Analysis
max time kernel: 94s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-06-2024 10:46
Static task: static1
Behavioral task: behavioral1
  Sample: 19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe
Size: 380KB
MD5: 19d58529bd859c53f9520a9e2ed3a524
SHA1: 542ded1a740d41bc9df36df64703767008d87ab2
SHA256: e89a02b1742f58e50369e103f19f030dc1d31aff33f97dda2f35ef1a938cb7d5
SHA512: bbfa761b443f1243b21f479af77604d9809448636eccc83dc7f273f934ebe7b0d27164c15fb5b9064eeb26084acf4112e84056e14bfc3270578005db5afe3849
SSDEEP: 6144:S5emnohbdsdVnyAICBQP7C/aq1HgdxFFzFv9P9TqucPkzd2+9YwA2pIlt0uy0P:HmnQ2znHIC6P7C/pCd9BlPoF6vhYK8P
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that abuses legitimate cloud file-hosting services to fetch and stage other malware families.
-
ModiLoader Second Stage (2 IoCs)
resource | yara_rule
behavioral2/memory/2116-16-0x0000000000400000-0x00000000004BF000-memory.dmp | modiloader_stage2
behavioral2/memory/468-18-0x0000000000400000-0x00000000004BF000-memory.dmp | modiloader_stage2
-
Executes dropped EXE (1 IoC)
pid | process
468 | taskmger.exe
-
Drops file in System32 directory (2 IoCs)
description | ioc | process
File created | C:\Windows\SysWOW64\_taskmger.exe | taskmger.exe
File opened for modification | C:\Windows\SysWOW64\_taskmger.exe | taskmger.exe
-
Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 468 set thread context of 4592 | 468 | taskmger.exe | notepad.exe
-
Drops file in Windows directory (3 IoCs)
description | ioc | process
File created | C:\Windows\taskmger.exe | 19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe
File opened for modification | C:\Windows\taskmger.exe | 19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe
File created | C:\Windows\SxDel.bat | 19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe
-
Program crash (2 IoCs)
pid | pid_target | process
4012 | 468 | WerFault.exe
2416 | 4592 | WerFault.exe
-
Suspicious use of WriteProcessMemory (13 IoCs)
description | pid | process | target process
PID 2116 wrote to memory of 468 | 2116 | 19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe | taskmger.exe
PID 2116 wrote to memory of 468 | 2116 | 19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe | taskmger.exe
PID 2116 wrote to memory of 468 | 2116 | 19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe | taskmger.exe
PID 468 wrote to memory of 4592 | 468 | taskmger.exe | notepad.exe
PID 468 wrote to memory of 4592 | 468 | taskmger.exe | notepad.exe
PID 468 wrote to memory of 4592 | 468 | taskmger.exe | notepad.exe
PID 468 wrote to memory of 4592 | 468 | taskmger.exe | notepad.exe
PID 468 wrote to memory of 4592 | 468 | taskmger.exe | notepad.exe
PID 468 wrote to memory of 4260 | 468 | taskmger.exe | IEXPLORE.EXE
PID 468 wrote to memory of 4260 | 468 | taskmger.exe | IEXPLORE.EXE
PID 2116 wrote to memory of 208 | 2116 | 19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe | cmd.exe
PID 2116 wrote to memory of 208 | 2116 | 19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe | cmd.exe
PID 2116 wrote to memory of 208 | 2116 | 19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe | cmd.exe
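The WriteProcessMemory and SetThreadContext signatures above only become a finding when they are correlated: the same parent (taskmger.exe, PID 468) writes into notepad.exe (PID 4592) five times and then resets its thread context, which is the create-suspended / write / SetThreadContext / resume sequence of process hollowing. The script below is an added example, not code from the sandbox or from ModiLoader; it re-parses the report's own IoC records (copied into the constructed strings) and assumes the fixed record layout "PID <src> <verb> <dst> <src> <src_image> <dst_image>" seen on this page.

```python
"""Correlate flattened sandbox IoC records into a process-hollowing finding.

Added example (not part of the sandbox report or of ModiLoader itself).
The regex assumes the report's record layout:
    PID <src> <verb> <dst> <src> <src_image> <dst_image>
"""
import re
from collections import defaultdict

# Constructed input: the 13 WriteProcessMemory records from the report above.
WRITE_IOCS = """
PID 2116 wrote to memory of 468 2116 19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe taskmger.exe
PID 2116 wrote to memory of 468 2116 19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe taskmger.exe
PID 2116 wrote to memory of 468 2116 19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe taskmger.exe
PID 468 wrote to memory of 4592 468 taskmger.exe notepad.exe
PID 468 wrote to memory of 4592 468 taskmger.exe notepad.exe
PID 468 wrote to memory of 4592 468 taskmger.exe notepad.exe
PID 468 wrote to memory of 4592 468 taskmger.exe notepad.exe
PID 468 wrote to memory of 4592 468 taskmger.exe notepad.exe
PID 468 wrote to memory of 4260 468 taskmger.exe IEXPLORE.EXE
PID 468 wrote to memory of 4260 468 taskmger.exe IEXPLORE.EXE
PID 2116 wrote to memory of 208 2116 19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe cmd.exe
PID 2116 wrote to memory of 208 2116 19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe cmd.exe
PID 2116 wrote to memory of 208 2116 19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe cmd.exe
"""

# Constructed input: the single SetThreadContext record from the report above.
SETCTX_IOCS = """
PID 468 set thread context of 4592 468 taskmger.exe notepad.exe
"""

RECORD_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_records(text):
    """Return (verb, src_pid, dst_pid, src_image, dst_image) per record line."""
    out = []
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if m is None:
            continue  # tolerate header/separator lines that are not records
        out.append((m["verb"], int(m["src"]), int(m["dst"]),
                    m["src_img"], m["dst_img"]))
    return out


def write_counts(records):
    """Count WriteProcessMemory events per (writer_pid, target_pid) pair."""
    counts = defaultdict(int)
    for verb, src, dst, *_ in records:
        if verb == "wrote to memory of":
            counts[(src, dst)] += 1
    return dict(counts)


def hollowing_candidates(records):
    """Flag targets whose writer also reset their thread context.

    Hollowing = create suspended, WriteProcessMemory the payload in,
    SetThreadContext the new entry point, ResumeThread. A writer that never
    calls SetThreadContext on the same target (here the dropper spawning
    taskmger.exe and cmd.exe) looks like ordinary process creation and is
    deliberately not flagged.
    """
    writes = write_counts(records)
    findings = []
    for verb, src, dst, src_img, dst_img in records:
        if verb != "set thread context of":
            continue
        n = writes.get((src, dst), 0)
        if n:
            findings.append({
                "parent_pid": src, "parent": src_img,
                "target_pid": dst, "target": dst_img, "writes": n,
            })
    return findings


if __name__ == "__main__":
    recs = parse_records(WRITE_IOCS) + parse_records(SETCTX_IOCS)
    for f in hollowing_candidates(recs):
        print(f"{f['parent']} ({f['parent_pid']}) hollowed {f['target']} "
              f"({f['target_pid']}) after {f['writes']} memory writes")
```

Run against this report it yields exactly one finding, taskmger.exe (468) into notepad.exe (4592). The two writes into IEXPLORE.EXE (4260) and the three into cmd.exe (208) are left alone because no SetThreadContext accompanies them; that keeps the check from firing on every parent that starts a child.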
Processes
[1] C:\Users\Admin\AppData\Local\Temp\19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\taskmger.exe
        cmdline: C:\Windows\taskmger.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\notepad.exe
            cmdline: "C:\Windows\system32\notepad.exe"
            [4] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 12
                - Program crash
        [3] C:\program files\internet explorer\IEXPLORE.EXE
            cmdline: "C:\program files\internet explorer\IEXPLORE.EXE"
        [3] C:\Windows\SysWOW64\WerFault.exe
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 656
            - Program crash
    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\SxDel.bat
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4592 -ip 4592
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 468 -ip 468
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Windows\SxDel.bat
  Filesize: 212B
  MD5: 02dae0fbbc649edcc12d1bdf5a49bf34
  SHA1: 06b23264ba12e1f8fcc0a9bb89ce0022d9988c74
  SHA256: e0f1c51db66cdc873201d0fa14df2da87bc1ff65e04fd6fc1ae50499b6265095
  SHA512: 58f806e4195244aef0657a71e4de2fd10191b98b5ced98447c7a1a87f55393e5b2ce88dd6f2ad2ccc9ff8e23f1b40760ee61e5efe6b49c5d2db845820b6c9bdf
-
C:\Windows\SysWOW64\_taskmger.exe
  Filesize: 380KB
  MD5: 19d58529bd859c53f9520a9e2ed3a524
  SHA1: 542ded1a740d41bc9df36df64703767008d87ab2
  SHA256: e89a02b1742f58e50369e103f19f030dc1d31aff33f97dda2f35ef1a938cb7d5
  SHA512: bbfa761b443f1243b21f479af77604d9809448636eccc83dc7f273f934ebe7b0d27164c15fb5b9064eeb26084acf4112e84056e14bfc3270578005db5afe3849
  Note: every hash matches the submitted sample, so _taskmger.exe is a byte-identical copy of the dropper staged under SysWOW64, not a second-stage payload.
-
memory/468-7-0x0000000000400000-0x00000000004BF000-memory.dmp
  Filesize: 764KB
-
memory/468-10-0x0000000002130000-0x0000000002131000-memory.dmp
  Filesize: 4KB
-
memory/468-18-0x0000000000400000-0x00000000004BF000-memory.dmp
  Filesize: 764KB
-
memory/2116-0-0x0000000000400000-0x00000000004BF000-memory.dmp
  Filesize: 764KB
-
memory/2116-1-0x0000000002270000-0x0000000002271000-memory.dmp
  Filesize: 4KB
-
memory/2116-16-0x0000000000400000-0x00000000004BF000-memory.dmp
  Filesize: 764KB
-
memory/4592-11-0x0000000000400000-0x00000000004BF000-memory.dmp
  Filesize: 764KB