Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    18-12-2024 23:07

General

  • Target

    fd797a814e849b4bd85f721e987530a0_JaffaCakes118.dll

  • Size

    148KB

  • MD5

    fd797a814e849b4bd85f721e987530a0

  • SHA1

    490c520025aec21f18254e8ea329a39db2b83e66

  • SHA256

    fd7396c4b28c8dc79a31ee6558d14e381180de9d1d8b750a82f94e439f70a21a

  • SHA512

    3e2cc1795a73090cd4b08da42e1e50453e1c282c0e4004485dc2a1eaf792ee06bb68ffb6590a757387f73890db44ba30d5cb4e5e404ee847834a01cef9d010cd

  • SSDEEP

    1536:8l4qmQbmmelfzPPuiHCj/uwd3DiB3AgpXsATaEOO2L:tKDUz+Qwd32B3xpXbOBL

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • ModiLoader Second Stage 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\fd797a814e849b4bd85f721e987530a0_JaffaCakes118.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\fd797a814e849b4bd85f721e987530a0_JaffaCakes118.dll
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2820

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2820-0-0x00000000001E0000-0x0000000000205000-memory.dmp

    Filesize

    148KB

  • memory/2820-1-0x00000000001E0000-0x0000000000205000-memory.dmp

    Filesize

    148KB