Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 27/01/2025, 20:51
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_4392aa94cdcbc149255da7fd3b7c5ce3.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_4392aa94cdcbc149255da7fd3b7c5ce3.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_4392aa94cdcbc149255da7fd3b7c5ce3.exe
- Size: 184KB
- MD5: 4392aa94cdcbc149255da7fd3b7c5ce3
- SHA1: 36cee175effed400666486c72d08ea6ba06930fa
- SHA256: c6b8d4ccff474538b855894be5afe5cf0a5ffec5382d7350af6e0b06525c1376
- SHA512: fe75a3e6bf1ec43a160fe18d347d8742986e00101d9612a2ab3c20ed2a2dbee1e9375c75365000c4203fd293c7a0594f37680864688a33531ae9b50b0200a9ac
- SSDEEP: 3072:K2n+9E5MTxw7HeVk18ctLDxNckysDFD8XulT1TaJAYmbQ:O6qcZDTcwDV8gImb
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Modiloader family
ModiLoader Second Stage (2 IoCs)
resource | yara_rule
- behavioral1/memory/2728-12-0x0000000000400000-0x000000000046C000-memory.dmp | modiloader_stage2
- behavioral1/memory/2728-11-0x0000000000400000-0x000000000046C000-memory.dmp | modiloader_stage2
Executes dropped EXE (1 IoC)
pid | Process
- 2804 | Winservices.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysServices = "C:\\Windows\\Winservices.exe" | cmd.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
- PID 2316 set thread context of 2728 | 2316 | JaffaCakes118_4392aa94cdcbc149255da7fd3b7c5ce3.exe | 30
resource | yara_rule
- behavioral1/memory/2728-4-0x0000000000400000-0x000000000046C000-memory.dmp | upx
- behavioral1/memory/2728-8-0x0000000000400000-0x000000000046C000-memory.dmp | upx
- behavioral1/memory/2728-5-0x0000000000400000-0x000000000046C000-memory.dmp | upx
- behavioral1/memory/2728-12-0x0000000000400000-0x000000000046C000-memory.dmp | upx
- behavioral1/memory/2728-11-0x0000000000400000-0x000000000046C000-memory.dmp | upx
- behavioral1/memory/2728-10-0x0000000000400000-0x000000000046C000-memory.dmp | upx
- behavioral1/memory/2728-9-0x0000000000400000-0x000000000046C000-memory.dmp | upx
Drops file in Windows directory (2 IoCs)
description | ioc | Process
- File created | C:\Windows\Winservices.exe | cmd.exe
- File opened for modification | C:\Windows\Winservices.exe | cmd.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_4392aa94cdcbc149255da7fd3b7c5ce3.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Winservices.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
- 2316 | JaffaCakes118_4392aa94cdcbc149255da7fd3b7c5ce3.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
- PID 2316 wrote to memory of 2728 | 2316 | JaffaCakes118_4392aa94cdcbc149255da7fd3b7c5ce3.exe | 30
- PID 2316 wrote to memory of 2728 | 2316 | JaffaCakes118_4392aa94cdcbc149255da7fd3b7c5ce3.exe | 30
- PID 2316 wrote to memory of 2728 | 2316 | JaffaCakes118_4392aa94cdcbc149255da7fd3b7c5ce3.exe | 30
- PID 2316 wrote to memory of 2728 | 2316 | JaffaCakes118_4392aa94cdcbc149255da7fd3b7c5ce3.exe | 30
- PID 2316 wrote to memory of 2728 | 2316 | JaffaCakes118_4392aa94cdcbc149255da7fd3b7c5ce3.exe | 30
- PID 2316 wrote to memory of 2728 | 2316 | JaffaCakes118_4392aa94cdcbc149255da7fd3b7c5ce3.exe | 30
- PID 2316 wrote to memory of 2728 | 2316 | JaffaCakes118_4392aa94cdcbc149255da7fd3b7c5ce3.exe | 30
- PID 2316 wrote to memory of 2728 | 2316 | JaffaCakes118_4392aa94cdcbc149255da7fd3b7c5ce3.exe | 30
- PID 2728 wrote to memory of 2804 | 2728 | cmd.exe | 31
- PID 2728 wrote to memory of 2804 | 2728 | cmd.exe | 31
- PID 2728 wrote to memory of 2804 | 2728 | cmd.exe | 31
- PID 2728 wrote to memory of 2804 | 2728 | cmd.exe | 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4392aa94cdcbc149255da7fd3b7c5ce3.exe (command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4392aa94cdcbc149255da7fd3b7c5ce3.exe"), PID 2316
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (command line: "C:\Windows\system32\cmd.exe"), PID 2728, child of PID 2316
      - Adds Run key to start application
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Winservices.exe (command line: "C:\Windows\Winservices.exe"), PID 2804, child of PID 2728
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 295KB
- MD5: ad7b9c14083b52bc532fba5948342b98
- SHA1: ee8cbf12d87c4d388f09b4f69bed2e91682920b5
- SHA256: 17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae
- SHA512: e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1