Analysis
-
max time kernel
143s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
03-05-2024 14:52
Behavioral task
behavioral1
Sample
10c6f2ab630e600b78ed200b381e7040_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
10c6f2ab630e600b78ed200b381e7040_JaffaCakes118.exe
Resource
win10v2004-20240419-en
General
-
Target
10c6f2ab630e600b78ed200b381e7040_JaffaCakes118.exe
-
Size
270KB
-
MD5
10c6f2ab630e600b78ed200b381e7040
-
SHA1
fde4d24d51c1ce8990a6c4a95d31b54139cafd92
-
SHA256
0bc43275172f6b2c4af4d7518beb64cad28ab6cddade83e042d89654e7bc8355
-
SHA512
39f8a473b40615ebc98ca894dc2574f27a197c0fd238313c2a95a121a5976819984e58682d598f1e003e8d9063d7bdfdf949945d1704d221c9c0f4a847ee1d88
-
SSDEEP
6144:KG377xS2Vp2CeiorXhwTBOz53ciSpcCJJvH:Zr7xS2Vp6FwTbiSbJJvH
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Processes:
mstwain32.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
ModiLoader Second Stage 16 IoCs
Processes:
resource yara_rule C:\Windows\mstwain32.exe modiloader_stage2 behavioral1/memory/1196-8-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1348-17-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1348-20-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1348-25-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1348-28-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1348-31-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1348-35-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1348-38-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1348-41-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1348-44-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1348-47-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1348-50-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1348-53-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1348-56-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1348-59-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 -
Deletes itself 1 IoCs
Processes:
mstwain32.exepid process 1348 mstwain32.exe -
Executes dropped EXE 1 IoCs
Processes:
mstwain32.exepid process 1348 mstwain32.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
mstwain32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe" mstwain32.exe -
Processes:
10c6f2ab630e600b78ed200b381e7040_JaffaCakes118.exemstwain32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 10c6f2ab630e600b78ed200b381e7040_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mstwain32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
Drops file in Windows directory 4 IoCs
Processes:
10c6f2ab630e600b78ed200b381e7040_JaffaCakes118.exemstwain32.exedescription ioc process File opened for modification C:\Windows\mstwain32.exe 10c6f2ab630e600b78ed200b381e7040_JaffaCakes118.exe File created C:\Windows\ntdtcstp.dll mstwain32.exe File created C:\Windows\cmsetac.dll mstwain32.exe File created C:\Windows\mstwain32.exe 10c6f2ab630e600b78ed200b381e7040_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
10c6f2ab630e600b78ed200b381e7040_JaffaCakes118.exevssvc.exemstwain32.exedescription pid process Token: SeDebugPrivilege 1196 10c6f2ab630e600b78ed200b381e7040_JaffaCakes118.exe Token: SeBackupPrivilege 1048 vssvc.exe Token: SeRestorePrivilege 1048 vssvc.exe Token: SeAuditPrivilege 1048 vssvc.exe Token: SeDebugPrivilege 1348 mstwain32.exe Token: SeDebugPrivilege 1348 mstwain32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
mstwain32.exepid process 1348 mstwain32.exe 1348 mstwain32.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
10c6f2ab630e600b78ed200b381e7040_JaffaCakes118.exedescription pid process target process PID 1196 wrote to memory of 1348 1196 10c6f2ab630e600b78ed200b381e7040_JaffaCakes118.exe mstwain32.exe PID 1196 wrote to memory of 1348 1196 10c6f2ab630e600b78ed200b381e7040_JaffaCakes118.exe mstwain32.exe PID 1196 wrote to memory of 1348 1196 10c6f2ab630e600b78ed200b381e7040_JaffaCakes118.exe mstwain32.exe PID 1196 wrote to memory of 1348 1196 10c6f2ab630e600b78ed200b381e7040_JaffaCakes118.exe mstwain32.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
mstwain32.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\10c6f2ab630e600b78ed200b381e7040_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\10c6f2ab630e600b78ed200b381e7040_JaffaCakes118.exe"1⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\mstwain32.exe"C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\10c6f2ab630e600b78ed200b381e7040_JaffaCakes118.exe"2⤵
- UAC bypass
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1348
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1048
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
270KB
MD510c6f2ab630e600b78ed200b381e7040
SHA1fde4d24d51c1ce8990a6c4a95d31b54139cafd92
SHA2560bc43275172f6b2c4af4d7518beb64cad28ab6cddade83e042d89654e7bc8355
SHA51239f8a473b40615ebc98ca894dc2574f27a197c0fd238313c2a95a121a5976819984e58682d598f1e003e8d9063d7bdfdf949945d1704d221c9c0f4a847ee1d88