Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06-12-2024 10:29
Behavioral task
behavioral1
Sample
cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe
-
Size
705KB
-
MD5
cc81c48dade59b365af47f88d73d11d3
-
SHA1
9f1f7268a3cb48a4d182d17f4995db9551a50cc3
-
SHA256
dd48956600e9edd1e5e917a380013e5fe249a6704bb3ed730d0a4158c3d4379b
-
SHA512
8142200accf60ec17c0f9f5b30a03d65a4aaca628293857cad2bccf2b2761493da862cc468dc7b90be4c3858dbe100b02bcd4f289663afb1d2d30836b56c6e9a
-
SSDEEP
12288:yRjUrkgyBkGCt9y341FNdRGrlPFi0BNdgDbRwC3duXLE4dsTaHK:yBsk3yyofR0ri0Bs3VdvssTaq
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 4 IoCs
resource yara_rule behavioral1/files/0x00090000000120f9-3.dat modiloader_stage2 behavioral1/memory/2368-20-0x0000000000400000-0x00000000004B6A00-memory.dmp modiloader_stage2 behavioral1/memory/2492-18-0x0000000000400000-0x00000000004B7000-memory.dmp modiloader_stage2 behavioral1/memory/2012-21-0x0000000000400000-0x00000000004B6A00-memory.dmp modiloader_stage2 -
Executes dropped EXE 1 IoCs
pid Process 2368 Atievxe.exe -
Loads dropped DLL 2 IoCs
pid Process 2012 cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe 2012 cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\_Atievxe.exe Atievxe.exe File opened for modification C:\Windows\SysWOW64\_Atievxe.exe Atievxe.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2368 set thread context of 2492 2368 Atievxe.exe 31 -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\Atievxe.exe cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\Atievxe.exe cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Atievxe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2012 wrote to memory of 2368 2012 cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe 30 PID 2012 wrote to memory of 2368 2012 cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe 30 PID 2012 wrote to memory of 2368 2012 cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe 30 PID 2012 wrote to memory of 2368 2012 cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe 30 PID 2368 wrote to memory of 2492 2368 Atievxe.exe 31 PID 2368 wrote to memory of 2492 2368 Atievxe.exe 31 PID 2368 wrote to memory of 2492 2368 Atievxe.exe 31 PID 2368 wrote to memory of 2492 2368 Atievxe.exe 31 PID 2368 wrote to memory of 2492 2368 Atievxe.exe 31 PID 2368 wrote to memory of 2492 2368 Atievxe.exe 31 PID 2012 wrote to memory of 1260 2012 cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe 32 PID 2012 wrote to memory of 1260 2012 cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe 32 PID 2012 wrote to memory of 1260 2012 cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe 32 PID 2012 wrote to memory of 1260 2012 cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Program Files\Common Files\Microsoft Shared\MSINFO\Atievxe.exe"C:\Program Files\Common Files\Microsoft Shared\MSINFO\Atievxe.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\calc.exe"C:\Windows\system32\calc.exe"3⤵PID:2492
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe"2⤵
- System Location Discovery: System Language Discovery
PID:1260
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
705KB
MD5cc81c48dade59b365af47f88d73d11d3
SHA19f1f7268a3cb48a4d182d17f4995db9551a50cc3
SHA256dd48956600e9edd1e5e917a380013e5fe249a6704bb3ed730d0a4158c3d4379b
SHA5128142200accf60ec17c0f9f5b30a03d65a4aaca628293857cad2bccf2b2761493da862cc468dc7b90be4c3858dbe100b02bcd4f289663afb1d2d30836b56c6e9a