Analysis
- max time kernel: 140s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 27-06-2024 23:47
Behavioral task: behavioral1
- Sample: 17fffdf52e92d4675a06f602015b286e_JaffaCakes118.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 17fffdf52e92d4675a06f602015b286e_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 17fffdf52e92d4675a06f602015b286e_JaffaCakes118.exe
- Size: 54KB
- MD5: 17fffdf52e92d4675a06f602015b286e
- SHA1: 6d072eacd68829f8fd673ff9e6dc186be0a8c0f1
- SHA256: b9bdbb2ec4295354c71033d638b8b555cfd4f77f70580826a9a02c5989862d41
- SHA512: 1b116cb8a1184eeea1cc1514a6c46f4ce86ca4dfdcac63ab51fe83c395567d6818fdc15c25978b8dbd5e68d97c2518ee673b002c38b934d5eaafc6269ab05eaf
- SSDEEP: 768:JJcUTqFQm109y2gKu1NIVQ5Ot364K4i4VQ0+hDLN5Dmp8UdQBOxPY8Hgc0Xes:g8qFQW09kx1LuaN5Dmp8U6oI
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (4 IoCs)
  Matched resources (yara_rule: modiloader_stage2):
  - behavioral1/memory/2220-1-0x0000000000010000-0x0000000000025000-memory.dmp
  - \Users\Admin\AppData\Local\Temp\kacir.dll
  - behavioral1/memory/2220-8-0x0000000000010000-0x0000000000025000-memory.dmp
  - behavioral1/memory/2220-9-0x0000000000400000-0x000000000040B000-memory.dmp
- Loads dropped DLL (2 IoCs)
  Processes:
  - pid 2220: 17fffdf52e92d4675a06f602015b286e_JaffaCakes118.exe
  - pid 1336: WerFault.exe
- Program crash (1 IoC)
  Processes:
  - pid 1336 (WerFault.exe), target pid 2220 (17fffdf52e92d4675a06f602015b286e_JaffaCakes118.exe)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  - PID 2220 (17fffdf52e92d4675a06f602015b286e_JaffaCakes118.exe) wrote to memory of 1336 (WerFault.exe)
  - PID 2220 (17fffdf52e92d4675a06f602015b286e_JaffaCakes118.exe) wrote to memory of 1336 (WerFault.exe)
  - PID 2220 (17fffdf52e92d4675a06f602015b286e_JaffaCakes118.exe) wrote to memory of 1336 (WerFault.exe)
  - PID 2220 (17fffdf52e92d4675a06f602015b286e_JaffaCakes118.exe) wrote to memory of 1336 (WerFault.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\17fffdf52e92d4675a06f602015b286e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17fffdf52e92d4675a06f602015b286e_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 128
    - Loads dropped DLL
    - Program crash
Network
MITRE ATT&CK Matrix
Downloads
- \Users\Admin\AppData\Local\Temp\kacir.dll
  Filesize: 19KB
  MD5: dda37de6068ad16771e3a6464bb8778b
  SHA1: 903317703bfcd07e9bea7246920de98916017e08
  SHA256: e5fa2290f69a152c53dec772142ddb3d4c04cb2ee25ad05b0ec97ab202361f11
  SHA512: 1d38ba967b34c6d48b8048bf282484bc6c8d6f3644a127a8102d3edbcf5dd854744da7e8f15b10b93b6124db634a7c891c1c175fca8a7b2e6810fc204132ea05
- memory/2220-1-0x0000000000010000-0x0000000000025000-memory.dmp
  Filesize: 84KB
- memory/2220-8-0x0000000000010000-0x0000000000025000-memory.dmp
  Filesize: 84KB
- memory/2220-9-0x0000000000400000-0x000000000040B000-memory.dmp
  Filesize: 44KB