Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-12-2024 10:29

General

  • Target

    cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe

  • Size

    705KB

  • MD5

    cc81c48dade59b365af47f88d73d11d3

  • SHA1

    9f1f7268a3cb48a4d182d17f4995db9551a50cc3

  • SHA256

    dd48956600e9edd1e5e917a380013e5fe249a6704bb3ed730d0a4158c3d4379b

  • SHA512

    8142200accf60ec17c0f9f5b30a03d65a4aaca628293857cad2bccf2b2761493da862cc468dc7b90be4c3858dbe100b02bcd4f289663afb1d2d30836b56c6e9a

  • SSDEEP

    12288:yRjUrkgyBkGCt9y341FNdRGrlPFi0BNdgDbRwC3duXLE4dsTaHK:yBsk3yyofR0ri0Bs3VdvssTaq

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • ModiLoader Second Stage 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Program Files\Common Files\Microsoft Shared\MSINFO\Atievxe.exe
      "C:\Program Files\Common Files\Microsoft Shared\MSINFO\Atievxe.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Windows\SysWOW64\calc.exe
        "C:\Windows\system32\calc.exe"
        3⤵
          PID:2492
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1260

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • \Program Files\Common Files\Microsoft Shared\MSInfo\Atievxe.exe

      Filesize

      705KB

      MD5

      cc81c48dade59b365af47f88d73d11d3

      SHA1

      9f1f7268a3cb48a4d182d17f4995db9551a50cc3

      SHA256

      dd48956600e9edd1e5e917a380013e5fe249a6704bb3ed730d0a4158c3d4379b

      SHA512

      8142200accf60ec17c0f9f5b30a03d65a4aaca628293857cad2bccf2b2761493da862cc468dc7b90be4c3858dbe100b02bcd4f289663afb1d2d30836b56c6e9a

    • memory/2012-0-0x00000000002E0000-0x00000000002E1000-memory.dmp

      Filesize

      4KB

    • memory/2012-21-0x0000000000400000-0x00000000004B6A00-memory.dmp

      Filesize

      730KB

    • memory/2368-13-0x0000000000650000-0x0000000000651000-memory.dmp

      Filesize

      4KB

    • memory/2368-20-0x0000000000400000-0x00000000004B6A00-memory.dmp

      Filesize

      730KB

    • memory/2492-16-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

    • memory/2492-18-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

    • memory/2492-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB