Analysis
-
max time kernel
141s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09/10/2024, 06:40
General
-
Target
2c9d430dec7f0000209b7165e2027d73_JaffaCakes118.exe
-
Size
371KB
-
MD5
2c9d430dec7f0000209b7165e2027d73
-
SHA1
ea5e2204a4ceeaeef90bc556a62d20994faa6fd8
-
SHA256
eec5e1f9da04020337128f5c7a4ebcc65631aa591136788b8638c951ee2f4a85
-
SHA512
19e56143654e72625362335f5fee7e7282561818d3fe8fdfcd1787c946d51c0489a1ffd8294e29c79fbc4c8be7a43647812cc2c8c5a97408d9f38e902d47c6ab
-
SSDEEP
6144:PPIFgrHYFqlk06w5lJAjCeSUV1MtavDF/zne9X7Xf2iTxErC4zY:3IFCHYF706i7HeSw10yDhe9X7LyrC4zY
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 10 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
UPX packed file 14 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2c9d430dec7f0000209b7165e2027d73_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2c9d430dec7f0000209b7165e2027d73_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Alcazer Update.exe"C:\Users\Admin\AppData\Local\Temp\Alcazer Update.exe" 02⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\server.exeC:\\server.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Winservices.exe"C:\Windows\Winservices.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\server.exeC:\\server.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
367KB
MD55dadb5759009a28990c72ea7fc0c9cf2
SHA1544fe400a825f652de44154a15ecb9afe129329b
SHA2561fd7764250e3bddeeec37382a50da31161f2fbcf55a6133388f70774a59b10a3
SHA512816dd4f5e5d9129ce1b626fe764a969a0bb1e8231de3789a060dd965d0b28511daf4dffd1c8547872e7698c5892d0d9f8283983283e4917f4f492e4cb9f9c09c
-
Filesize
157KB
MD58b36554001524571d15176deaed686df
SHA1797fa19456a420bd0cd54d1d8a529b75e2ea64a9
SHA2563a8814870bb497857e4c8ddb09cc0b009f5e50395549c383c120bf1314262644
SHA5129c32ffb3e23e06c88eff5c389c8d8c051f7ab9bfd8815e759e0182977c444e767933da22d78b794ee2ce3a7b38d974c3510c298a77d34f1b38ab03563e089ed1
-
Filesize
52KB
-
Filesize
432KB
-
Filesize
4KB
-
Filesize
432KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB