Analysis
-
max time kernel
59s -
max time network
59s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
06-05-2024 16:38
Behavioral task
behavioral1
Sample
1d5e6f06b05e39f726439c058ff11ebf_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
1d5e6f06b05e39f726439c058ff11ebf_JaffaCakes118.exe
Resource
win10v2004-20240419-en
General
-
Target
1d5e6f06b05e39f726439c058ff11ebf_JaffaCakes118.exe
-
Size
270KB
-
MD5
1d5e6f06b05e39f726439c058ff11ebf
-
SHA1
5a6f3293d1980a7220ec3c264f4c87e5f5c4ba4f
-
SHA256
70668c180217f0354ad3da0b852948423b4217cbc8f3cffb986430bd5e5d910c
-
SHA512
f2ec95c96315d687cf8db05e1cf360e77e6bb84659e19ea5029b51d6ec6814b8aafe6e3deadb9bd0fc332b0794283d1f650494cec79dd4f7a4f2f8e3f4e4c1f0
-
SSDEEP
6144:KG377xS2Vp2CeiorXhwTBOz53QpcCJJvH:Zr7xS2Vp6FwT/bJJvH
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Processes:
mstwain32.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
ModiLoader Second Stage 7 IoCs
Processes:
resource yara_rule C:\Windows\mstwain32.exe modiloader_stage2 behavioral2/memory/4484-9-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/2328-26-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/2328-29-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/2328-32-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/2328-35-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/2328-38-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
1d5e6f06b05e39f726439c058ff11ebf_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation 1d5e6f06b05e39f726439c058ff11ebf_JaffaCakes118.exe -
Deletes itself 1 IoCs
Processes:
mstwain32.exepid process 2328 mstwain32.exe -
Executes dropped EXE 1 IoCs
Processes:
mstwain32.exepid process 2328 mstwain32.exe -
Loads dropped DLL 4 IoCs
Processes:
mstwain32.exepid process 2328 mstwain32.exe 2328 mstwain32.exe 2328 mstwain32.exe 2328 mstwain32.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
mstwain32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe" mstwain32.exe -
Processes:
1d5e6f06b05e39f726439c058ff11ebf_JaffaCakes118.exemstwain32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 1d5e6f06b05e39f726439c058ff11ebf_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mstwain32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
Drops file in Windows directory 4 IoCs
Processes:
1d5e6f06b05e39f726439c058ff11ebf_JaffaCakes118.exemstwain32.exedescription ioc process File created C:\Windows\mstwain32.exe 1d5e6f06b05e39f726439c058ff11ebf_JaffaCakes118.exe File opened for modification C:\Windows\mstwain32.exe 1d5e6f06b05e39f726439c058ff11ebf_JaffaCakes118.exe File created C:\Windows\ntdtcstp.dll mstwain32.exe File created C:\Windows\cmsetac.dll mstwain32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
1d5e6f06b05e39f726439c058ff11ebf_JaffaCakes118.exevssvc.exemstwain32.exedescription pid process Token: SeDebugPrivilege 4484 1d5e6f06b05e39f726439c058ff11ebf_JaffaCakes118.exe Token: SeBackupPrivilege 4532 vssvc.exe Token: SeRestorePrivilege 4532 vssvc.exe Token: SeAuditPrivilege 4532 vssvc.exe Token: SeDebugPrivilege 2328 mstwain32.exe Token: SeDebugPrivilege 2328 mstwain32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
mstwain32.exepid process 2328 mstwain32.exe 2328 mstwain32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
1d5e6f06b05e39f726439c058ff11ebf_JaffaCakes118.exedescription pid process target process PID 4484 wrote to memory of 2328 4484 1d5e6f06b05e39f726439c058ff11ebf_JaffaCakes118.exe mstwain32.exe PID 4484 wrote to memory of 2328 4484 1d5e6f06b05e39f726439c058ff11ebf_JaffaCakes118.exe mstwain32.exe PID 4484 wrote to memory of 2328 4484 1d5e6f06b05e39f726439c058ff11ebf_JaffaCakes118.exe mstwain32.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
mstwain32.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d5e6f06b05e39f726439c058ff11ebf_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1d5e6f06b05e39f726439c058ff11ebf_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\mstwain32.exe"C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\1d5e6f06b05e39f726439c058ff11ebf_JaffaCakes118.exe"2⤵
- UAC bypass
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2328
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4532
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
33KB
MD58487712c028dabaa68ac525b18561443
SHA1ba264866badd556380bd3dd954feec03a9a5203c
SHA256fe829e5b09cf72699ddc93223d03811f9ffa7a8c56efa8aaf125b59e2c048792
SHA51299b213176ecfac4f427268a19762e8d19e427e4857bc951b28ce3fd82f6b05459cb4add95e11a97c7278a45702b1dce36c03db4a1a28a64c0bb0a0b52b9fda75
-
Filesize
270KB
MD51d5e6f06b05e39f726439c058ff11ebf
SHA15a6f3293d1980a7220ec3c264f4c87e5f5c4ba4f
SHA25670668c180217f0354ad3da0b852948423b4217cbc8f3cffb986430bd5e5d910c
SHA512f2ec95c96315d687cf8db05e1cf360e77e6bb84659e19ea5029b51d6ec6814b8aafe6e3deadb9bd0fc332b0794283d1f650494cec79dd4f7a4f2f8e3f4e4c1f0
-
Filesize
7KB
MD567587e25a971a141628d7f07bd40ffa0
SHA176fcd014539a3bb247cc0b761225f68bd6055f6b
SHA256e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
SHA5126e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350