Analysis
-
max time kernel
122s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
27/09/2024, 14:00 UTC
Static task
static1
Behavioral task
behavioral1
Sample
fa88df5d972e2c0b867ec0cda6f711ec_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
fa88df5d972e2c0b867ec0cda6f711ec_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
fa88df5d972e2c0b867ec0cda6f711ec_JaffaCakes118.exe
-
Size
286KB
-
MD5
fa88df5d972e2c0b867ec0cda6f711ec
-
SHA1
424e17936235d1d348ea66627de479bb6ba46e2e
-
SHA256
e0006e97a56ac37edbafd67ba10ec7e4f661ab1683411deaa3e33007f40f9389
-
SHA512
57fc574f0720cb41681cab81d6f5366a5ca4668c0c059e13c91c6792623c7d72e25ddc7cfb6eade97293a902d6c3a7e942f7faf3c919492315c5349dbb8d92a2
-
SSDEEP
6144:6f0qbz3+KEoCuiJIZHpaxVK1WhmpA1rE4b/QHo2ZZ7M8dsWQEaWf/t:1quJBfJkIz2/bHoisiaWt
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
resource yara_rule behavioral1/memory/2076-2-0x0000000000400000-0x000000000050C000-memory.dmp modiloader_stage2 -
Program crash 1 IoCs
pid pid_target Process procid_target 1720 2076 WerFault.exe 29 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fa88df5d972e2c0b867ec0cda6f711ec_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2076 wrote to memory of 1720 2076 fa88df5d972e2c0b867ec0cda6f711ec_JaffaCakes118.exe 30 PID 2076 wrote to memory of 1720 2076 fa88df5d972e2c0b867ec0cda6f711ec_JaffaCakes118.exe 30 PID 2076 wrote to memory of 1720 2076 fa88df5d972e2c0b867ec0cda6f711ec_JaffaCakes118.exe 30 PID 2076 wrote to memory of 1720 2076 fa88df5d972e2c0b867ec0cda6f711ec_JaffaCakes118.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\fa88df5d972e2c0b867ec0cda6f711ec_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fa88df5d972e2c0b867ec0cda6f711ec_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 362⤵
- Program crash
PID:1720
-