Analysis
  max time kernel: 95s
  max time network: 97s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 20-09-2024 15:34
Behavioral task behavioral1
  Sample: ede5bbc69594ab35cd44eead5dc73752_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task behavioral2
  Sample: ede5bbc69594ab35cd44eead5dc73752_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
  Target: ede5bbc69594ab35cd44eead5dc73752_JaffaCakes118.exe
  Size: 853KB
  MD5: ede5bbc69594ab35cd44eead5dc73752
  SHA1: 32734225f02f0fd4a375313183b692900ee5eeea
  SHA256: a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183
  SHA512: 22b24fba0d320be89765d6fd9bde2226c2e928c4ef6e9476b69b1ee426c59072949c045c834b357ec747a679b2f613750d3058c46d89a1ec47bfa7622b0a543c
  SSDEEP: 12288:Bki1msuXRKKAajizsFAiQHFQOsA+5UVK85Fe1qujMWWL0Uz/ELi2iwkDAPw:BfY3RKKAajpFApWNA+SVNe1/hqIiH6
Malware Config
Signatures
ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader First Stage (1 IoC)
  resource: behavioral2/memory/2268-3-0x0000000000400000-0x00000000004DF000-memory.dmp
  yara_rule: modiloader_stage1

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    process: ede5bbc69594ab35cd44eead5dc73752_JaffaCakes118.exe
Script User-Agent (2 IoCs)
  Uses a user-agent string associated with a script host/environment.
  Processes:
    description: HTTP User-Agent header; flow: 21; ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    description: HTTP User-Agent header; flow: 23; ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description: PID 2268 wrote to memory of 1448; pid: 2268; process: ede5bbc69594ab35cd44eead5dc73752_JaffaCakes118.exe; target process: ieinstal.exe
    description: PID 2268 wrote to memory of 1448; pid: 2268; process: ede5bbc69594ab35cd44eead5dc73752_JaffaCakes118.exe; target process: ieinstal.exe
    description: PID 2268 wrote to memory of 1448; pid: 2268; process: ede5bbc69594ab35cd44eead5dc73752_JaffaCakes118.exe; target process: ieinstal.exe
Processes
  1. C:\Users\Admin\AppData\Local\Temp\ede5bbc69594ab35cd44eead5dc73752_JaffaCakes118.exe (PID 2268)
     command line: "C:\Users\Admin\AppData\Local\Temp\ede5bbc69594ab35cd44eead5dc73752_JaffaCakes118.exe"
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
     2. C:\Program Files (x86)\internet explorer\ieinstal.exe (PID 1448)
        command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
  1. C:\Windows\system32\AUDIODG.EXE (PID 4304)
     command line: C:\Windows\system32\AUDIODG.EXE 0x31c 0x428