Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21/01/2025, 04:22

General

  • Target

    JaffaCakes118_020b40f01a98e5b6ed96705163529faa.exe

  • Size

    72KB

  • MD5

    020b40f01a98e5b6ed96705163529faa

  • SHA1

    4240b02cf37ab867e786f69f038401852dc1ac0e

  • SHA256

    db4ba35b3aeae2d07b87004b202663bc3d78e29b0188db0d9321ffcfe7ded1c5

  • SHA512

    afbd52f371bf514f7f87ed0ff1aacec8820f16c90b6e716d4a2f8d3c845aedc745235c58183740b773c824c1db606719bbcdfed971eeb62cb1942061f4eee46d

  • SSDEEP

    1536:adAyopai/zkM6ZTeCgZliNFJVPZ9kUbjS9M0um23ji:aOUQMJxgVW0u9W

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • ModiLoader Second Stage 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_020b40f01a98e5b6ed96705163529faa.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_020b40f01a98e5b6ed96705163529faa.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2996
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 120
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2928
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2316

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\images.jpg

    Filesize

    1KB

    MD5

    8279cbb7205a50d5402952084a5fc6a3

    SHA1

    1949fea5e51b28cbdab449259109a039d9706d09

    SHA256

    44d386d70b7553f398619c9a474992291f9a6db31722ca88978a53ed0661ec49

    SHA512

    3557731d95bca36323ff9560082e571acf4ae7c4b443c73121c668de9f100ac4e4c978e88904db68e53e2f0118fbddedc905de63356fd7f7fd824223379a6690

  • \Users\Admin\AppData\Local\Temp\server.exe

    Filesize

    58KB

    MD5

    94832d355493f1b02c02bfb4f17a4173

    SHA1

    7d70ab91c42dd5c20178abbae3f8cafcbac3a8c2

    SHA256

    f020dabf321c5090a7fe4b50a46c15de10740ac677bce0c0af54ebbae5c78c8d

    SHA512

    ec5c570b35f5082cd771b659968f4e1d38a234860ea24ab4b275e5f22269a4a8862e56bc9e70696d39a12553eb76028f2d527e564314d2a977f4dc2c4744623f

  • memory/2316-2-0x00000000001E0000-0x00000000001E2000-memory.dmp

    Filesize

    8KB

  • memory/2316-4-0x0000000000490000-0x0000000000491000-memory.dmp

    Filesize

    4KB

  • memory/2316-16-0x0000000000490000-0x0000000000491000-memory.dmp

    Filesize

    4KB

  • memory/2980-1-0x0000000000B20000-0x0000000000B22000-memory.dmp

    Filesize

    8KB

  • memory/2980-10-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB