Analysis
max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
01-11-2024 06:28
Static task
static1
Behavioral task
behavioral1
Sample
8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
Target
8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe
Size
609KB
MD5
8430d2883ceaf0e9366957be27728ab9
SHA1
1c76240ee032c82d241539739366e0238f729a57
SHA256
c17c7d9eed7ef63407fbffa4686f093e090c708b0495c3029bd757ca518e5577
SHA512
985890136d0682b8875de88d4a74045de7b9c20f129dabf3040997a297edd181b85a095fada740c3768eb40efcef5d98042365fef77fbdd28e91a6a7326ca8c9
SSDEEP
12288:8zfJ6Ckx5OKvAP+Z0k4oTNzo4Kf2F3Z4mxxGx5aZ9Sy4+6:8zfJ6pHvsT3oTNzcf2QmXGrdV
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Modiloader family
ModiLoader Second Stage 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2032-40-0x0000000000400000-0x0000000000576000-memory.dmp | modiloader_stage2
behavioral1/memory/2524-47-0x0000000000400000-0x0000000000576000-memory.dmp | modiloader_stage2
Deletes itself 1 IoCs
Processes: cmd.exe
pid | Process
2696 | cmd.exe
Executes dropped EXE 1 IoCs
Processes: mp3.exe
pid | Process
2032 | mp3.exe
Loads dropped DLL 2 IoCs
Processes: 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe
pid | Process
2524 | 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe
2524 | 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe
Drops file in System32 directory 4 IoCs
Processes: 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe, mp3.exe
description | ioc | Process
File created | C:\Windows\SysWOW64\mp3.exe | 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\mp3.exe | 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\mp3.exe | mp3.exe
File created | C:\Windows\SysWOW64\Deleteme.bat | 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: mp3.exe, cmd.exe, 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mp3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe
description | pid | Process | procid_target
PID 2524 wrote to memory of 2032 | 2524 | 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe | 30
PID 2524 wrote to memory of 2032 | 2524 | 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe | 30
PID 2524 wrote to memory of 2032 | 2524 | 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe | 30
PID 2524 wrote to memory of 2032 | 2524 | 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe | 30
PID 2524 wrote to memory of 2696 | 2524 | 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe | 31
PID 2524 wrote to memory of 2696 | 2524 | 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe | 31
PID 2524 wrote to memory of 2696 | 2524 | 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe | 31
PID 2524 wrote to memory of 2696 | 2524 | 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe | 31
Processes
C:\Users\Admin\AppData\Local\Temp\8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe"
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2524
    C:\Windows\SysWOW64\mp3.exe
    Command line: C:\Windows\system32\mp3.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID: 2032
    C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\system32\Deleteme.bat
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID: 2696
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
212B
MD5
272ab88723f48991df23db0d785d9a1a
SHA1
54f01c2e5e179df1b06f4cf365aad6ac3e7c6378
SHA256
c5665410de2bdb8c65d9ba9e60aae4380862915ef858796885b1f0af0b0d0db3
SHA512
6a737d44462a7398037b8c9a63883b21a83c4407452458510a4667bbad777f8630aa6522fe97a6c4df0d0f46c0e0d3f50d5020cedf166bffefc25143f2a4727e

Filesize
609KB
MD5
8430d2883ceaf0e9366957be27728ab9
SHA1
1c76240ee032c82d241539739366e0238f729a57
SHA256
c17c7d9eed7ef63407fbffa4686f093e090c708b0495c3029bd757ca518e5577
SHA512
985890136d0682b8875de88d4a74045de7b9c20f129dabf3040997a297edd181b85a095fada740c3768eb40efcef5d98042365fef77fbdd28e91a6a7326ca8c9