Analysis
-
max time kernel
16s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
15/01/2025, 13:50 UTC
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_58a6b7936f77edd249d96a4f66773eb3.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
JaffaCakes118_58a6b7936f77edd249d96a4f66773eb3.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_58a6b7936f77edd249d96a4f66773eb3.exe
-
Size
641KB
-
MD5
58a6b7936f77edd249d96a4f66773eb3
-
SHA1
59cf3e90ce1cd132b5e8bd133640c0d48a4de730
-
SHA256
205154024fb9ad6f526f58b048871fe35a80e48aaccf36fb9c83e1e9450bc13e
-
SHA512
375330eb88298e7942619a21027ee760388fd062b847317e1a562259874e5e30871c28746b4c7551cfd4e3817da3a8c02bd50b3b30609c756eae9a1d8147176f
-
SSDEEP
12288:0ZT2HoQqB80SvFeuEMN1c2obY7tXE6VA8ZHjp:0hSojB80SvFeXMpocZXEB6Hjp
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 1 IoCs
resource yara_rule behavioral1/memory/2216-21-0x0000000000400000-0x0000000000575000-memory.dmp modiloader_stage2 -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2216 set thread context of 2756 2216 JaffaCakes118_58a6b7936f77edd249d96a4f66773eb3.exe 30 -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\Fiele Ps.txt JaffaCakes118_58a6b7936f77edd249d96a4f66773eb3.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_58a6b7936f77edd249d96a4f66773eb3.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2216 wrote to memory of 2756 2216 JaffaCakes118_58a6b7936f77edd249d96a4f66773eb3.exe 30 PID 2216 wrote to memory of 2756 2216 JaffaCakes118_58a6b7936f77edd249d96a4f66773eb3.exe 30 PID 2216 wrote to memory of 2756 2216 JaffaCakes118_58a6b7936f77edd249d96a4f66773eb3.exe 30 PID 2216 wrote to memory of 2756 2216 JaffaCakes118_58a6b7936f77edd249d96a4f66773eb3.exe 30 PID 2216 wrote to memory of 2756 2216 JaffaCakes118_58a6b7936f77edd249d96a4f66773eb3.exe 30 PID 2216 wrote to memory of 2756 2216 JaffaCakes118_58a6b7936f77edd249d96a4f66773eb3.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58a6b7936f77edd249d96a4f66773eb3.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58a6b7936f77edd249d96a4f66773eb3.exe"1⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\mstsc.exe"C:\Windows\system32\mstsc.exe"2⤵PID:2756
-