Analysis
- max time kernel: 143s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 31/10/2024, 02:15
Static task: static1
Behavioral task: behavioral1
- Sample: 812910d24e02ca6148329467d312b9d8_JaffaCakes118.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 812910d24e02ca6148329467d312b9d8_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 812910d24e02ca6148329467d312b9d8_JaffaCakes118.exe
- Size: 15KB
- MD5: 812910d24e02ca6148329467d312b9d8
- SHA1: d687f964af84a2faa14944eb16bc1e8de5517d70
- SHA256: 11bc0354de82a6f239dd747ed076ccc6c79744273d6f84909e7bff944a3d221b
- SHA512: d8f3c93150ae2eed370a9709034ab8dccb943d0bf2eb63a2f23ffcd5cffb0f2dd4a2a302750f48a8012eb92f962a36fae68e810d0b94245c42a06bad11cebeb5
- SSDEEP: 384:Cy2GE954szZ3QYNTvq0lzwDtJcq3PTu7JnYHbE+MFDGa2dRQ:D239G+Nvkkq3PTbHblU2dK
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage (2 IoCs)
  resource / yara_rule:
    behavioral1/memory/2760-4-0x0000000013140000-0x0000000013152000-memory.dmp  modiloader_stage2
    behavioral1/memory/3008-22-0x0000000013140000-0x0000000013152000-memory.dmp  modiloader_stage2
- Deletes itself (1 IoC)
  pid / Process:
    2756  cmd.exe
- Executes dropped EXE (2 IoCs)
  pid / Process:
    3008  wupdmgr.exe
    2864  wupdmgr.exe
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Suspicious use of SetThreadContext (3 IoCs)
  description / pid / Process / procid_target:
    PID 2760 set thread context of 2824  2760  812910d24e02ca6148329467d312b9d8_JaffaCakes118.exe  30
    PID 3008 set thread context of 2864  3008  wupdmgr.exe  32
    PID 2864 set thread context of 2652  2864  wupdmgr.exe  35
- resource / yara_rule:
    behavioral1/memory/2824-6-0x0000000000400000-0x000000000040B000-memory.dmp  upx
    behavioral1/memory/2824-7-0x0000000000400000-0x000000000040B000-memory.dmp  upx
    behavioral1/memory/2824-3-0x0000000000400000-0x000000000040B000-memory.dmp  upx
    behavioral1/memory/2864-20-0x0000000000400000-0x000000000040B000-memory.dmp  upx
    behavioral1/memory/2864-24-0x0000000000400000-0x000000000040B000-memory.dmp  upx
    behavioral1/memory/2824-25-0x0000000000400000-0x000000000040B000-memory.dmp  upx
    behavioral1/memory/2864-29-0x0000000000400000-0x000000000040B000-memory.dmp  upx
- Drops file in Windows directory (3 IoCs)
  description / ioc / Process:
    File created  C:\Windows\vmmlog32.dll  812910d24e02ca6148329467d312b9d8_JaffaCakes118.exe
    File created  C:\Windows\wupdmgr.exe  812910d24e02ca6148329467d312b9d8_JaffaCakes118.exe
    File opened for modification  C:\Windows\wupdmgr.exe  812910d24e02ca6148329467d312b9d8_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wupdmgr.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  812910d24e02ca6148329467d312b9d8_JaffaCakes118.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  812910d24e02ca6148329467d312b9d8_JaffaCakes118.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wupdmgr.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid / Process:
    2864  wupdmgr.exe
- Suspicious use of WriteProcessMemory (25 IoCs; identical rows grouped, with the number of times each was reported)
  description / pid / Process / procid_target / count:
    PID 2760 wrote to memory of 2824  2760  812910d24e02ca6148329467d312b9d8_JaffaCakes118.exe  30  6
    PID 2824 wrote to memory of 3008  2824  812910d24e02ca6148329467d312b9d8_JaffaCakes118.exe  31  4
    PID 3008 wrote to memory of 2864  3008  wupdmgr.exe  32  6
    PID 2824 wrote to memory of 2756  2824  812910d24e02ca6148329467d312b9d8_JaffaCakes118.exe  33  4
    PID 2864 wrote to memory of 2652  2864  wupdmgr.exe  35  5
Processes
1. C:\Users\Admin\AppData\Local\Temp\812910d24e02ca6148329467d312b9d8_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\812910d24e02ca6148329467d312b9d8_JaffaCakes118.exe"
   PID: 2760
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\812910d24e02ca6148329467d312b9d8_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\812910d24e02ca6148329467d312b9d8_JaffaCakes118.exe
      PID: 2824
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\wupdmgr.exe
         Command line: "C:\Windows\wupdmgr.exe"
         PID: 3008
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\wupdmgr.exe
            Command line: C:\Windows\wupdmgr.exe
            PID: 2864
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\svchost.exe
               Command line: svchost.exe
               PID: 2652
               - System Location Discovery: System Language Discovery
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\812910~1.EXE > nul
         PID: 2756
         - Deletes itself
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 7KB
  MD5: 8dd4273ec0cc7b3547fe713022c60eb7
  SHA1: 776862128eb0005931a21626b9632046c92ffc9f
  SHA256: 35caef39c7465601f6a4fcd19594a888108d97e584eab7d1f61afab1ff044971
  SHA512: 8c0fc25a50e61c48d1de0021ec8da7d7ea58f21917c21abd4210d54c4e999a234821ef8c0b6347d49dcb31e440cb13722004e63cea54451988a8a4cc015e3992
- Filesize: 15KB
  MD5: 812910d24e02ca6148329467d312b9d8
  SHA1: d687f964af84a2faa14944eb16bc1e8de5517d70
  SHA256: 11bc0354de82a6f239dd747ed076ccc6c79744273d6f84909e7bff944a3d221b
  SHA512: d8f3c93150ae2eed370a9709034ab8dccb943d0bf2eb63a2f23ffcd5cffb0f2dd4a2a302750f48a8012eb92f962a36fae68e810d0b94245c42a06bad11cebeb5