Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/09/2024, 09:52 UTC

General

  • Target

    f81a91dafdf1ba8212b508ad0e38baf6_JaffaCakes118.exe

  • Size

    319KB

  • MD5

    f81a91dafdf1ba8212b508ad0e38baf6

  • SHA1

    41bda1037df9142416de8a43cfc1e9af02a8d1fb

  • SHA256

    ab3b884636f0245a47dd659b4833d900226b6ae8cb2483266e63bb2453d61d84

  • SHA512

    d5b4af20855af8fc1a656f744a3d3dceb51b22703239bc9bfdc2e0689cfc541fd07488565857e19d6bba48672fe8fc8e56968f7828678ba8088e53ed0ac03b36

  • SSDEEP

    3072:u+8SuviVZPz8/2/MMtWsX58Xdr9HoZAiHtu89t74l+cmZyCBys7Q6qOkaH7k3G7i:aQguZWZogWnve

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f81a91dafdf1ba8212b508ad0e38baf6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f81a91dafdf1ba8212b508ad0e38baf6_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Users\Admin\AppData\Local\Temp\1123132.exe
      "C:\Users\Admin\AppData\Local\Temp\1123132.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Users\Admin\AppData\Local\Temp\1123132.exe
        C:\Users\Admin\AppData\Local\Temp\1123132.exe
        3⤵
        • Executes dropped EXE
        PID:2168

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\1123132.exe

    Filesize

    178KB

    MD5

    cefd27ace3ef5a3bdcd0e6ec427ba77f

    SHA1

    d5b48deb9f94e22550156c1c62b3cb5af884d3dd

    SHA256

    a3b9e0ab740fcf59469883ca42f47f9b80195f8ebb1feafdfa531a1443f43003

    SHA512

    b2305052e333d63633f4d0fcfb277f9f7586b5e6dbbed324a9226c1c1b9f06b8ef2f480431059e069d4ea40ed80433c5570bee82e9fc249339f702ece6cb96d9

  • memory/2168-19-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2168-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2168-16-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2168-15-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2484-11-0x00000000740A1000-0x00000000740A2000-memory.dmp

    Filesize

    4KB

  • memory/2484-12-0x00000000740A0000-0x000000007464B000-memory.dmp

    Filesize

    5.7MB

  • memory/2484-13-0x00000000740A0000-0x000000007464B000-memory.dmp

    Filesize

    5.7MB

  • memory/2484-21-0x00000000740A0000-0x000000007464B000-memory.dmp

    Filesize

    5.7MB

  • memory/2880-9-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB
