Analysis
-
max time kernel: 147s
max time network: 123s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 19-06-2024 21:48
Static task: static1
Behavioral task: behavioral1
  Sample: 00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
-
Target: 00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
Size: 481KB
MD5: 00b0f2a6e491fe0215b19a0037dbed36
SHA1: 0744ae66e734d9f7e642960df5fbcddfc3d636ed
SHA256: f051f15c5c975891df9dad69444ff66f0a45cdc5bd19ec16be1aa8d4075f0ceb
SHA512: 570eef6e604a2277b59cfdb835f4840e333fdd812c5c79e28fda5216488783595dfb74f140c10f89a40d2c75d0e3c379bd95a61be81b52668e95a6cd618ff3fb
SSDEEP: 12288:UJ4kS6ROujO+a/kq1bpvgcrQ0pgjCVkUZbOebJJvH/:JPkhy+a/kqlWczgjCVkU9OUJvH/
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
UAC bypass
Processes:
  00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
-
ModiLoader Second Stage 1 IoCs
Processes:
  resource | yara_rule
  behavioral1/memory/2196-16-0x0000000000400000-0x000000000082C000-memory.dmp | modiloader_stage2
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
-
Loads dropped DLL 2 IoCs
Processes:
  00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
  pid | process
  2196 | 00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
  2196 | 00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
-
Checks whether UAC is enabled
Processes:
  00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
-
Drops file in Windows directory 1 IoCs
Processes:
  00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
  description | ioc | process
  File created | C:\Windows\VMPipe32.dll | 00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
  00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate | 00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
  description | pid | process
  Token: SeDebugPrivilege | 2196 | 00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2196 | 00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
  pid | process
  2196 | 00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
  2196 | 00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
-
System policy modification 1 TTPs 1 IoCs
Processes:
  00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\00b0f2a6e491fe0215b19a0037dbed36_JaffaCakes118.exe"
- UAC bypass
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
\Users\Admin\AppData\Local\Temp\cmsetac.dll
  Filesize: 33KB
  MD5: 9ec75aa034b2ea7431917ce12764c0ba
  SHA1: f7d13cd572cc05e66122cd1f763a8df4f1247e81
  SHA256: 09f513de0b9ddff295ffd7602edac5119f6a6a994266c8a8c0e9ca5421e38bc3
  SHA512: 543dc7d784259348de6f34e9525c9a7c1349768cffb906a3409311888f884db22c5dd9dca92f222f72dd188c016bddb61e9d3d847eab7f9ba5c5c5e543c264c4
-
\Users\Admin\AppData\Local\Temp\ntdtcstp.dll
  Filesize: 7KB
  MD5: 67587e25a971a141628d7f07bd40ffa0
  SHA1: 76fcd014539a3bb247cc0b761225f68bd6055f6b
  SHA256: e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
  SHA512: 6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350
-
memory/2196-12-0x00000000764A0000-0x0000000076590000-memory.dmp
  Filesize: 960KB
-
memory/2196-5-0x0000000002340000-0x0000000002341000-memory.dmp
  Filesize: 4KB
-
memory/2196-9-0x0000000003E70000-0x0000000003E7E000-memory.dmp
  Filesize: 56KB
-
memory/2196-1-0x0000000002350000-0x0000000002460000-memory.dmp
  Filesize: 1.1MB
-
memory/2196-0-0x0000000000400000-0x000000000082C000-memory.dmp
  Filesize: 4.2MB
-
memory/2196-11-0x00000000764B0000-0x00000000764B1000-memory.dmp
  Filesize: 4KB
-
memory/2196-14-0x0000000002B80000-0x0000000002B88000-memory.dmp
  Filesize: 32KB
-
memory/2196-15-0x0000000003E70000-0x0000000003E7E000-memory.dmp
  Filesize: 56KB
-
memory/2196-16-0x0000000000400000-0x000000000082C000-memory.dmp
  Filesize: 4.2MB
-
memory/2196-17-0x0000000002350000-0x0000000002460000-memory.dmp
  Filesize: 1.1MB
-
memory/2196-21-0x00000000764A0000-0x0000000076590000-memory.dmp
  Filesize: 960KB