Analysis
-
max time kernel
145s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
01-07-2024 10:07
General
-
Target
1ae1e9c3a2ec5820e2d96a278eac562e_JaffaCakes118.exe
-
Size
342KB
-
MD5
1ae1e9c3a2ec5820e2d96a278eac562e
-
SHA1
4b922229ca4b5a6743510965ddb652f9b3a26567
-
SHA256
e50552f530a6be498748859e8e65a5baaf2dc7f5287c2004b4fc076264469837
-
SHA512
5ed5d4ebcee83dcb203da62b1f9b24bcd11af179dd41edc32d24113c846e0782e7f45f2579fb7c1cfaf5273189e3f720d92c958d1a62dc3a94fcd3087210d89e
-
SSDEEP
6144:C4XQxS2b4Y7C1vtx/9xCVLGKwd63tPlQuk0+4ko2pftDv8wt3FeVBjxWOj:C4sVbj7CRP/9xsLtDtU0J2TkyFeVBlWA
Score
10/10
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 10 IoCs
-
Drops file in Windows directory 2 IoCs
-
Program crash 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ae1e9c3a2ec5820e2d96a278eac562e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1ae1e9c3a2ec5820e2d96a278eac562e_JaffaCakes118.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\cnm.exeC:\Windows\cnm.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\system32\calc.exe"3⤵
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\system32\calc.exe"3⤵
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\system32\calc.exe"3⤵
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\system32\calc.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 124⤵
- Program crash
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\system32\calc.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 124⤵
- Program crash
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\system32\calc.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 708 -s 124⤵
- Program crash
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\system32\calc.exe"3⤵
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\system32\calc.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 124⤵
- Program crash
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\system32\calc.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 124⤵
- Program crash
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\system32\calc.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 124⤵
- Program crash
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\system32\calc.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 124⤵
- Program crash
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\system32\calc.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 124⤵
- Program crash
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\system32\calc.exe"3⤵
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\system32\calc.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 124⤵
- Program crash
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\system32\calc.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 124⤵
- Program crash
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1012,i,17949988676391029604,13756926835471203788,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:81⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4436 -ip 44361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4732 -ip 47321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 708 -ip 7081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4648 -ip 46481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4716 -ip 47161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2116 -ip 21161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5088 -ip 50881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4316 -ip 43161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3328 -ip 33281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2120 -ip 21201⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\cnm.exeFilesize
342KB
MD51ae1e9c3a2ec5820e2d96a278eac562e
SHA14b922229ca4b5a6743510965ddb652f9b3a26567
SHA256e50552f530a6be498748859e8e65a5baaf2dc7f5287c2004b4fc076264469837
SHA5125ed5d4ebcee83dcb203da62b1f9b24bcd11af179dd41edc32d24113c846e0782e7f45f2579fb7c1cfaf5273189e3f720d92c958d1a62dc3a94fcd3087210d89e
-
memory/4436-16-0x0000000000400000-0x00000000004C1000-memory.dmpFilesize
772KB
-
memory/4732-0-0x00000000022F0000-0x00000000022F1000-memory.dmpFilesize
4KB
-
memory/4732-10-0x0000000000400000-0x00000000004C1000-memory.dmpFilesize
772KB
-
memory/4932-6-0x00000000022E0000-0x00000000022E1000-memory.dmpFilesize
4KB
-
memory/4932-12-0x0000000000400000-0x00000000004C1000-memory.dmpFilesize
772KB
-
memory/4932-15-0x00000000022E0000-0x00000000022E1000-memory.dmpFilesize
4KB