Analysis
-
max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags
arch:x64  arch:x86  image:win7-20241023-en  locale:en-us  os:windows7-x64  system
submitted
27/01/2025, 15:11
Behavioral task
behavioral1
Sample
JaffaCakes118_40dc55f1536a246b022472f447620235.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
JaffaCakes118_40dc55f1536a246b022472f447620235.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_40dc55f1536a246b022472f447620235.exe
-
Size
80KB
-
MD5
40dc55f1536a246b022472f447620235
-
SHA1
d66c85b2b679eb1ce9c131f5bf2fc95846105b10
-
SHA256
e8ed6adb9f041680de3f74491a5e89bc53cdf872c0eee307fc1ef52ec3118e14
-
SHA512
e182d825bd0c12c405e590d251631c631bb50544b56d21fec288fdcaa676f724c3bcb168a84e684dc59ea30d92e76bf7a58fc605a16e8316d2f65d20dd49c2ac
-
SSDEEP
1536:EjL+8BjYq/dq7wUpTTy/Av+8BjYq/dq7wUpTTy/E:Ef+8bQ/Ry/O+8bQ/Ry/
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 1 IoCs
resource    yara_rule
behavioral1/memory/2652-21-0x0000000000400000-0x000000000041B000-memory.dmp    modiloader_stage2
Executes dropped EXE 1 IoCs
pid    Process
2532   server.exe
Loads dropped DLL 2 IoCs
pid    Process
2652   JaffaCakes118_40dc55f1536a246b022472f447620235.exe
2652   JaffaCakes118_40dc55f1536a246b022472f447620235.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description    ioc    Process
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    JaffaCakes118_40dc55f1536a246b022472f447620235.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid    Process
2532   server.exe
2532   server.exe
Suspicious use of WriteProcessMemory 10 IoCs
description                          pid    Process                                               procid_target
PID 2652 wrote to memory of 2532     2652   JaffaCakes118_40dc55f1536a246b022472f447620235.exe   31
PID 2652 wrote to memory of 2532     2652   JaffaCakes118_40dc55f1536a246b022472f447620235.exe   31
PID 2652 wrote to memory of 2532     2652   JaffaCakes118_40dc55f1536a246b022472f447620235.exe   31
PID 2652 wrote to memory of 2532     2652   JaffaCakes118_40dc55f1536a246b022472f447620235.exe   31
PID 2532 wrote to memory of 1212     2532   server.exe                                            21
PID 2532 wrote to memory of 1212     2532   server.exe                                            21
PID 2532 wrote to memory of 1212     2532   server.exe                                            21
PID 2532 wrote to memory of 1212     2532   server.exe                                            21
PID 2532 wrote to memory of 1212     2532   server.exe                                            21
PID 2532 wrote to memory of 1212     2532   server.exe                                            21
Processes
-
C:\Windows\Explorer.EXE (PID 1212)
  command line: C:\Windows\Explorer.EXE
  -
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dc55f1536a246b022472f447620235.exe (PID 2652)
    command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dc55f1536a246b022472f447620235.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    -
    C:\Users\Admin\AppData\Local\Temp\server.exe (PID 2532)
      command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
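The two WriteProcessMemory IoCs above are not equivalent: the sample writing into server.exe is a parent writing into the dropped child it has just started, while server.exe writing into Explorer.EXE (PID 1212, its grandparent) is cross-process injection into the shell. As an added example that is not part of this report or of the sandbox's tooling, the Python below takes the IoC lines and the process tree as transcribed from this page, collapses the repeated entries into per-edge counts, labels each edge by its relation in the tree, and also pulls the pid and region size out of the stage-2 memory dump name. The PROCESSES map, the line regexes and the child/ancestor/unrelated classification are assumptions of mine for this illustration, not a Triage data format or API.

```python
import ntpath
import re
from collections import Counter

# Added example: classify the WriteProcessMemory IoCs from the behavioral1
# run above. All inputs are transcribed from the report by hand; a real
# pipeline would read the sandbox's JSON instead.

# Processes section: pid -> (image path, parent pid). Explorer.EXE (1212) is
# the sandbox shell and the root of the tree.
PROCESSES = {
    1212: (r"C:\Windows\Explorer.EXE", None),
    2652: (r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dc55f1536a246b022472f447620235.exe", 1212),
    2532: (r"C:\Users\Admin\AppData\Local\Temp\server.exe", 2652),
}

# The ten IoC entries, in the flattened form
# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>".
WPM_IOCS = (
    ["PID 2652 wrote to memory of 2532 2652 JaffaCakes118_40dc55f1536a246b022472f447620235.exe 31"] * 4
    + ["PID 2532 wrote to memory of 1212 2532 server.exe 21"] * 6
)

# The ModiLoader stage-2 YARA hit: "<pid>-<n>-<start>-<end>-memory.dmp".
STAGE2_DUMP = "behavioral1/memory/2652-21-0x0000000000400000-0x000000000041B000-memory.dmp"

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")
DUMP_RE = re.compile(r"(\d+)-(\d+)-(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)-memory\.dmp$")


def parse_wpm(line):
    """Return (writer pid, target pid) from one WriteProcessMemory IoC line."""
    m = WPM_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised IoC line: {line!r}")
    src, dst, src_again, _image, _target_id = m.groups()
    if src != src_again:  # the description and pid columns must agree
        raise ValueError(f"pid columns disagree: {line!r}")
    return int(src), int(dst)


def ancestors(pid, processes):
    """Set of ancestor pids of `pid`, following parent links up to the root."""
    seen = set()
    parent = processes.get(pid, (None, None))[1]
    while parent is not None and parent not in seen:
        seen.add(parent)
        parent = processes.get(parent, (None, None))[1]
    return seen


def classify_writes(iocs, processes):
    """Collapse repeated IoCs into (src, dst) edges and label each edge.

    child     writer is the target's parent (a loader writing into the EXE
              it just dropped and started)
    ancestor  writer is injecting into one of its own ancestors
    unrelated no parent/child relation in the reported tree
    Only 'child' is what an ordinary loader does; the other two are the
    injection alerts.
    """
    counts = Counter(parse_wpm(line) for line in iocs)
    edges = []
    for (src, dst), n in sorted(counts.items()):
        if processes.get(dst, (None, None))[1] == src:
            kind = "child"
        elif dst in ancestors(src, processes):
            kind = "ancestor"
        else:
            kind = "unrelated"
        edges.append({
            "src": src, "src_image": ntpath.basename(processes[src][0]),
            "dst": dst, "dst_image": ntpath.basename(processes[dst][0]),
            "count": n, "kind": kind, "alert": kind != "child",
        })
    return edges


def parse_dump_name(name):
    """Pid, start address and region size encoded in a memory dump name."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    pid, _n, start, end = m.groups()
    return {"pid": int(pid), "start": int(start, 16), "size": int(end, 16) - int(start, 16)}


if __name__ == "__main__":
    for e in classify_writes(WPM_IOCS, PROCESSES):
        flag = "ALERT" if e["alert"] else "ok   "
        print(f"{flag} {e['src_image']}({e['src']}) -> {e['dst_image']}({e['dst']}) "
              f"x{e['count']} [{e['kind']}]")
    d = parse_dump_name(STAGE2_DUMP)
    print(f"stage-2 YARA hit in pid {d['pid']} at {d['start']:#x}, {d['size']:#x} bytes")
```

Run as a script it prints one line per edge, with only the server.exe to Explorer.EXE edge flagged. The dump name only says where in PID 2652 the modiloader_stage2 rule matched (a 0x1B000-byte region at 0x400000); it says nothing about what was written into Explorer.EXE, which this report does not show.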
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
28KB
MD5
723fc73467d4c8e79f615bb510d2ce1d
SHA1
19ea3c5221b035643cba3844c2a41edaa03eb87a
SHA256
063481090a49a80feed9c88f8ca62f7f6919fff2adea4309323fdeb3d79f3ddd
SHA512
e0acec47316335264bbf7f020f05784d3ac3cb6765cfda812df0c5a991575a38992333c5e74d43bbb69a0f6275777a9deadbcb4464704b9e6aa1ca39acc03b22