Analysis
max time kernel: 119s
max time network: 123s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 18-12-2024 23:07
Behavioral task behavioral1
Sample: fd797a814e849b4bd85f721e987530a0_JaffaCakes118.dll
Resource: win7-20241010-en
Behavioral task behavioral2
Sample: fd797a814e849b4bd85f721e987530a0_JaffaCakes118.dll
Resource: win10v2004-20241007-en
The signatures and process tree below are all from behavioral1 (the Windows 7 x64 run); no output from the Windows 10 run (behavioral2) appears on this page.
General
Target: fd797a814e849b4bd85f721e987530a0_JaffaCakes118.dll
Size: 148KB
MD5: fd797a814e849b4bd85f721e987530a0
SHA1: 490c520025aec21f18254e8ea329a39db2b83e66
SHA256: fd7396c4b28c8dc79a31ee6558d14e381180de9d1d8b750a82f94e439f70a21a
SHA512: 3e2cc1795a73090cd4b08da42e1e50453e1c282c0e4004485dc2a1eaf792ee06bb68ffb6590a757387f73890db44ba30d5cb4e5e404ee847834a01cef9d010cd
SSDEEP: 1536:8l4qmQbmmelfzPPuiHCj/uwd3DiB3AgpXsATaEOO2L:tKDUz+Qwd32B3xpXbOBL
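Before pivoting on the digests above, confirm that the file you hold is the same object the sandbox ran. The following helper is an added example, not part of the report: it computes all four digests in a single pass over the file and lists which ones disagree with the values in the General section. The sample itself is not on this page, so the self-check below uses constructed input; `digest_file` takes whatever local path you supply.

```python
"""Check a local file against the digests in the General section above.

Added example, not part of the sandbox report.  The report values are copied
verbatim; the only assumption is that you have the sample as a local file.
"""
import hashlib

# Digests copied from the General section of the report.
REPORT = {
    "md5": "fd797a814e849b4bd85f721e987530a0",
    "sha1": "490c520025aec21f18254e8ea329a39db2b83e66",
    "sha256": "fd7396c4b28c8dc79a31ee6558d14e381180de9d1d8b750a82f94e439f70a21a",
    "sha512": "3e2cc1795a73090cd4b08da42e1e50453e1c282c0e4004485dc2a1eaf792ee06"
              "bb68ffb6590a757387f73890db44ba30d5cb4e5e404ee847834a01cef9d010cd",
}
ALGOS = ("md5", "sha1", "sha256", "sha512")


def digest_stream(chunks):
    """Feed every chunk to all four hashers at once; returns hexdigests plus byte count."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    size = 0
    for chunk in chunks:
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    result = {algo: h.hexdigest() for algo, h in hashers.items()}
    result["size"] = size
    return result


def digest_file(path, bufsize=1 << 20):
    """Stream the file in bufsize pieces so large samples are not read into memory whole."""
    with open(path, "rb") as f:
        return digest_stream(iter(lambda: f.read(bufsize), b""))


def mismatches(observed, expected=REPORT):
    """Names of digests that differ from the report; an empty list means the file matches."""
    return [algo for algo in expected if observed.get(algo) != expected[algo]]


if __name__ == "__main__":
    import sys
    # Usage: python check_sample.py <path-to-local-copy-of-the-sample>
    bad = mismatches(digest_file(sys.argv[1]))
    print("match" if not bad else "MISMATCH on: " + ", ".join(bad))
```

A mismatch on any one digest means you are not looking at the submitted file (a re-packed or partially downloaded copy is the usual cause) and the behaviour below should not be assumed to apply to it.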
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a loader written in Delphi that abuses legitimate cloud services to download and run other malware families.
Modiloader family
ModiLoader Second Stage (2 IoCs)
yara_rule modiloader_stage2 matched in:
  behavioral1/memory/2820-0-0x00000000001E0000-0x0000000000205000-memory.dmp
  behavioral1/memory/2820-1-0x00000000001E0000-0x0000000000205000-memory.dmp
Both hits are dumps of the same region in PID 2820, the 32-bit regsvr32.exe child in the process tree below. The region is 0x25000 (151552) bytes, the same size as the 148KB submitted DLL, which is consistent with the DLL's own bytes being what the rule matched. These memory hits are the substantive indicator on this page; the two signatures that follow are weak on their own.
System Location Discovery: System Language Discovery (1 TTP, 1 IoC; MITRE ATT&CK T1614.001)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: regsvr32.exe (PID 2820 in the process tree below)
Opening the NLS\Language key is also routine for benign locale lookups, so treat this as supporting context for the memory hits above rather than as an indicator by itself.
Suspicious use of WriteProcessMemory (7 IoCs)
description: wrote to memory
PID 2760 (regsvr32.exe) wrote to memory of PID 2820, procid_target 30; the same record is listed 7 times with identical fields.
Every entry is a write from the 64-bit regsvr32.exe (PID 2760) into the 32-bit regsvr32.exe child it spawned (PID 2820). That parent-to-child write pattern is consistent with regsvr32's normal behaviour on 64-bit Windows, where the system32 copy re-launches the SysWOW64 copy for a 32-bit DLL (the resource tags list arch:x86 alongside arch:x64), so do not read it as injection by the sample; the loader's own activity is what the modiloader_stage2 hits in PID 2820 record.
Processes
1. C:\Windows\system32\regsvr32.exe
   command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\fd797a814e849b4bd85f721e987530a0_JaffaCakes118.dll
   PID: 2760
   signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe (child of PID 2760)
      command line: /s C:\Users\Admin\AppData\Local\Temp\fd797a814e849b4bd85f721e987530a0_JaffaCakes118.dll
      PID: 2820
      signatures: System Location Discovery: System Language Discovery
The sandbox launched the sample with regsvr32 /s (silent registration, no dialogs) from the user's Temp directory; the 64-bit regsvr32.exe then handed the same DLL to its SysWOW64 (32-bit) counterpart, and it is that child, PID 2820, whose memory matched modiloader_stage2.
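The signature entries and the process tree above are printed as flattened records, and the one behaviour worth alerting on (regsvr32 silently registering a DLL out of the user's Temp directory) is mixed in with a parent-to-child memory write that the 64-bit to 32-bit regsvr32 hand-off explains. The block below is an added example, not sandbox output or part of the report: it parses records in the shape this page prints them, labels the memory writes that a hand-off accounts for, and leaves any other cross-process write flagged. All sample records are constructed from the report's own values, and the record format is assumed from the report text rather than from any sandbox API.

```python
"""Triage of the regsvr32 process tree and WriteProcessMemory IoCs shown above.

Added example, not output of the sandbox or part of the report.  Sample
records are constructed from the report's values; the text format of the
write events is assumed from how this page prints them.
"""
import re
from collections import Counter

# Constructed from the Processes section: (pid, parent pid, image, command line).
PROCESSES = [
    (2760, None, r"C:\Windows\system32\regsvr32.exe",
     r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\fd797a814e849b4bd85f721e987530a0_JaffaCakes118.dll"),
    (2820, 2760, r"C:\Windows\SysWOW64\regsvr32.exe",
     r"/s C:\Users\Admin\AppData\Local\Temp\fd797a814e849b4bd85f721e987530a0_JaffaCakes118.dll"),
]

# Constructed from the WriteProcessMemory section: the same record, seven times.
WRITE_EVENTS_TEXT = "PID 2760 wrote to memory of 2820 2760 regsvr32.exe 30\n" * 7

# "PID <writer> wrote to memory of <target> <writer> <image> <report-internal id>"
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
DLL_RE = re.compile(r"(?i)\b[a-z]:\\\S+?\.dll")
SILENT_RE = re.compile(r"(?i)(?:^|\s)/s(?:\s|$)")
USER_TEMP_RE = re.compile(r"(?i)\\appdata\\local\\temp\\")


def parse_write_events(text):
    """Collapse repeated write records into Counter[(writer_pid, target_pid, image)]."""
    counts = Counter()
    for m in WRITE_RE.finditer(text):
        counts[(int(m.group(1)), int(m.group(2)), m.group(3))] += 1
    return counts


def dll_arg(cmdline):
    """First *.dll path on the command line, lower-cased for comparison, or None."""
    m = DLL_RE.search(cmdline)
    return m.group(0).lower() if m else None


def silent_regsvr32_from_temp(procs):
    """regsvr32 /s pointed at a DLL under the user's AppData\\Local\\Temp: the alert-worthy behaviour."""
    hits = []
    for pid, _ppid, image, cmd in procs:
        if image.lower().endswith(r"\regsvr32.exe") and SILENT_RE.search(cmd):
            dll = dll_arg(cmd)
            if dll and USER_TEMP_RE.search(dll):
                hits.append((pid, dll))
    return hits


def wow64_handoff(procs):
    """(parent, child, dll) where system32\\regsvr32.exe spawned SysWOW64\\regsvr32.exe on the same DLL.

    On 64-bit Windows regsvr32 re-launches its 32-bit copy for a 32-bit DLL, so
    this pair is context (the DLL is 32-bit), not an alert by itself.
    """
    by_pid = {p[0]: p for p in procs}
    pairs = []
    for pid, ppid, image, cmd in procs:
        parent = by_pid.get(ppid)
        if parent is None:
            continue
        if (r"\syswow64\regsvr32.exe" in image.lower()
                and r"\system32\regsvr32.exe" in parent[2].lower()
                and dll_arg(cmd) == dll_arg(parent[3])):
            pairs.append((ppid, pid, dll_arg(cmd)))
    return pairs


def triage(procs, write_text):
    """Human-readable findings; memory writes explained by a hand-off are labelled as such."""
    handoff_pairs = {(parent, child) for parent, child, _ in wow64_handoff(procs)}
    findings = [f"regsvr32 /s on DLL in user Temp: pid {pid} -> {dll}"
                for pid, dll in silent_regsvr32_from_temp(procs)]
    for (writer, target, image), n in parse_write_events(write_text).items():
        why = ("expected for 64->32-bit regsvr32 hand-off" if (writer, target) in handoff_pairs
               else "UNEXPLAINED cross-process write")
        findings.append(f"pid {writer} wrote to pid {target} ({image}) x{n}: {why}")
    return findings


if __name__ == "__main__":
    for line in triage(PROCESSES, WRITE_EVENTS_TEXT):
        print(line)
```

Run against the report's records it yields two Temp-directory findings (one per regsvr32 instance, since both carry the same DLL path) and one collapsed write record marked as explained by the hand-off; feed it a tree where the writer is not the system32 parent of a SysWOW64 child and the same write is reported as unexplained, which is the case that deserves a look.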