Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    16/01/2025, 08:52 UTC

General

  • Target

    JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe

  • Size

    721KB

  • MD5

    714262a7a7bbf39256d333d4b5883b49

  • SHA1

    cba470a68080c499d50d99f337ef03fea0c8d1dd

  • SHA256

    26cd0bd1983a210a4e68b0ebb56029c17471d27d53cd2d8310bdb41c367d9191

  • SHA512

    cfa4c69d23ab8dc1f98a581f84062e4f919041aea627d30319f4925fdfe7a02eb796fcfd574a4ee1642327978b4f9a399e9fe1a0b97e1e7dd251fa400c8e0d97

  • SSDEEP

    12288:9c//////k7ymKeqPKgAlqOoh7rJZ9uIPMugRbg1MPNRUqPsbOGbBl4upep6duAe3:9c//////krBSlA0OmfJztVgYMFRULKik

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • ModiLoader Second Stage 6 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1836
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_714262a7a7bbf39256d333d4b5883b49.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Windows\SysWOW64\mstsc.exe
        "C:\Windows\system32\mstsc.exe"
        3⤵
        PID:2084

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/1836-5-0x0000000000400000-0x00000000004BB000-memory.dmp (Filesize: 748KB)
  • memory/2084-15-0x0000000000400000-0x00000000004BB000-memory.dmp (Filesize: 748KB)
  • memory/2084-13-0x0000000000400000-0x00000000004BB000-memory.dmp (Filesize: 748KB)
  • memory/2084-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/2404-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/2404-2-0x0000000000400000-0x00000000004BF000-memory.dmp (Filesize: 764KB)
  • memory/2404-4-0x0000000000400000-0x00000000004BF000-memory.dmp (Filesize: 764KB)
  • memory/2404-7-0x0000000000400000-0x00000000004BF000-memory.dmp (Filesize: 764KB)
  • memory/2404-8-0x0000000000400000-0x00000000004BF000-memory.dmp (Filesize: 764KB)
  • memory/2404-10-0x0000000000400000-0x00000000004BF000-memory.dmp (Filesize: 764KB)
  • memory/2404-16-0x0000000000400000-0x00000000004BF000-memory.dmp (Filesize: 764KB)
  • memory/2404-6-0x0000000000400000-0x00000000004BF000-memory.dmp (Filesize: 764KB)
