Analysis
-
max time kernel
144s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
07-05-2024 04:21
Behavioral task
behavioral1
Sample
1f6dd8abec7ed164e5663c9324f68839_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
1f6dd8abec7ed164e5663c9324f68839_JaffaCakes118.exe
Resource
win10v2004-20240419-en
General
-
Target
1f6dd8abec7ed164e5663c9324f68839_JaffaCakes118.exe
-
Size
270KB
-
MD5
1f6dd8abec7ed164e5663c9324f68839
-
SHA1
1c0fa8ed470522a45c9b06e1a614d7cf877ee1a9
-
SHA256
b902253ab20c158fbec990c5335d1609a2f467ccc74fa40ab91b6f36cd126a2c
-
SHA512
36c8b92dc77caa00ea961ce2b806e35db3d9157a86ed62fa857489800130f2120aea14d686481520639cc3633104dba142e03aad67e27316f69173d911435e13
-
SSDEEP
6144:KG377xS2Vp2CeiorXhwTBOz53VpcCJJvH:Zr7xS2Vp6FwTObJJvH
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Processes:
mstwain32.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
ModiLoader Second Stage 16 IoCs
Processes:
resource yara_rule C:\Windows\mstwain32.exe modiloader_stage2 behavioral1/memory/1328-8-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/3060-17-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/3060-20-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/3060-24-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/3060-28-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/3060-31-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/3060-35-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/3060-38-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/3060-41-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/3060-44-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/3060-47-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/3060-50-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/3060-53-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/3060-56-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/3060-59-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 -
Deletes itself 1 IoCs
Processes:
mstwain32.exepid process 3060 mstwain32.exe -
Executes dropped EXE 1 IoCs
Processes:
mstwain32.exepid process 3060 mstwain32.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
mstwain32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe" mstwain32.exe -
Processes:
1f6dd8abec7ed164e5663c9324f68839_JaffaCakes118.exemstwain32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 1f6dd8abec7ed164e5663c9324f68839_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mstwain32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
Drops file in Windows directory 4 IoCs
Processes:
1f6dd8abec7ed164e5663c9324f68839_JaffaCakes118.exemstwain32.exedescription ioc process File created C:\Windows\mstwain32.exe 1f6dd8abec7ed164e5663c9324f68839_JaffaCakes118.exe File opened for modification C:\Windows\mstwain32.exe 1f6dd8abec7ed164e5663c9324f68839_JaffaCakes118.exe File created C:\Windows\ntdtcstp.dll mstwain32.exe File created C:\Windows\cmsetac.dll mstwain32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
1f6dd8abec7ed164e5663c9324f68839_JaffaCakes118.exevssvc.exemstwain32.exedescription pid process Token: SeDebugPrivilege 1328 1f6dd8abec7ed164e5663c9324f68839_JaffaCakes118.exe Token: SeBackupPrivilege 2160 vssvc.exe Token: SeRestorePrivilege 2160 vssvc.exe Token: SeAuditPrivilege 2160 vssvc.exe Token: SeDebugPrivilege 3060 mstwain32.exe Token: SeDebugPrivilege 3060 mstwain32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
mstwain32.exepid process 3060 mstwain32.exe 3060 mstwain32.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
1f6dd8abec7ed164e5663c9324f68839_JaffaCakes118.exedescription pid process target process PID 1328 wrote to memory of 3060 1328 1f6dd8abec7ed164e5663c9324f68839_JaffaCakes118.exe mstwain32.exe PID 1328 wrote to memory of 3060 1328 1f6dd8abec7ed164e5663c9324f68839_JaffaCakes118.exe mstwain32.exe PID 1328 wrote to memory of 3060 1328 1f6dd8abec7ed164e5663c9324f68839_JaffaCakes118.exe mstwain32.exe PID 1328 wrote to memory of 3060 1328 1f6dd8abec7ed164e5663c9324f68839_JaffaCakes118.exe mstwain32.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
mstwain32.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f6dd8abec7ed164e5663c9324f68839_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1f6dd8abec7ed164e5663c9324f68839_JaffaCakes118.exe"1⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\mstwain32.exe"C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\1f6dd8abec7ed164e5663c9324f68839_JaffaCakes118.exe"2⤵
- UAC bypass
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3060
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2160
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
270KB
MD51f6dd8abec7ed164e5663c9324f68839
SHA11c0fa8ed470522a45c9b06e1a614d7cf877ee1a9
SHA256b902253ab20c158fbec990c5335d1609a2f467ccc74fa40ab91b6f36cd126a2c
SHA51236c8b92dc77caa00ea961ce2b806e35db3d9157a86ed62fa857489800130f2120aea14d686481520639cc3633104dba142e03aad67e27316f69173d911435e13