Analysis
Max time kernel: 121s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 18-12-2024 06:44

Static task: static1

Behavioral task: behavioral1
Sample: fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe
Size: 174KB
MD5: fa81051829a3d385d98e67238af2565a
SHA1: 341a494d1a82f9c6965c456495ff0c7429b8353d
SHA256: b5c96d6f5d3cf75e91f7b43166b86042b8951b75d5a9f3cd9642abee38776376
SHA512: 8cf6daefe0326bdf920292883881d897d8cd6f92b8408793641713590058e1b06b9926d15cecdd8ea819932cd502ef938a3f119c8092cb8ba86938fd4333b1b0
SSDEEP: 3072:T1Y/WrL2R2eR3qKmZCDO9r37AuIId0xtsH9wTrw/rOFoIC3Trw/rOFoICc:pY/Wr42eVq7Zn7HbnKTU/rMoJTU/rMoq
Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modiloader family

ModiLoader Second Stage (5 IoCs)
resource                                                                     yara_rule
behavioral1/memory/2320-7-0x0000000000400000-0x000000000041B000-memory.dmp   modiloader_stage2
behavioral1/memory/2320-9-0x0000000000400000-0x000000000041B000-memory.dmp   modiloader_stage2
behavioral1/memory/2320-6-0x0000000000400000-0x000000000041B000-memory.dmp   modiloader_stage2
behavioral1/memory/2320-4-0x0000000000400000-0x000000000041B000-memory.dmp   modiloader_stage2
behavioral1/memory/2320-23-0x0000000000400000-0x000000000041B000-memory.dmp  modiloader_stage2
Executes dropped EXE (1 IoC)
pid   Process
2800  server.exe

Loads dropped DLL (2 IoCs)
pid   Process
2320  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe
2320  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe

Suspicious use of SetThreadContext (1 IoC)
description                           pid   Process                                              procid_target
PID 2060 set thread context of 2320   2060  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe  31
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2800  server.exe
2800  server.exe

Suspicious use of WriteProcessMemory (16 IoCs)
description                        pid   Process                                              procid_target
PID 2060 wrote to memory of 2320   2060  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe  31
PID 2060 wrote to memory of 2320   2060  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe  31
PID 2060 wrote to memory of 2320   2060  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe  31
PID 2060 wrote to memory of 2320   2060  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe  31
PID 2060 wrote to memory of 2320   2060  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe  31
PID 2060 wrote to memory of 2320   2060  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe  31
PID 2320 wrote to memory of 2800   2320  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe  32
PID 2320 wrote to memory of 2800   2320  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe  32
PID 2320 wrote to memory of 2800   2320  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe  32
PID 2320 wrote to memory of 2800   2320  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe  32
PID 2800 wrote to memory of 1208   2800  server.exe                                           21
PID 2800 wrote to memory of 1208   2800  server.exe                                           21
PID 2800 wrote to memory of 1208   2800  server.exe                                           21
PID 2800 wrote to memory of 1208   2800  server.exe                                           21
PID 2800 wrote to memory of 1208   2800  server.exe                                           21
PID 2800 wrote to memory of 1208   2800  server.exe                                           21
Processes

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 1208

   2. C:\Users\Admin\AppData\Local\Temp\fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe"
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2060

      3. C:\Users\Admin\AppData\Local\Temp\fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe"
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 2320

         4. C:\Users\Admin\AppData\Local\Temp\server.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            PID: 2800
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 28KB
MD5: 723fc73467d4c8e79f615bb510d2ce1d
SHA1: 19ea3c5221b035643cba3844c2a41edaa03eb87a
SHA256: 063481090a49a80feed9c88f8ca62f7f6919fff2adea4309323fdeb3d79f3ddd
SHA512: e0acec47316335264bbf7f020f05784d3ac3cb6765cfda812df0c5a991575a38992333c5e74d43bbb69a0f6275777a9deadbcb4464704b9e6aa1ca39acc03b22