Analysis

  • max time kernel
    145s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    07/04/2024, 21:43

General

  • Target

    e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe

  • Size

    189KB

  • MD5

    e5ec659cf211fb86b002bdfc8bafa71b

  • SHA1

    036fda53c0696ac9a0e3efb24a9b11460df09290

  • SHA256

    99144a3062341ff040436600132a45ba917b8661e4128094e6f0550f7707a012

  • SHA512

    b7587b2a63cc9cefb69badcabb8dbdb29fe248518ddd9f95a39e4b1514c2431a04f465391aaf0c56ade5fdaea89cd4033997bb68e9dbeab5327387ec5a9252e2

  • SSDEEP

    3072:b/I0NfZAp5tPeAFtzcSsXie+ZZ9w6eo4OxCLzx2g437U:7IsZOnxchSep6eo4OGx2gC7U

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • UAC bypass 3 TTPs 1 IoCs
  • ModiLoader Second Stage 18 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Users\Admin\AppData\Local\Temp\e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
      2⤵
      • UAC bypass
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2168

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\cmsetac.dll

    Filesize

    33KB

    MD5

    ba8aaa1fad7e35b86ac143179b1616bd

    SHA1

    b19789ed5256d829596f06d36c2f16dc95646412

    SHA256

    152786dde90388e45c73ce4fd5528ccb11deb2cf1e3a4c62fcb4ebc8fec7652c

    SHA512

    9d6e90450c566df7707062556dc6d0c6ec0b700b604726c62d439377d2a2ab11db04e02af957b10c38eb080c73c4630aaa67b1e59d05414a7bbf4188a10bde5a

  • \Users\Admin\AppData\Local\Temp\ntdtcstp.dll

    Filesize

    7KB

    MD5

    67587e25a971a141628d7f07bd40ffa0

    SHA1

    76fcd014539a3bb247cc0b761225f68bd6055f6b

    SHA256

    e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

    SHA512

    6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

  • memory/2168-22-0x00000000007A0000-0x00000000007AE000-memory.dmp

    Filesize

    56KB

  • memory/2168-54-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2168-7-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

  • memory/2168-9-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2168-5-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2168-4-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2168-15-0x00000000007A0000-0x00000000007AE000-memory.dmp

    Filesize

    56KB

  • memory/2168-17-0x0000000077360000-0x0000000077450000-memory.dmp

    Filesize

    960KB

  • memory/2168-18-0x0000000000790000-0x0000000000791000-memory.dmp

    Filesize

    4KB

  • memory/2168-19-0x0000000075590000-0x00000000755A4000-memory.dmp

    Filesize

    80KB

  • memory/2168-20-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2168-24-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2168-6-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2168-2-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2168-21-0x0000000000750000-0x0000000000758000-memory.dmp

    Filesize

    32KB

  • memory/2168-27-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2168-30-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2168-33-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2168-36-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2168-39-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2168-42-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2168-45-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2168-48-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2168-51-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2168-23-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2168-57-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2168-60-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB