modiloader | 2d86628a0efa7bc67af91c9a943787575e13a17be8326a417cdd37c4df3d952d

General

Target

00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Size

414KB
MD5

00e1229a0db38013ff2423f38838f0a0
SHA1

0e8260f63fb998f4cb6044fd76084c0e292fb27f
SHA256

2d86628a0efa7bc67af91c9a943787575e13a17be8326a417cdd37c4df3d952d
SHA512

b3caa00f5edadd84c28a4f7bd89bf78e7b7c5246619aca4d1b8f11afb2541fce04ba22bfaf357eaf8e09cbce8dba2abef999e38fbfde833bb0266eaf1cdbc4aa
SSDEEP

6144:cqq4CsEJ1VKqJCWGxlVVM1UHjn94oYs0KLVowmVn8n3HvurOTS/p/EM9Ld:0sEJLKqJVGxbVD94oYs0KLVBCe1Ep

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
C:\Temp\dfvxp522008a.exe	modiloader_stage2
behavioral1/memory/2424-16-0x0000000000400000-0x00000000004B9000-memory.dmp	modiloader_stage2

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscntfy.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavmonD.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvMonXP.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwproxy.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVXP.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avast.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscntfy.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwproxy.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavmonD.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avast.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmon.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmon.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvMonXP.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVXP.exe	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav.exe\debugger = "IFEOFILE"	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

dfvxp522008a.exe

pid process

2424 dfvxp522008a.exe
Loads dropped DLL 2 IoCs

Processes:

00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe

pid process

1752 00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752 00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Drops file in Program Files directory 1 IoCs

Processes:

dfvxp522008a.exe

description ioc process

File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt dfvxp522008a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2424	dfvxp522008a.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt	dfvxp522008a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe

pid	process
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 1752 00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe

pid process

1752 00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe

description	pid	process	target process
PID 1752 wrote to memory of 2424	1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe	dfvxp522008a.exe
PID 1752 wrote to memory of 2424	1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe	dfvxp522008a.exe
PID 1752 wrote to memory of 2424	1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe	dfvxp522008a.exe
PID 1752 wrote to memory of 2424	1752	00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe	dfvxp522008a.exe

C:\Users\Admin\AppData\Local\Temp\00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00e1229a0db38013ff2423f38838f0a0_JaffaCakes118.exe"
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752

C:\Temp\dfvxp522008a.exe
"C:\Temp\dfvxp522008a.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2424

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Image File Execution Options Injection

1

T1546.012

Privilege Escalation

Event Triggered Execution

1

T1546

Image File Execution Options Injection

1

T1546.012

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\dfvxp522008a.exe
Filesize
673KB

MD5
7b189dbe5a577db50e38379debdc5681

SHA1
def708588d42e533ecf2d04a0a8b2433240d59ad

SHA256
d56b75be72ac5ad9a80648f520210c24eb828b7758863ba52b2d318687db567f

SHA512
2ed6ab2b563b170923c59fe482e5a9ac9d380ffd748ba71d61e4e3a9768ef56556154c560b6d282763f02baef8abefc6457a98a603dc799770115054f37c5450

Download Submit
memory/1752-0-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1752-13-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2424-14-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2424-16-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads