Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-11-2024 06:28
Static task: static1
Behavioral task: behavioral1
  Sample: 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
- Target: 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe
- Size: 609KB
- MD5: 8430d2883ceaf0e9366957be27728ab9
- SHA1: 1c76240ee032c82d241539739366e0238f729a57
- SHA256: c17c7d9eed7ef63407fbffa4686f093e090c708b0495c3029bd757ca518e5577
- SHA512: 985890136d0682b8875de88d4a74045de7b9c20f129dabf3040997a297edd181b85a095fada740c3768eb40efcef5d98042365fef77fbdd28e91a6a7326ca8c9
- SSDEEP: 12288:8zfJ6Ckx5OKvAP+Z0k4oTNzo4Kf2F3Z4mxxGx5aZ9Sy4+6:8zfJ6pHvsT3oTNzcf2QmXGrdV
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage (2 IoCs)
  Processes (resource | yara_rule):
    behavioral2/memory/2224-73-0x0000000000400000-0x0000000000576000-memory.dmp | modiloader_stage2
    behavioral2/memory/2028-75-0x0000000000400000-0x0000000000576000-memory.dmp | modiloader_stage2
- Executes dropped EXE (1 IoC)
  Processes (pid | Process):
    2224 | mp3.exe
- Drops file in System32 directory (4 IoCs)
  Processes (description | ioc | Process):
    File created | C:\Windows\SysWOW64\mp3.exe | 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe
    File opened for modification | C:\Windows\SysWOW64\mp3.exe | 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe
    File opened for modification | C:\Windows\SysWOW64\mp3.exe | mp3.exe
    File created | C:\Windows\SysWOW64\Deleteme.bat | 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe
- Program crash (2 IoCs)
  Processes (pid | pid_target | Process | procid_target):
    3896 | 2028 | WerFault.exe | 83
    2164 | 2224 | WerFault.exe | 90
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description | ioc | Process):
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mp3.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | Process | procid_target):
    PID 2028 wrote to memory of 2224 | 2028 | 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe | 90
    PID 2028 wrote to memory of 2224 | 2028 | 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe | 90
    PID 2028 wrote to memory of 2224 | 2028 | 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe | 90
    PID 2028 wrote to memory of 4364 | 2028 | 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe | 93
    PID 2028 wrote to memory of 4364 | 2028 | 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe | 93
    PID 2028 wrote to memory of 4364 | 2028 | 8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe | 93
Processes (indentation shows the parent/child tree; the number after each entry is its depth level)
- C:\Users\Admin\AppData\Local\Temp\8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8430d2883ceaf0e9366957be27728ab9_JaffaCakes118.exe"
  PID: 2028
  Signatures: Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (level 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 324
    PID: 3896
    Signatures: Program crash
  - C:\Windows\SysWOW64\mp3.exe (level 2)
    Command line: C:\Windows\system32\mp3.exe
    PID: 2224
    Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\WerFault.exe (level 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 324
      PID: 2164
      Signatures: Program crash
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
    PID: 4364
    Signatures: System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2028 -ip 2028
  PID: 1740
- C:\Windows\SysWOW64\WerFault.exe (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2224 -ip 2224
  PID: 4968
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 212B
  MD5: 272ab88723f48991df23db0d785d9a1a
  SHA1: 54f01c2e5e179df1b06f4cf365aad6ac3e7c6378
  SHA256: c5665410de2bdb8c65d9ba9e60aae4380862915ef858796885b1f0af0b0d0db3
  SHA512: 6a737d44462a7398037b8c9a63883b21a83c4407452458510a4667bbad777f8630aa6522fe97a6c4df0d0f46c0e0d3f50d5020cedf166bffefc25143f2a4727e
- Filesize: 609KB
  MD5: 8430d2883ceaf0e9366957be27728ab9
  SHA1: 1c76240ee032c82d241539739366e0238f729a57
  SHA256: c17c7d9eed7ef63407fbffa4686f093e090c708b0495c3029bd757ca518e5577
  SHA512: 985890136d0682b8875de88d4a74045de7b9c20f129dabf3040997a297edd181b85a095fada740c3768eb40efcef5d98042365fef77fbdd28e91a6a7326ca8c9