Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    27/01/2025, 15:11

General

  • Target

    JaffaCakes118_40dc55f1536a246b022472f447620235.exe

  • Size

    80KB

  • MD5

    40dc55f1536a246b022472f447620235

  • SHA1

    d66c85b2b679eb1ce9c131f5bf2fc95846105b10

  • SHA256

    e8ed6adb9f041680de3f74491a5e89bc53cdf872c0eee307fc1ef52ec3118e14

  • SHA512

    e182d825bd0c12c405e590d251631c631bb50544b56d21fec288fdcaa676f724c3bcb168a84e684dc59ea30d92e76bf7a58fc605a16e8316d2f65d20dd49c2ac

  • SSDEEP

    1536:EjL+8BjYq/dq7wUpTTy/Av+8BjYq/dq7wUpTTy/E:Ef+8bQ/Ry/O+8bQ/Ry/

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • ModiLoader Second Stage 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dc55f1536a246b022472f447620235.exe
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dc55f1536a246b022472f447620235.exe"
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Users\Admin\AppData\Local\Temp\server.exe
          "C:\Users\Admin\AppData\Local\Temp\server.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2532

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • \Users\Admin\AppData\Local\Temp\server.exe

            Filesize

            28KB

            MD5

            723fc73467d4c8e79f615bb510d2ce1d

            SHA1

            19ea3c5221b035643cba3844c2a41edaa03eb87a

            SHA256

            063481090a49a80feed9c88f8ca62f7f6919fff2adea4309323fdeb3d79f3ddd

            SHA512

            e0acec47316335264bbf7f020f05784d3ac3cb6765cfda812df0c5a991575a38992333c5e74d43bbb69a0f6275777a9deadbcb4464704b9e6aa1ca39acc03b22

          • memory/1212-12-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

            Filesize

            4KB

          • memory/1212-22-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

            Filesize

            24KB

          • memory/2532-15-0x0000000010000000-0x0000000010011000-memory.dmp

            Filesize

            68KB

          • memory/2532-34-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

          • memory/2652-4-0x0000000002390000-0x0000000002399000-memory.dmp

            Filesize

            36KB

          • memory/2652-21-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB