Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
08-05-2024 18:32
Behavioral task
behavioral1
Sample
2629102aaab6078a598437b0bfde20f6_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2629102aaab6078a598437b0bfde20f6_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
2629102aaab6078a598437b0bfde20f6_JaffaCakes118.exe
-
Size
270KB
-
MD5
2629102aaab6078a598437b0bfde20f6
-
SHA1
7f02c1be915d19184f1f68ec89078ee55a9f974e
-
SHA256
8aa5a9c79c871690a1fad384608ba8abcb7e18a09968ed177a3830f9363a716f
-
SHA512
d70f52ea07b78af4dc1ebb6c89afb4e874b1436233ed2d24215cd3795ac8bf74d5ee3538fc27092f713a9ab14524bf7f79eca1a20b30adff0354ac22e2004847
-
SSDEEP
6144:KG377xS2Vp2CeiorXhwTBOz53RHopcCJJvH:Zr7xS2Vp6FwTcHobJJvH
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Processes:
mstwain32.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
ModiLoader Second Stage 16 IoCs
Processes:
resource yara_rule C:\Windows\mstwain32.exe modiloader_stage2 behavioral1/memory/2968-9-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1792-18-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1792-21-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1792-26-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1792-29-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1792-32-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1792-36-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1792-39-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1792-42-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1792-45-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1792-48-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1792-51-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1792-54-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1792-57-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1792-60-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 -
Deletes itself 1 IoCs
Processes:
mstwain32.exepid process 1792 mstwain32.exe -
Executes dropped EXE 1 IoCs
Processes:
mstwain32.exepid process 1792 mstwain32.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
mstwain32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lütfen Çalýþtýrýn = "C:\\Windows\\mstwain32.exe" mstwain32.exe -
Processes:
2629102aaab6078a598437b0bfde20f6_JaffaCakes118.exemstwain32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2629102aaab6078a598437b0bfde20f6_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mstwain32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
Drops file in Windows directory 4 IoCs
Processes:
2629102aaab6078a598437b0bfde20f6_JaffaCakes118.exemstwain32.exedescription ioc process File created C:\Windows\mstwain32.exe 2629102aaab6078a598437b0bfde20f6_JaffaCakes118.exe File opened for modification C:\Windows\mstwain32.exe 2629102aaab6078a598437b0bfde20f6_JaffaCakes118.exe File created C:\Windows\ntdtcstp.dll mstwain32.exe File created C:\Windows\cmsetac.dll mstwain32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
2629102aaab6078a598437b0bfde20f6_JaffaCakes118.exevssvc.exemstwain32.exedescription pid process Token: SeDebugPrivilege 2968 2629102aaab6078a598437b0bfde20f6_JaffaCakes118.exe Token: SeBackupPrivilege 1712 vssvc.exe Token: SeRestorePrivilege 1712 vssvc.exe Token: SeAuditPrivilege 1712 vssvc.exe Token: SeDebugPrivilege 1792 mstwain32.exe Token: SeDebugPrivilege 1792 mstwain32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
mstwain32.exepid process 1792 mstwain32.exe 1792 mstwain32.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
2629102aaab6078a598437b0bfde20f6_JaffaCakes118.exedescription pid process target process PID 2968 wrote to memory of 1792 2968 2629102aaab6078a598437b0bfde20f6_JaffaCakes118.exe mstwain32.exe PID 2968 wrote to memory of 1792 2968 2629102aaab6078a598437b0bfde20f6_JaffaCakes118.exe mstwain32.exe PID 2968 wrote to memory of 1792 2968 2629102aaab6078a598437b0bfde20f6_JaffaCakes118.exe mstwain32.exe PID 2968 wrote to memory of 1792 2968 2629102aaab6078a598437b0bfde20f6_JaffaCakes118.exe mstwain32.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
mstwain32.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2629102aaab6078a598437b0bfde20f6_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2629102aaab6078a598437b0bfde20f6_JaffaCakes118.exe"1⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\mstwain32.exe"C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\2629102aaab6078a598437b0bfde20f6_JaffaCakes118.exe"2⤵
- UAC bypass
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1792
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
270KB
MD52629102aaab6078a598437b0bfde20f6
SHA17f02c1be915d19184f1f68ec89078ee55a9f974e
SHA2568aa5a9c79c871690a1fad384608ba8abcb7e18a09968ed177a3830f9363a716f
SHA512d70f52ea07b78af4dc1ebb6c89afb4e874b1436233ed2d24215cd3795ac8bf74d5ee3538fc27092f713a9ab14524bf7f79eca1a20b30adff0354ac22e2004847