Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/01/2025, 23:11

General

  • Target

    JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe

  • Size

    719KB

  • MD5

    99b275b5cc5a6bb8d492490c6979bae9

  • SHA1

    ab7301c148263996feaeff276bf9825be0d39659

  • SHA256

    aecec29b477c1a6f99aa8c512cc3179ef577ce814f74dc87005407bdd1602601

  • SHA512

    79022795c97a82b5737b63c169d33afeb3abf4b1b674b27a2b8b720468e1e736089987a8b2e6ddf2708a2b67d5ba2e74e10e440d98e8b6fe6422ef82f9b90469

  • SSDEEP

    12288:UJv4sbmf230mGKBE6ONz7oCqqu5FP03W3LzO9cg8SjSIMaolh+mS:U1SlmGd6R3qu5FPAiLzARdSIMaN

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • ModiLoader Second Stage 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\456.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\456.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\program files\common files\microsoft shared\msinfo\¸´¼þ Sx_server.exe
        "C:\program files\common files\microsoft shared\msinfo\¸´¼þ Sx_server.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\program files\internet explorer\IEXPLORE.EXE
          "C:\program files\internet explorer\IEXPLORE.EXE"
          4⤵
            PID:1152
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NOTEPAD.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NOTEPAD.EXE
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3016

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files\Common Files\Microsoft Shared\MSInfo\¸´¼þ Sx_server.exe

      Filesize

      289KB

      MD5

      a8574aaf3427d0c468da1100fd1526ff

      SHA1

      012fefa0bb040c2528ef7266d535f2fe5cbf7707

      SHA256

      81bf66543e6ff717c9f26f0cf8740722f17ac175d1da3abe85a7dcab389459e8

      SHA512

      039e1ac5b8c324fba4be5a80128a0764336e790969c2b7ae22e308a12aed47e20c4a647c53cef2b353a3cf952c8e9dfb4c7a8edf16d00980caf8bcf34459bb22

    • \Users\Admin\AppData\Local\Temp\IXP000.TMP\456.exe

      Filesize

      634KB

      MD5

      73f2c3940d71ea34923e274b6935abfc

      SHA1

      0e79d8e82ccfeef2898b144188035cfde26616d4

      SHA256

      06f3c70980a2c6553c046c526fa18f282adeaa660eeedd16b85c7cbd4e888fea

      SHA512

      5b8ee88495cd14268923c0f4f64778c0ec0c9d435ec124e791fab21b59c9a98cdd78d47508a7b3ac3e5b4c071b4e894eff716cae8d9da1c594276bf430d04efe

    • \Users\Admin\AppData\Local\Temp\IXP000.TMP\NOTEPAD.EXE

      Filesize

      65KB

      MD5

      c9f225f98574759e377bce6d87958c9c

      SHA1

      3a23ac5865ea5ac89d87b4219646a1cee5820ac1

      SHA256

      7834f55bcff4d30d7b778bceea618cfd23cf4f184f7db6b74d1b49bbcf6c0560

      SHA512

      d9ffd8ba019cde8e7d71b6c208f2b949e271527373458fee48e461e49ff096d32361d372a48aaa84b153847dd75c79a99e23f8fa450c888aae180bb3e2dc4c1b

    • memory/2376-12-0x0000000000700000-0x00000000007AA000-memory.dmp

      Filesize

      680KB

    • memory/2376-11-0x0000000000700000-0x00000000007AA000-memory.dmp

      Filesize

      680KB

    • memory/2464-30-0x0000000000400000-0x00000000004AA000-memory.dmp

      Filesize

      680KB

    • memory/2464-18-0x0000000000400000-0x00000000004AA000-memory.dmp

      Filesize

      680KB

    • memory/2464-19-0x0000000000400000-0x00000000004AA000-memory.dmp

      Filesize

      680KB

    • memory/2464-24-0x0000000003AF0000-0x0000000003B00000-memory.dmp

      Filesize

      64KB

    • memory/2464-16-0x0000000000454000-0x0000000000455000-memory.dmp

      Filesize

      4KB

    • memory/2464-13-0x0000000000400000-0x00000000004AA000-memory.dmp

      Filesize

      680KB

    • memory/2464-31-0x0000000003C30000-0x0000000003DCD000-memory.dmp

      Filesize

      1.6MB

    • memory/2464-17-0x0000000000400000-0x00000000004AA000-memory.dmp

      Filesize

      680KB

    • memory/2792-43-0x0000000000400000-0x000000000059D000-memory.dmp

      Filesize

      1.6MB

    • memory/2792-44-0x0000000000C10000-0x0000000000DAD000-memory.dmp

      Filesize

      1.6MB

    • memory/2792-45-0x0000000000400000-0x000000000059D000-memory.dmp

      Filesize

      1.6MB

    • memory/2792-47-0x0000000000400000-0x000000000059D000-memory.dmp

      Filesize

      1.6MB