868 e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe 32 PID 2868 wrote to memory of 2568 2868 e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe 32 PID 2868 wrote to memory of 2568 2868 e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe 32 PID 2868 wrote to memory of 2568 2868 e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe 32 PID 2868 wrote to memory of 2568 2868 e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Users\Admin\AppData\Local\Temp\e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Users\Admin\AppData\Local\Temp\e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e94e3b8e51032773f456ea39a5135cf8_JaffaCakes118.exe"3⤵PID:2568
-
-