Analysis
-
max time kernel
106s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20250313-en -
resource tags
arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system -
submitted
31/03/2025, 18:24
Behavioral task
behavioral1
Sample
JaffaCakes118_99bbdc1591815718fb050ac629433dec.exe
Resource
win10v2004-20250313-en
General
-
Target
JaffaCakes118_99bbdc1591815718fb050ac629433dec.exe
-
Size
1.4MB
-
MD5
99bbdc1591815718fb050ac629433dec
-
SHA1
0552f93ec09edc1a47ba3b7bd0cf3b6dc4e1bc6e
-
SHA256
3522c819e523456d22a080a1ae77e08ef196a67d9866b4b212e0688f20f195b7
-
SHA512
cca52cbb32504129bd4f2a2c624fba84bb225792d05bd501c79232be6a127172191033442049df717af9dca897d86c37bcd755a76b86ebee8e6c75dbb4ace328
-
SSDEEP
24576:82K3KT1yiPqwG4QIFTj/k13FlWZCOr3uc+HY5yG/AISjyIvLAtZHAaG1KnoQXM7C:8NaJyRcQSY1/WF3/wjyIvoHAacKnJXGK
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 2 IoCs
resource yara_rule behavioral1/memory/2576-17-0x0000000000400000-0x000000000071C000-memory.dmp modiloader_stage2 behavioral1/memory/2576-19-0x0000000000400000-0x000000000071C000-memory.dmp modiloader_stage2 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_99bbdc1591815718fb050ac629433dec.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process 2576 JaffaCakes118_99bbdc1591815718fb050ac629433dec.exe 2576 JaffaCakes118_99bbdc1591815718fb050ac629433dec.exe 2576 JaffaCakes118_99bbdc1591815718fb050ac629433dec.exe 2576 JaffaCakes118_99bbdc1591815718fb050ac629433dec.exe 2576 JaffaCakes118_99bbdc1591815718fb050ac629433dec.exe 2576 JaffaCakes118_99bbdc1591815718fb050ac629433dec.exe -
Suspicious use of SendNotifyMessage 6 IoCs
pid Process 2576 JaffaCakes118_99bbdc1591815718fb050ac629433dec.exe 2576 JaffaCakes118_99bbdc1591815718fb050ac629433dec.exe 2576 JaffaCakes118_99bbdc1591815718fb050ac629433dec.exe 2576 JaffaCakes118_99bbdc1591815718fb050ac629433dec.exe 2576 JaffaCakes118_99bbdc1591815718fb050ac629433dec.exe 2576 JaffaCakes118_99bbdc1591815718fb050ac629433dec.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_99bbdc1591815718fb050ac629433dec.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_99bbdc1591815718fb050ac629433dec.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2576
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
343B
MD547c1dcee24928c9b70e012f2c0421d22
SHA1c80cdc04f1b862862cf1541c3d64ae531d7359bd
SHA256dab0c828cc3bbfa3233b2c08a83308751a4830c251b647fe4d2b2b38f6b74451
SHA51258cede84d853ff612098b11e4eab4a5da8daa2237113847c9837e2ebdc121f105417f7637cce5a57f0eea534f294e58124b1088f4083a1d4c212e76b553182fd