Analysis
max time kernel: 147s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/04/2024, 21:43
Static task: static1
Behavioral task: behavioral1
  Sample: e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
  Resource: win10v2004-20240319-en
General
Target: e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
Size: 189KB
MD5: e5ec659cf211fb86b002bdfc8bafa71b
SHA1: 036fda53c0696ac9a0e3efb24a9b11460df09290
SHA256: 99144a3062341ff040436600132a45ba917b8661e4128094e6f0550f7707a012
SHA512: b7587b2a63cc9cefb69badcabb8dbdb29fe248518ddd9f95a39e4b1514c2431a04f465391aaf0c56ade5fdaea89cd4033997bb68e9dbeab5327387ec5a9252e2
SSDEEP: 3072:b/I0NfZAp5tPeAFtzcSsXie+ZZ9w6eo4OxCLzx2g437U:7IsZOnxchSep6eo4OGx2gC7U
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- UAC bypass
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  Process: e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
- ModiLoader Second Stage 19 IoCs
- Loads dropped DLL 4 IoCs
  pid: 1780
  Process: e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe (the same entry is recorded 4 times)
- Checks whether UAC is enabled
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  Process: e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
- Suspicious use of SetThreadContext 1 IoCs
  description: PID 3572 set thread context of 1780
  pid: 3572
  Process: e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
  procid_target: 93
- Drops file in Windows directory 1 IoCs
  description: File created
  ioc: C:\Windows\VMPipe32.dll
  Process: e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  description: Token: SeDebugPrivilege
  pid: 1780
  Process: e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe (the same entry is recorded 2 times)
- Suspicious use of SetWindowsHookEx 3 IoCs
  pid: 3572, Process: e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
  pid: 1780, Process: e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe (recorded 2 times)
- Suspicious use of WriteProcessMemory 8 IoCs
  description: PID 3572 wrote to memory of 1780
  pid: 3572
  Process: e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
  procid_target: 93 (the same entry is recorded 8 times)
- System policy modification 1 TTPs 1 IoCs
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  Process: e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe"
  PID: 3572
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe (level 2, child of PID 3572)
    Command line: C:\Users\Admin\AppData\Local\Temp\e5ec659cf211fb86b002bdfc8bafa71b_JaffaCakes118.exe
    PID: 1780
    - UAC bypass
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1060 --field-trial-handle=2292,i,2927097380497635931,2014459809064723663,262144 --variations-seed-version /prefetch:8
  PID: 1888
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 33KB
  MD5: ba8aaa1fad7e35b86ac143179b1616bd
  SHA1: b19789ed5256d829596f06d36c2f16dc95646412
  SHA256: 152786dde90388e45c73ce4fd5528ccb11deb2cf1e3a4c62fcb4ebc8fec7652c
  SHA512: 9d6e90450c566df7707062556dc6d0c6ec0b700b604726c62d439377d2a2ab11db04e02af957b10c38eb080c73c4630aaa67b1e59d05414a7bbf4188a10bde5a
- Filesize: 7KB
  MD5: 67587e25a971a141628d7f07bd40ffa0
  SHA1: 76fcd014539a3bb247cc0b761225f68bd6055f6b
  SHA256: e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
  SHA512: 6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350