Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16/01/2025, 08:52 UTC
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe
-
Size
721KB
-
MD5
714262a7a7bbf39256d333d4b5883b49
-
SHA1
cba470a68080c499d50d99f337ef03fea0c8d1dd
-
SHA256
26cd0bd1983a210a4e68b0ebb56029c17471d27d53cd2d8310bdb41c367d9191
-
SHA512
cfa4c69d23ab8dc1f98a581f84062e4f919041aea627d30319f4925fdfe7a02eb796fcfd574a4ee1642327978b4f9a399e9fe1a0b97e1e7dd251fa400c8e0d97
-
SSDEEP
12288:9c//////k7ymKeqPKgAlqOoh7rJZ9uIPMugRbg1MPNRUqPsbOGbBl4upep6duAe3:9c//////krBSlA0OmfJztVgYMFRULKik
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 6 IoCs
resource yara_rule behavioral1/memory/2404-4-0x0000000000400000-0x00000000004BF000-memory.dmp modiloader_stage2 behavioral1/memory/2404-7-0x0000000000400000-0x00000000004BF000-memory.dmp modiloader_stage2 behavioral1/memory/2404-8-0x0000000000400000-0x00000000004BF000-memory.dmp modiloader_stage2 behavioral1/memory/2404-10-0x0000000000400000-0x00000000004BF000-memory.dmp modiloader_stage2 behavioral1/memory/2404-16-0x0000000000400000-0x00000000004BF000-memory.dmp modiloader_stage2 behavioral1/memory/2404-6-0x0000000000400000-0x00000000004BF000-memory.dmp modiloader_stage2 -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1836 set thread context of 2404 1836 JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe 30 PID 2404 set thread context of 2084 2404 JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe 31 -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\2009.txt JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1836 wrote to memory of 2404 1836 JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe 30 PID 1836 wrote to memory of 2404 1836 JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe 30 PID 1836 wrote to memory of 2404 1836 JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe 30 PID 1836 wrote to memory of 2404 1836 JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe 30 PID 1836 wrote to memory of 2404 1836 JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe 30 PID 1836 wrote to memory of 2404 1836 JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe 30 PID 2404 wrote to memory of 2084 2404 JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe 31 PID 2404 wrote to memory of 2084 2404 JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe 31 PID 2404 wrote to memory of 2084 2404 JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe 31 PID 2404 wrote to memory of 2084 2404 JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe 31 PID 2404 wrote to memory of 2084 2404 JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe 31 PID 2404 wrote to memory of 2084 2404 JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe2⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\mstsc.exe"C:\Windows\system32\mstsc.exe"3⤵PID:2084
-
-