Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 19:16
Behavioral task: behavioral1
- Sample: 1c309851083983587ffe62b1c6a7cf18_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 1c309851083983587ffe62b1c6a7cf18_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 1c309851083983587ffe62b1c6a7cf18_JaffaCakes118.exe
- Size: 98KB
- MD5: 1c309851083983587ffe62b1c6a7cf18
- SHA1: 48b9622b9c32b2c153c5b131846be0af73513251
- SHA256: d1c21ad3d39f1c3502a800d1d082f31fb4ca78c519b75c5c82148fc7f23fac55
- SHA512: 80db99c16ed9c4b521dbaea3b692e4bf75ab8a00653e053dbaddcd1cb5173f384d34f1d3b21a08ae535d79a8c57ecb4c7d950fde41a2e734bda983785a80ad6b
- SSDEEP: 3072:G3quF7c3jHz7YInISas6+ZLxkauVFXri:mJc3j/p++ZLxkdnXr
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage (5 IoCs)
Processes:
resource | yara_rule
- behavioral1/memory/1212-0-0x0000000000010000-0x0000000000036000-memory.dmp | modiloader_stage2
- behavioral1/memory/1928-11-0x0000000000010000-0x0000000000036000-memory.dmp | modiloader_stage2
- behavioral1/memory/1212-7-0x0000000000010000-0x0000000000036000-memory.dmp | modiloader_stage2
- behavioral1/memory/1928-13-0x0000000000010000-0x0000000000036000-memory.dmp | modiloader_stage2
- behavioral1/memory/1212-14-0x00000000002A0000-0x00000000002C6000-memory.dmp | modiloader_stage2
-
Executes dropped EXE (1 IoC)
Processes:
pid | process
- 1928 | apocalyps32.exe
-
Processes:
resource | yara_rule
- behavioral1/memory/1212-0-0x0000000000010000-0x0000000000036000-memory.dmp | upx
- C:\Windows\apocalyps32.exe | upx
- behavioral1/memory/1928-11-0x0000000000010000-0x0000000000036000-memory.dmp | upx
- behavioral1/memory/1212-8-0x00000000002A0000-0x00000000002C6000-memory.dmp | upx
- behavioral1/memory/1212-7-0x0000000000010000-0x0000000000036000-memory.dmp | upx
- behavioral1/memory/1928-13-0x0000000000010000-0x0000000000036000-memory.dmp | upx
- behavioral1/memory/1212-14-0x00000000002A0000-0x00000000002C6000-memory.dmp | upx
-
Drops file in Windows directory (3 IoCs)
Processes:
description | ioc | process
- File opened for modification | C:\Windows\apocalyps32.exe | 1c309851083983587ffe62b1c6a7cf18_JaffaCakes118.exe
- File created | C:\Windows\apocalyps32.exe | apocalyps32.exe
- File created | C:\Windows\apocalyps32.exe | 1c309851083983587ffe62b1c6a7cf18_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
- PID 1212 wrote to memory of 1928 | 1212 | 1c309851083983587ffe62b1c6a7cf18_JaffaCakes118.exe | apocalyps32.exe
- PID 1212 wrote to memory of 1928 | 1212 | 1c309851083983587ffe62b1c6a7cf18_JaffaCakes118.exe | apocalyps32.exe
- PID 1212 wrote to memory of 1928 | 1212 | 1c309851083983587ffe62b1c6a7cf18_JaffaCakes118.exe | apocalyps32.exe
- PID 1212 wrote to memory of 1928 | 1212 | 1c309851083983587ffe62b1c6a7cf18_JaffaCakes118.exe | apocalyps32.exe
- PID 1928 wrote to memory of 2988 | 1928 | apocalyps32.exe | iexplore.exe
- PID 1928 wrote to memory of 2988 | 1928 | apocalyps32.exe | iexplore.exe
- PID 1928 wrote to memory of 2988 | 1928 | apocalyps32.exe | iexplore.exe
- PID 1928 wrote to memory of 2988 | 1928 | apocalyps32.exe | iexplore.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1c309851083983587ffe62b1c6a7cf18_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1c309851083983587ffe62b1c6a7cf18_JaffaCakes118.exe"
  Depth: 1
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\apocalyps32.exe
    Command line: -bs
    Depth: 2
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Internet Explorer\iexplore.exe
      Command line: -bs
      Depth: 3
Network
MITRE ATT&CK Matrix
Downloads
- C:\Windows\apocalyps32.exe
  Filesize: 98KB
  MD5: 1c309851083983587ffe62b1c6a7cf18
  SHA1: 48b9622b9c32b2c153c5b131846be0af73513251
  SHA256: d1c21ad3d39f1c3502a800d1d082f31fb4ca78c519b75c5c82148fc7f23fac55
  SHA512: 80db99c16ed9c4b521dbaea3b692e4bf75ab8a00653e053dbaddcd1cb5173f384d34f1d3b21a08ae535d79a8c57ecb4c7d950fde41a2e734bda983785a80ad6b
- memory/1212-0-0x0000000000010000-0x0000000000036000-memory.dmp
  Filesize: 152KB
- memory/1212-8-0x00000000002A0000-0x00000000002C6000-memory.dmp
  Filesize: 152KB
- memory/1212-7-0x0000000000010000-0x0000000000036000-memory.dmp
  Filesize: 152KB
- memory/1212-14-0x00000000002A0000-0x00000000002C6000-memory.dmp
  Filesize: 152KB
- memory/1928-11-0x0000000000010000-0x0000000000036000-memory.dmp
  Filesize: 152KB
- memory/1928-13-0x0000000000010000-0x0000000000036000-memory.dmp
  Filesize: 152KB