Analysis

  • max time kernel
    141s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-11-2024 02:54

General

  • Target

    922648a5f30fc41df6fe9a5170503575_JaffaCakes118.exe

  • Size

    350KB

  • MD5

    922648a5f30fc41df6fe9a5170503575

  • SHA1

    13e2ba1c482fd269703f56955f96a450c0930f97

  • SHA256

    e9913f5553f79dedc047b5df4c66e1f2574bc10cb3757f6ba9203d46c0b11822

  • SHA512

    026933dd5ef0008b7521f0a0748c3352e25d06c5fb18c5f0e71729680018c743fffaee2c3bdae27137e7fbdb5caa888547ba65b088409581c4e458ea3f836e98

  • SSDEEP

    6144:IeLOFU2sDs3JqGCGhfu6PdsjVwuhvUkZn5IW2H2l4JoaH1SaSzCLzdJ7fBN:8sDs3J1Ccfevr0D/Cmjz

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • ModiLoader Second Stage 4 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\922648a5f30fc41df6fe9a5170503575_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\922648a5f30fc41df6fe9a5170503575_JaffaCakes118.exe"
    1⤵
    • Server Software Component: Terminal Services DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\922648a5f30fc41df6fe9a5170503575_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1936
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k remoteservice
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:4288

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \??\c:\windows\SysWOW64\sys.dll

    Filesize

    323KB

    MD5

    e3f62cf69fd9baaf2307df410dab9376

    SHA1

    cfa7f4619ccc989fbe95570df87d9ee875824d11

    SHA256

    bd4a806ea9d9149e223df8055e812b2893eb4a2e851c1c8e48048b523b7e132a

    SHA512

    fe336869d95c1f302b9ef833138d5c8f55b16bc5801dba3a086234a42fbada51f7d9d5fd8eeaa1cfe72d75ef82b5a5bbcf60f99007c54189affee202b3e637be

  • memory/1964-6-0x0000000000400000-0x000000000045D200-memory.dmp

    Filesize

    372KB

  • memory/4288-5-0x0000000000D60000-0x0000000000DB9000-memory.dmp

    Filesize

    356KB

  • memory/4288-7-0x0000000000D60000-0x0000000000DB9000-memory.dmp

    Filesize

    356KB