Analysis
- max time kernel: 117s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04-07-2024 23:55
Static task: static1
Behavioral task: behavioral1
  Sample: 26b63ca40c4e0b6c117a5f29131801d7_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 26b63ca40c4e0b6c117a5f29131801d7_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General
- Target: 26b63ca40c4e0b6c117a5f29131801d7_JaffaCakes118.exe
- Size: 793KB
- MD5: 26b63ca40c4e0b6c117a5f29131801d7
- SHA1: 41c0bebca37b23eb1cba9187bb1e61a7fa55ef5a
- SHA256: 18ddc9b5ae98b6c30b1ff139da7520dbbb8ee0410108b62b6a45c397a4d63cb1
- SHA512: 34553912380a2c670320c7a779b3a53a709b9dc81533cdce21a5bd8639643901e8038bed18aeb7c3e3606030b4ca2915d999a0cb0d32230cbf9d60ec1a51c355
- SSDEEP: 24576:2j7dEzLqVegFntK82DyptPT3AXKJUHpTagtsRBiFGTX:C7UqVegFUvDy/PT3AXKJUHpTagtsRBiU
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (1 IoC)
  Processes:
    resource: behavioral1/memory/2076-4-0x0000000000400000-0x00000000004D0000-memory.dmp
    yara_rule: modiloader_stage2
- Drops file in Program Files directory (1 IoC)
  Processes:
    description: File created
    ioc: C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt
    process: 26b63ca40c4e0b6c117a5f29131801d7_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (the same event was recorded 4 times):
    description: PID 2076 wrote to memory of 2384
    pid: 2076
    process: 26b63ca40c4e0b6c117a5f29131801d7_JaffaCakes118.exe
    target process: IEXPLORE.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\26b63ca40c4e0b6c117a5f29131801d7_JaffaCakes118.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\26b63ca40c4e0b6c117a5f29131801d7_JaffaCakes118.exe"
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\program files\internet explorer\IEXPLORE.EXE (depth 2, child of the process above)
    command line: "C:\program files\internet explorer\IEXPLORE.EXE"
Network
MITRE ATT&CK Matrix
Downloads
- memory/2076-0-0x0000000000400000-0x00000000004D0000-memory.dmp  Filesize: 832KB
- memory/2076-2-0x0000000000660000-0x0000000000661000-memory.dmp  Filesize: 4KB
- memory/2076-3-0x0000000000415000-0x0000000000416000-memory.dmp  Filesize: 4KB
- memory/2076-4-0x0000000000400000-0x00000000004D0000-memory.dmp  Filesize: 832KB