Analysis
-
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21/01/2025, 04:22
Behavioral task: behavioral1
Sample: JaffaCakes118_020b40f01a98e5b6ed96705163529faa.exe
Resource: win7-20240903-en
-
Behavioral task: behavioral2
Sample: JaffaCakes118_020b40f01a98e5b6ed96705163529faa.exe
Resource: win10v2004-20241007-en
General
-
Target: JaffaCakes118_020b40f01a98e5b6ed96705163529faa.exe
Size: 72KB
MD5: 020b40f01a98e5b6ed96705163529faa
SHA1: 4240b02cf37ab867e786f69f038401852dc1ac0e
SHA256: db4ba35b3aeae2d07b87004b202663bc3d78e29b0188db0d9321ffcfe7ded1c5
SHA512: afbd52f371bf514f7f87ed0ff1aacec8820f16c90b6e716d4a2f8d3c845aedc745235c58183740b773c824c1db606719bbcdfed971eeb62cb1942061f4eee46d
SSDEEP: 1536:adAyopai/zkM6ZTeCgZliNFJVPZ9kUbjS9M0um23ji:aOUQMJxgVW0u9W
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 1 IoCs
resource: behavioral1/memory/2980-10-0x0000000000400000-0x0000000000419000-memory.dmp
yara_rule: modiloader_stage2
-
Executes dropped EXE 1 IoCs
pid: 2996, Process: server.exe
-
Loads dropped DLL 5 IoCs
pid: 2980, Process: JaffaCakes118_020b40f01a98e5b6ed96705163529faa.exe
pid: 2928, Process: WerFault.exe
pid: 2928, Process: WerFault.exe
pid: 2928, Process: WerFault.exe
pid: 2928, Process: WerFault.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid: 2928, pid_target: 2996, Process: WerFault.exe, procid_target: 31
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: JaffaCakes118_020b40f01a98e5b6ed96705163529faa.exe
description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: DllHost.exe
description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: server.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid: 2316, Process: DllHost.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid: 2316, Process: DllHost.exe
pid: 2316, Process: DllHost.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description: PID 2980 wrote to memory of 2996, pid: 2980, Process: JaffaCakes118_020b40f01a98e5b6ed96705163529faa.exe, procid_target: 31
description: PID 2980 wrote to memory of 2996, pid: 2980, Process: JaffaCakes118_020b40f01a98e5b6ed96705163529faa.exe, procid_target: 31
description: PID 2980 wrote to memory of 2996, pid: 2980, Process: JaffaCakes118_020b40f01a98e5b6ed96705163529faa.exe, procid_target: 31
description: PID 2980 wrote to memory of 2996, pid: 2980, Process: JaffaCakes118_020b40f01a98e5b6ed96705163529faa.exe, procid_target: 31
description: PID 2996 wrote to memory of 2928, pid: 2996, Process: server.exe, procid_target: 32
description: PID 2996 wrote to memory of 2928, pid: 2996, Process: server.exe, procid_target: 32
description: PID 2996 wrote to memory of 2928, pid: 2996, Process: server.exe, procid_target: 32
description: PID 2996 wrote to memory of 2928, pid: 2996, Process: server.exe, procid_target: 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_020b40f01a98e5b6ed96705163529faa.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_020b40f01a98e5b6ed96705163529faa.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2980
    C:\Users\Admin\AppData\Local\Temp\server.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2996
        C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 120
        - Loads dropped DLL
        - Program crash
        PID: 2928
-
C:\Windows\SysWOW64\DllHost.exe
Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID: 2316
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1KB
MD5: 8279cbb7205a50d5402952084a5fc6a3
SHA1: 1949fea5e51b28cbdab449259109a039d9706d09
SHA256: 44d386d70b7553f398619c9a474992291f9a6db31722ca88978a53ed0661ec49
SHA512: 3557731d95bca36323ff9560082e571acf4ae7c4b443c73121c668de9f100ac4e4c978e88904db68e53e2f0118fbddedc905de63356fd7f7fd824223379a6690
-
Filesize: 58KB
MD5: 94832d355493f1b02c02bfb4f17a4173
SHA1: 7d70ab91c42dd5c20178abbae3f8cafcbac3a8c2
SHA256: f020dabf321c5090a7fe4b50a46c15de10740ac677bce0c0af54ebbae5c78c8d
SHA512: ec5c570b35f5082cd771b659968f4e1d38a234860ea24ab4b275e5f22269a4a8862e56bc9e70696d39a12553eb76028f2d527e564314d2a977f4dc2c4744623f