Analysis

max time kernel: 95s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/01/2025, 15:11
Behavioral task: behavioral1
Sample: JaffaCakes118_40dc55f1536a246b022472f447620235.exe
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: JaffaCakes118_40dc55f1536a246b022472f447620235.exe
Resource: win10v2004-20241007-en
General

Target: JaffaCakes118_40dc55f1536a246b022472f447620235.exe
Size: 80KB
MD5: 40dc55f1536a246b022472f447620235
SHA1: d66c85b2b679eb1ce9c131f5bf2fc95846105b10
SHA256: e8ed6adb9f041680de3f74491a5e89bc53cdf872c0eee307fc1ef52ec3118e14
SHA512: e182d825bd0c12c405e590d251631c631bb50544b56d21fec288fdcaa676f724c3bcb168a84e684dc59ea30d92e76bf7a58fc605a16e8316d2f65d20dd49c2ac
SSDEEP: 1536:EjL+8BjYq/dq7wUpTTy/Av+8BjYq/dq7wUpTTy/E:Ef+8bQ/Ry/O+8bQ/Ry/
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modiloader family

ModiLoader Second Stage (1 IoC)
resource: behavioral2/memory/1856-20-0x0000000000400000-0x000000000041B000-memory.dmp
yara_rule: modiloader_stage2

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation (process: JaffaCakes118_40dc55f1536a246b022472f447620235.exe)

Executes dropped EXE (1 IoC)
PID 1728: server.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JaffaCakes118_40dc55f1536a246b022472f447620235.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: server.exe)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
PID 1728: server.exe (4 occurrences)

Suspicious use of WriteProcessMemory (9 IoCs)
PID 1856 (JaffaCakes118_40dc55f1536a246b022472f447620235.exe) wrote to memory of PID 1728, procid_target 83 (3 occurrences)
PID 1728 (server.exe) wrote to memory of PID 3420, procid_target 56 (6 occurrences)
Processes

C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 3420

    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dc55f1536a246b022472f447620235.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dc55f1536a246b022472f447620235.exe"
        PID: 1856
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\server.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
            PID: 1728
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 28KB
MD5: e278df043a74086cf5b16328f47ab25d
SHA1: e67a644885cbdbb3740956fa2523ac7ef7da8165
SHA256: a3797ecbb2bd4466de8c702f763f1e058303216bcb5135566a90dff6a1d2643a
SHA512: 404e1450094e751ad80b9e52d2feccc25fbb045b6bdd50e5438b4c4722fa61f2575703810ea019994ed833c5e09f93e6bd3f533e765a359de7543de5c15a8e89

File 2
Filesize: 28KB
MD5: 723fc73467d4c8e79f615bb510d2ce1d
SHA1: 19ea3c5221b035643cba3844c2a41edaa03eb87a
SHA256: 063481090a49a80feed9c88f8ca62f7f6919fff2adea4309323fdeb3d79f3ddd
SHA512: e0acec47316335264bbf7f020f05784d3ac3cb6765cfda812df0c5a991575a38992333c5e74d43bbb69a0f6275777a9deadbcb4464704b9e6aa1ca39acc03b22