Analysis
- max time kernel: 145s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07/04/2024, 21:43
Static task: static1
Behavioral task: behavioral1
- Sample: e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
- Resource: win10v2004-20240319-en
General
- Target: e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
- Size: 189KB
- MD5: e5ec659cf211fb86b002bdfc8bafa71b
- SHA1: 036fda53c0696ac9a0e3efb24a9b11460df09290
- SHA256: 99144a3062341ff040436600132a45ba917b8661e4128094e6f0550f7707a012
- SHA512: b7587b2a63cc9cefb69badcabb8dbdb29fe248518ddd9f95a39e4b1514c2431a04f465391aaf0c56ade5fdaea89cd4033997bb68e9dbeab5327387ec5a9252e2
- SSDEEP: 3072:b/I0NfZAp5tPeAFtzcSsXie+ZZ9w6eo4OxCLzx2g437U:7IsZOnxchSep6eo4OGx2gC7U
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- UAC bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
- ModiLoader Second Stage 18 IoCs
  resource | yara_rule
  behavioral1/memory/2168-5-0x0000000000400000-0x000000000044F000-memory.dmp | modiloader_stage2
  behavioral1/memory/2168-6-0x0000000000400000-0x000000000044F000-memory.dmp | modiloader_stage2
  behavioral1/memory/2168-9-0x0000000000400000-0x000000000044F000-memory.dmp | modiloader_stage2
  behavioral1/memory/2168-20-0x0000000000400000-0x000000000044F000-memory.dmp | modiloader_stage2
  behavioral1/memory/2168-23-0x0000000000400000-0x000000000044F000-memory.dmp | modiloader_stage2
  behavioral1/memory/2168-24-0x0000000000400000-0x000000000044F000-memory.dmp | modiloader_stage2
  behavioral1/memory/2168-27-0x0000000000400000-0x000000000044F000-memory.dmp | modiloader_stage2
  behavioral1/memory/2168-30-0x0000000000400000-0x000000000044F000-memory.dmp | modiloader_stage2
  behavioral1/memory/2168-33-0x0000000000400000-0x000000000044F000-memory.dmp | modiloader_stage2
  behavioral1/memory/2168-36-0x0000000000400000-0x000000000044F000-memory.dmp | modiloader_stage2
  behavioral1/memory/2168-39-0x0000000000400000-0x000000000044F000-memory.dmp | modiloader_stage2
  behavioral1/memory/2168-42-0x0000000000400000-0x000000000044F000-memory.dmp | modiloader_stage2
  behavioral1/memory/2168-45-0x0000000000400000-0x000000000044F000-memory.dmp | modiloader_stage2
  behavioral1/memory/2168-48-0x0000000000400000-0x000000000044F000-memory.dmp | modiloader_stage2
  behavioral1/memory/2168-51-0x0000000000400000-0x000000000044F000-memory.dmp | modiloader_stage2
  behavioral1/memory/2168-54-0x0000000000400000-0x000000000044F000-memory.dmp | modiloader_stage2
  behavioral1/memory/2168-57-0x0000000000400000-0x000000000044F000-memory.dmp | modiloader_stage2
  behavioral1/memory/2168-60-0x0000000000400000-0x000000000044F000-memory.dmp | modiloader_stage2
- Loads dropped DLL 2 IoCs
  pid | Process
  2168 | e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
  2168 | e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
- UPX (yara rule hits)
  resource | yara_rule
  behavioral1/memory/2168-2-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2168-4-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2168-5-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2168-6-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2168-9-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2168-20-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2168-23-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2168-24-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2168-27-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2168-30-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2168-33-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2168-36-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2168-39-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2168-42-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2168-45-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2168-48-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2168-51-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2168-54-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2168-57-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2168-60-0x0000000000400000-0x000000000044F000-memory.dmp | upx
- Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
- Suspicious use of SetThreadContext 1 IoCs
  description | pid | Process | procid_target
  PID 2380 set thread context of 2168 | 2380 | e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe | 28
- Drops file in Windows directory 1 IoCs
  description | ioc | Process
  File created | C:\Windows\VMPipe32.dll | e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 2168 | e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2168 | e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx 3 IoCs
  pid | Process
  2380 | e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
  2168 | e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
  2168 | e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  description | pid | Process | procid_target
  PID 2380 wrote to memory of 2168 | 2380 | e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe | 28
  PID 2380 wrote to memory of 2168 | 2380 | e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe | 28
  PID 2380 wrote to memory of 2168 | 2380 | e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe | 28
  PID 2380 wrote to memory of 2168 | 2380 | e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe | 28
  PID 2380 wrote to memory of 2168 | 2380 | e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe | 28
  PID 2380 wrote to memory of 2168 | 2380 | e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe | 28
  PID 2380 wrote to memory of 2168 | 2380 | e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe | 28
  PID 2380 wrote to memory of 2168 | 2380 | e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe | 28
  PID 2380 wrote to memory of 2168 | 2380 | e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe | 28
- System policy modification 1 TTPs 1 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe"
   PID: 2380
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe (child of PID 2380)
      Command line: C:\Users\Admin\AppData\Local\Temp\e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
      PID: 2168
      - UAC bypass
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - System policy modification
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 33KB
  MD5: ba8aaa1fad7e35b86ac143179b1616bd
  SHA1: b19789ed5256d829596f06d36c2f16dc95646412
  SHA256: 152786dde90388e45c73ce4fd5528ccb11deb2cf1e3a4c62fcb4ebc8fec7652c
  SHA512: 9d6e90450c566df7707062556dc6d0c6ec0b700b604726c62d439377d2a2ab11db04e02af957b10c38eb080c73c4630aaa67b1e59d05414a7bbf4188a10bde5a
- Filesize: 7KB
  MD5: 67587e25a971a141628d7f07bd40ffa0
  SHA1: 76fcd014539a3bb247cc0b761225f68bd6055f6b
  SHA256: e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
  SHA512: 6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350