Overview (score: 10)
Static (score: 10)

Target                Platform              Score
JaffaCakes...23.zip   windows7-x64          4
JaffaCakes...23.zip   windows10-2004-x64    1
Client.exe            windows7-x64          10
Client.exe            windows10-2004-x64    10
Editor.exe            windows7-x64          10
Editor.exe            windows10-2004-x64    10
OptixPRO T...an.pdf   windows7-x64          3
OptixPRO T...an.pdf   windows10-2004-x64    3
Server.exe            windows7-x64          10
Server.exe            windows10-2004-x64    10
README.vbs            windows7-x64          1
README.vbs            windows10-2004-x64    1
setup.ps1             windows7-x64          6
setup.ps1             windows10-2004-x64    6
subseven.ps1          windows7-x64          3
subseven.ps1          windows10-2004-x64    3

Analysis
max time kernel: 140s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-01-2025 00:50
Behavioral task   Sample                                               Resource
behavioral1       JaffaCakes118_08e454a691a4836663a117c9c43f6323.zip   win7-20241010-en
behavioral2       JaffaCakes118_08e454a691a4836663a117c9c43f6323.zip   win10v2004-20241007-en
behavioral3       Client.exe                                           win7-20240903-en
behavioral4       Client.exe                                           win10v2004-20241007-en
behavioral5       Editor.exe                                           win7-20240903-en
behavioral6       Editor.exe                                           win10v2004-20241007-en
behavioral7       OptixPRO Tutorial german.pdf                         win7-20240729-en
behavioral8       OptixPRO Tutorial german.pdf                         win10v2004-20241007-en
behavioral9       Server.exe                                           win7-20241010-en
behavioral10      Server.exe                                           win10v2004-20241007-en
behavioral11      README.vbs                                           win7-20241023-en
behavioral12      README.vbs                                           win10v2004-20241007-en
behavioral13      setup.ps1                                            win7-20240903-en
behavioral14      setup.ps1                                            win10v2004-20241007-en
behavioral15      subseven.ps1                                         win7-20240903-en
behavioral16      subseven.ps1                                         win10v2004-20241007-en
General
Target: Server.exe
Size: 871KB
MD5: 384104967fb35e3d459552f8bc104fae
SHA1: 97b85538978d75502744012a6b5f1023f09d4ed1
SHA256: a1b29d36cf876f7ef48d3902ca60f5f444c30bee0515e15bbc8ac04fedc3978e
SHA512: 8d16e3698e6baad4bfa4b048a564729e7ec5efc35dc1e7079466a8c811efb00015da43ad3b02d8a87d0a1fc4dc6bf3a54081ec422761517dada52211918c11e5
SSDEEP: 12288:OCnrin3t/UCdwfTnbJO1DMopqQMUsS39d9kRDuwKqS4NroyV3x6rFWlERpML0b:Nnrind/U4vqQ+S39daRDuUSUh6S6pMLa
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage (6 IoCs)
  resource                                                                       yara_rule
  behavioral10/files/0x000c000000023b03-3.dat                                    modiloader_stage2
  behavioral10/memory/2832-6-0x0000000000400000-0x00000000004DF000-memory.dmp    modiloader_stage2
  behavioral10/memory/1056-7-0x0000000000400000-0x00000000004DF000-memory.dmp    modiloader_stage2
  behavioral10/memory/1056-11-0x0000000000400000-0x00000000004DF000-memory.dmp   modiloader_stage2
  behavioral10/memory/1056-14-0x0000000000400000-0x00000000004DF000-memory.dmp   modiloader_stage2
  behavioral10/memory/1056-17-0x0000000000400000-0x00000000004DF000-memory.dmp   modiloader_stage2
- Executes dropped EXE (1 IoC)
  pid    Process
  1056   spooll32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description       ioc                                                                                                                  Process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vscanner = "c:\\windows\\spooll32.exe"   Server.exe
- Drops file in Windows directory (2 IoCs)
  description                    ioc                           Process
  File created                   \??\c:\windows\spooll32.exe   Server.exe
  File opened for modification   \??\c:\windows\spooll32.exe   Server.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Server.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   spooll32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid    Process
  2832   Server.exe     (2 entries)
  1056   spooll32.exe   (the remaining 62 entries, all identical)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   2832   Server.exe
  Token: SeDebugPrivilege   2832   Server.exe
  Token: SeDebugPrivilege   1056   spooll32.exe
  Token: SeDebugPrivilege   1056   spooll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid    Process      procid_target
  PID 2832 wrote to memory of 1056   2832   Server.exe   82
  PID 2832 wrote to memory of 1056   2832   Server.exe   82
  PID 2832 wrote to memory of 1056   2832   Server.exe   82
Processes
1. C:\Users\Admin\AppData\Local\Temp\Server.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
   PID: 2832
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. \??\c:\windows\spooll32.exe (child of PID 2832)
      Command line: c:\windows\spooll32.exe
      PID: 1056
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 871KB
MD5: 384104967fb35e3d459552f8bc104fae
SHA1: 97b85538978d75502744012a6b5f1023f09d4ed1
SHA256: a1b29d36cf876f7ef48d3902ca60f5f444c30bee0515e15bbc8ac04fedc3978e
SHA512: 8d16e3698e6baad4bfa4b048a564729e7ec5efc35dc1e7079466a8c811efb00015da43ad3b02d8a87d0a1fc4dc6bf3a54081ec422761517dada52211918c11e5