Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20250207-en
resource tags: arch:x64, arch:x86, image:win7-20250207-en, locale:en-us, os:windows7-x64, system
submitted: 30/03/2025, 09:07
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_9873e6f797695204028324bf18613eb3.exe
  Resource: win7-20250207-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_9873e6f797695204028324bf18613eb3.exe
  Resource: win10v2004-20250314-en
General
Target: JaffaCakes118_9873e6f797695204028324bf18613eb3.exe
Size: 352KB
MD5: 9873e6f797695204028324bf18613eb3
SHA1: fbd90371157ffc6a10f89de323e5bea96fb6a772
SHA256: a0a01451e333a6cea0bc322cd7d9611ef7b7f2ccea1f13920939fae2ebba498d
SHA512: 95322ba7f77e791feb873badd8ef5a23d2134b58b864d87b171d1916a5a508a9a2807b03981732a7615262a5381b4152a7f979676f88552abcb3abe516d482f9
SSDEEP: 6144:MZXvpNAstNXy1tg75ON3OPN1eo5KF8Q5vQBfGFpMFf3iZusT2EKT18L6j9LT7Sk/:MZXvpNptNB75ON3OPNj5KF8RebMF3MLk
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage (9 IoCs)
  resource | yara_rule
  behavioral1/memory/2076-8-0x0000000000400000-0x0000000000433000-memory.dmp | modiloader_stage2
  behavioral1/memory/2076-10-0x0000000000400000-0x0000000000433000-memory.dmp | modiloader_stage2
  behavioral1/memory/2076-11-0x0000000000400000-0x0000000000433000-memory.dmp | modiloader_stage2
  behavioral1/memory/2076-24-0x0000000000400000-0x0000000000433000-memory.dmp | modiloader_stage2
  behavioral1/memory/1492-34-0x0000000000400000-0x0000000000433000-memory.dmp | modiloader_stage2
  behavioral1/memory/1492-35-0x0000000000400000-0x0000000000433000-memory.dmp | modiloader_stage2
  behavioral1/memory/1492-37-0x0000000000400000-0x0000000000433000-memory.dmp | modiloader_stage2
  behavioral1/memory/1492-36-0x0000000000400000-0x0000000000433000-memory.dmp | modiloader_stage2
  behavioral1/memory/1492-48-0x0000000000400000-0x0000000000433000-memory.dmp | modiloader_stage2
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\server = "C:\\Windows\\server.exe" | server.exe
  Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7Q8P5QT4-C6TT-AR66-LGST-MAEI23M3AOL6} | server.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7Q8P5QT4-C6TT-AR66-LGST-MAEI23M3AOL6}\StubPath = "\"C:\\Windows\\server.exe\"" | server.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  236 | server.exe
  1492 | server.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 1192 set thread context of 2076 | 1192 | JaffaCakes118_9873e6f797695204028324bf18613eb3.exe | 30
  PID 236 set thread context of 1492 | 236 | server.exe | 32
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\server.exe | JaffaCakes118_9873e6f797695204028324bf18613eb3.exe
  File opened for modification | C:\Windows\server.exe | JaffaCakes118_9873e6f797695204028324bf18613eb3.exe
  File opened for modification | C:\Windows\server.exe | server.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_9873e6f797695204028324bf18613eb3.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_9873e6f797695204028324bf18613eb3.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2076 | JaffaCakes118_9873e6f797695204028324bf18613eb3.exe
  1492 | server.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1192 | JaffaCakes118_9873e6f797695204028324bf18613eb3.exe
  236 | server.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9873e6f797695204028324bf18613eb3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9873e6f797695204028324bf18613eb3.exe"
   PID: 1192
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9873e6f797695204028324bf18613eb3.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9873e6f797695204028324bf18613eb3.exe
      PID: 2076
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\server.exe
         Command line: "C:\Windows\server.exe" \melt "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9873e6f797695204028324bf18613eb3.exe"
         PID: 236
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\server.exe
            Command line: C:\Windows\server.exe
            PID: 1492
            - Adds policy Run key to start application
            - Boot or Logon Autostart Execution: Active Setup
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            5. C:\Program Files\Internet Explorer\iexplore.exe
               Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
               PID: 2904
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)