Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 26/09/2024, 09:52 UTC
Behavioral task: behavioral1
- Sample: f81a91dafdf1ba8212b508ad0e38baf6_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: f81a91dafdf1ba8212b508ad0e38baf6_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: f81a91dafdf1ba8212b508ad0e38baf6_JaffaCakes118.exe
- Size: 319KB
- MD5: f81a91dafdf1ba8212b508ad0e38baf6
- SHA1: 41bda1037df9142416de8a43cfc1e9af02a8d1fb
- SHA256: ab3b884636f0245a47dd659b4833d900226b6ae8cb2483266e63bb2453d61d84
- SHA512: d5b4af20855af8fc1a656f744a3d3dceb51b22703239bc9bfdc2e0689cfc541fd07488565857e19d6bba48672fe8fc8e56968f7828678ba8088e53ed0ac03b36
- SSDEEP: 3072:u+8SuviVZPz8/2/MMtWsX58Xdr9HoZAiHtu89t74l+cmZyCBys7Q6qOkaH7k3G7i:aQguZWZogWnve
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (1 IoC)
  resource: behavioral1/memory/2880-9-0x0000000000400000-0x0000000000457000-memory.dmp
  yara_rule: modiloader_stage2
- Executes dropped EXE (2 IoCs)
  pid   Process
  2484  1123132.exe
  2168  1123132.exe
- Loads dropped DLL (3 IoCs)
  pid   Process
  2880  f81a91dafdf1ba8212b508ad0e38baf6_JaffaCakes118.exe
  2880  f81a91dafdf1ba8212b508ad0e38baf6_JaffaCakes118.exe
  2484  1123132.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process      procid_target
  PID 2484 set thread context of 2168  2484  1123132.exe  31
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f81a91dafdf1ba8212b508ad0e38baf6_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1123132.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2484  1123132.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid   Process                                              procid_target
  PID 2880 wrote to memory of 2484   2880  f81a91dafdf1ba8212b508ad0e38baf6_JaffaCakes118.exe   30
  PID 2880 wrote to memory of 2484   2880  f81a91dafdf1ba8212b508ad0e38baf6_JaffaCakes118.exe   30
  PID 2880 wrote to memory of 2484   2880  f81a91dafdf1ba8212b508ad0e38baf6_JaffaCakes118.exe   30
  PID 2880 wrote to memory of 2484   2880  f81a91dafdf1ba8212b508ad0e38baf6_JaffaCakes118.exe   30
  PID 2484 wrote to memory of 2168   2484  1123132.exe                                          31
  PID 2484 wrote to memory of 2168   2484  1123132.exe                                          31
  PID 2484 wrote to memory of 2168   2484  1123132.exe                                          31
  PID 2484 wrote to memory of 2168   2484  1123132.exe                                          31
  PID 2484 wrote to memory of 2168   2484  1123132.exe                                          31
  PID 2484 wrote to memory of 2168   2484  1123132.exe                                          31
  PID 2484 wrote to memory of 2168   2484  1123132.exe                                          31
Processes
1. C:\Users\Admin\AppData\Local\Temp\f81a91dafdf1ba8212b508ad0e38baf6_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f81a91dafdf1ba8212b508ad0e38baf6_JaffaCakes118.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2880
   2. C:\Users\Admin\AppData\Local\Temp\1123132.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1123132.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2484
      3. C:\Users\Admin\AppData\Local\Temp\1123132.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\1123132.exe
         - Executes dropped EXE
         PID: 2168
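The WriteProcessMemory and SetThreadContext rows above, read together with the process tree, are what distinguish the two hops of this chain: the initial sample writes into the dropped 1123132.exe it starts, while 1123132.exe writes into a second copy of itself and then resets that copy's thread context, which is the usual process-hollowing sequence. The script below is an added example written for this report, not tooling from the sandbox; it parses a constructed copy of the report's rows, joins them against the process tree, and flags only the write-plus-context pair. The row format and the tree layout are assumptions modelled on the report as rendered here, and parse_events() and hollowing_candidates() are names chosen for the example.

```python
"""Correlate a sandbox report's WriteProcessMemory and SetThreadContext IoCs
with its process tree to single out process-hollowing candidates.

Added example for the report above, not code from the sandbox vendor. The row
format and the PROCESS_TREE shape are assumptions modelled on the report as
rendered here; parse_events() and hollowing_candidates() are example names.
"""
import re
from collections import defaultdict

# Constructed input: the 11 WriteProcessMemory rows and the one
# SetThreadContext row from the signatures above, one event per line.
IOC_ROWS = """
PID 2880 wrote to memory of 2484 2880 f81a91dafdf1ba8212b508ad0e38baf6_JaffaCakes118.exe 30
PID 2880 wrote to memory of 2484 2880 f81a91dafdf1ba8212b508ad0e38baf6_JaffaCakes118.exe 30
PID 2880 wrote to memory of 2484 2880 f81a91dafdf1ba8212b508ad0e38baf6_JaffaCakes118.exe 30
PID 2880 wrote to memory of 2484 2880 f81a91dafdf1ba8212b508ad0e38baf6_JaffaCakes118.exe 30
PID 2484 wrote to memory of 2168 2484 1123132.exe 31
PID 2484 wrote to memory of 2168 2484 1123132.exe 31
PID 2484 wrote to memory of 2168 2484 1123132.exe 31
PID 2484 wrote to memory of 2168 2484 1123132.exe 31
PID 2484 wrote to memory of 2168 2484 1123132.exe 31
PID 2484 wrote to memory of 2168 2484 1123132.exe 31
PID 2484 wrote to memory of 2168 2484 1123132.exe 31
PID 2484 set thread context of 2168 2484 1123132.exe 31
"""

# Constructed copy of the process tree above: pid -> (image name, parent pid).
PROCESS_TREE = {
    2880: ("f81a91dafdf1ba8212b508ad0e38baf6_JaffaCakes118.exe", None),
    2484: ("1123132.exe", 2880),
    2168: ("1123132.exe", 2484),
}

# Only the leading "PID <src> <verb> <dst>" part is needed; the trailing
# pid/image/index columns repeat the source side and are ignored.
ROW_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")


def parse_events(text):
    """Turn report rows into (verb, source_pid, target_pid) tuples."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((m.group(2), int(m.group(1)), int(m.group(3))))
    return events


def hollowing_candidates(events, tree):
    """Return (source_pid, target_pid, reasons) for each pair where the
    source both wrote into the target and reset one of its thread contexts.

    A write alone (as 2880 -> 2484 here) is what a dropper does when it
    starts a child it just wrote to disk, so it is not flagged. The write
    plus SetThreadContext pair is the classic hollowing sequence; if the
    target is also a child running the same image as its parent, that is
    recorded as an extra reason.
    """
    writes = defaultdict(int)
    contexts = set()
    for verb, src, dst in events:
        if verb == "wrote to memory of":
            writes[(src, dst)] += 1
        else:
            contexts.add((src, dst))

    found = []
    for src, dst in sorted(contexts):
        if not writes[(src, dst)]:
            continue
        reasons = [f"WriteProcessMemory x{writes[(src, dst)]}", "SetThreadContext"]
        image, parent = tree.get(dst, (None, None))
        if parent == src and tree.get(src, (None, None))[0] == image:
            reasons.append("target is a child running the parent's own image")
        found.append((src, dst, reasons))
    return found


if __name__ == "__main__":
    for src, dst, reasons in hollowing_candidates(parse_events(IOC_ROWS), PROCESS_TREE):
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```

Run as-is it reports a single candidate, 2484 -> 2168, with seven writes, a thread-context reset, and the same-image parent/child relationship; the four writes from 2880 into 2484 are left out because no SetThreadContext follows them. The same join works on any report that lists the two signatures separately, which is why the events are keyed on (source, target) rather than on the process index column.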
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 178KB
- MD5: cefd27ace3ef5a3bdcd0e6ec427ba77f
- SHA1: d5b48deb9f94e22550156c1c62b3cb5af884d3dd
- SHA256: a3b9e0ab740fcf59469883ca42f47f9b80195f8ebb1feafdfa531a1443f43003
- SHA512: b2305052e333d63633f4d0fcfb277f9f7586b5e6dbbed324a9226c1c1b9f06b8ef2f480431059e069d4ea40ed80433c5570bee82e9fc249339f702ece6cb96d9