Analysis
-
max time kernel
147s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
07-12-2024 19:43
General
-
Target
d34e00616f9435ea4230af0f02433e00_JaffaCakes118.exe
-
Size
304KB
-
MD5
d34e00616f9435ea4230af0f02433e00
-
SHA1
84d3dcb08b90c308235cab9cd108197bafe24578
-
SHA256
d30ae0561d7bc2e97add3641d019ea2d4e005a194aa92779aac1fdc7ad85aa5c
-
SHA512
1565e181adb8fb67b09cf9f196283be7aa4e2d22272d267072112110178cd330c854bc6f99e940063774e49e90fc5c489488f0815cb13bc9b546b279e78f830c
-
SSDEEP
6144:p2LMosRplrZ4W6CqYKt6jw1j+oSnJTVxdSxoJIksI13t+R:oMowpVWWRFKueZSnJJfJHnS
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 3 IoCs
-
Executes dropped EXE 2 IoCs
-
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
-
Loads dropped DLL 4 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 3 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d34e00616f9435ea4230af0f02433e00_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d34e00616f9435ea4230af0f02433e00_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\msnmsgr.exe"C:\Windows\msnmsgr.exe"2⤵
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ldapi32.exeC:\Windows\system32\ldapi32.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD547d49db219a0a7b2b1ec8b9a357045d6
SHA1297ef13862b0aab027f56f0cb3e66abfd6261b2e
SHA256b9854ad352414803c704022b6cfd10b9911bb3353fca8077cc23aa89ebf4a994
SHA512dc9d0afa87f5d50a76beb157751a519676c8363b5c91c205d517219475ac0bb78c566a19bf4006946ee086ceae3574cfe0936d70bd41f465d547cf92bdf755e0
-
Filesize
281KB
MD5b46792c856d70c617f22c28d9ab53f90
SHA15d987e455c70e80dba7003f329fa37e011608573
SHA256967a29663b44caa7cc11f1012211fbbb9fa2ffde72c3f0d57dad34a73ca12028
SHA51208a83cc0daf9f56e4783d7c1347db08d562dee4aa40eb9635007fb0a4a27e777ed28cab39b81693941db4925e72a9d8056dbe0da1c0b837ed04e836f6923669b
-
Filesize
11KB
MD5494dbaadd3f62ec0560cb911b1704486
SHA1f6302506396afd0d82b2571f68a3414bbb9633df
SHA256a06966bfe368d7740c162a295f5dbeade37f0e479273f4cc2b5f6205b4f7361f
SHA5123fd7535430c543ac4eb0da0e07c10cff0bca1f2f748e5ed386e4ff9769367a4e3b8ea79b591e26db5e3aef6df94bbc4fd34b57df1636f7e669965ebcf1e61dd0
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
36KB
-
Filesize
1.7MB
-
Filesize
36KB
-
Filesize
332KB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
48KB