Analysis

  • max time kernel
    95s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-09-2024 15:34

General

  • Target

    ede5bbc69594ab35cd44eead5dc73752_JaffaCakes118.exe

  • Size

    853KB

  • MD5

    ede5bbc69594ab35cd44eead5dc73752

  • SHA1

    32734225f02f0fd4a375313183b692900ee5eeea

  • SHA256

    a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183

  • SHA512

    22b24fba0d320be89765d6fd9bde2226c2e928c4ef6e9476b69b1ee426c59072949c045c834b357ec747a679b2f613750d3058c46d89a1ec47bfa7622b0a543c

  • SSDEEP

    12288:Bki1msuXRKKAajizsFAiQHFQOsA+5UVK85Fe1qujMWWL0Uz/ELi2iwkDAPw:BfY3RKKAajpFApWNA+SVNe1/hqIiH6

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader First Stage 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ede5bbc69594ab35cd44eead5dc73752_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ede5bbc69594ab35cd44eead5dc73752_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Program Files (x86)\internet explorer\ieinstal.exe
      "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      2⤵
        PID:1448
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x31c 0x428
      1⤵
        PID:4304

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2268-0-0x00000000022A0000-0x00000000022A1000-memory.dmp

        Filesize

        4KB

      • memory/2268-1-0x0000000004680000-0x0000000004681000-memory.dmp

        Filesize

        4KB

      • memory/2268-2-0x00000000022A0000-0x00000000022A1000-memory.dmp

        Filesize

        4KB

      • memory/2268-3-0x0000000000400000-0x00000000004DF000-memory.dmp

        Filesize

        892KB

      • memory/2268-4-0x0000000004680000-0x0000000004681000-memory.dmp

        Filesize

        4KB