Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-09-2024 13:45

General

  • Target

    f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe

  • Size

    90KB

  • MD5

    f3c5e2979473915ce47514b9a9a0991e

  • SHA1

    005501244bfe45e4a4f02ff5ca0dc2c728e56057

  • SHA256

    d804fd595e9008d7b90bf18c2ce3680a5a7f9bd609629db3cb2dc602cd5c2cb4

  • SHA512

    3a89c92f490141a058ea294e2457fe6f123fe525fd00b6effed87b3bd8bd62228c957c489c7e1117319820cb7347c02ed58cbed946823b3f41769a832f099488

  • SSDEEP

    1536:C9Pcb2OD+70Q8kIlHEOkXGHOUkXdtg/WqrT7J1O1CX1XFfpup7c9ipR:gcb/D+bFgjkCX1VQRc8pR

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modifies firewall policy service (3 TTPs, 1 IoC)
  • ModiLoader Second Stage (3 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Drops file in Program Files directory (6 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (16 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Users\Admin\AppData\Local\Temp\f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\f3c5e2979473915ce47514b9a9a0991e_JaffaCakes118.exe
      2⤵
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Program Files (x86)\Common Files\System\Taskmngr.exe
        "C:\Program Files (x86)\Common Files\System\Taskmngr.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3052
        • C:\Program Files (x86)\Common Files\System\Taskmngr.exe
          "C:\Program Files (x86)\Common Files\System\Taskmngr.exe"
          4⤵
          • Modifies firewall policy service
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          PID:2260

Network

  • DNS (26 identical requests)
    Process: Taskmngr.exe
    Remote address: 8.8.8.8:53
    Request: sluts.no-ip.org IN A
    Response: No results found
  DNS flows (all from Taskmngr.exe to 8.8.8.8:53; every request in every flow is for sluts.no-ip.org)

    Remote address   Domain            Protocol   Process        Bytes sent   Bytes received   Requests sent   Responses received
    8.8.8.8:53       sluts.no-ip.org   dns        Taskmngr.exe   305 B        -                5               -
    8.8.8.8:53       sluts.no-ip.org   dns        Taskmngr.exe   305 B        -                5               -
    8.8.8.8:53       sluts.no-ip.org   dns        Taskmngr.exe   305 B        -                5               -
    8.8.8.8:53       sluts.no-ip.org   dns        Taskmngr.exe   305 B        -                5               -
    8.8.8.8:53       sluts.no-ip.org   dns        Taskmngr.exe   305 B        -                5               -
    8.8.8.8:53       sluts.no-ip.org   dns        Taskmngr.exe   61 B         121 B            1               1


MITRE ATT&CK Enterprise v15

Downloads

  • \Program Files (x86)\Common Files\System\Taskmngr.exe

    Filesize

    90KB

    MD5

    f3c5e2979473915ce47514b9a9a0991e

    SHA1

    005501244bfe45e4a4f02ff5ca0dc2c728e56057

    SHA256

    d804fd595e9008d7b90bf18c2ce3680a5a7f9bd609629db3cb2dc602cd5c2cb4

    SHA512

    3a89c92f490141a058ea294e2457fe6f123fe525fd00b6effed87b3bd8bd62228c957c489c7e1117319820cb7347c02ed58cbed946823b3f41769a832f099488

  • memory/2108-4-0x0000000010000000-0x000000001001E000-memory.dmp

    Filesize

    120KB

  • memory/2260-28-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2260-30-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2992-3-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2992-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2992-0-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2992-6-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2992-9-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2992-29-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/3052-25-0x0000000010000000-0x000000001001E000-memory.dmp

    Filesize

    120KB
