Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-06-2024 21:52
Behavioral task: behavioral1
- Sample: 099725219e5a2f8a02d6c3e3996e6755_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 099725219e5a2f8a02d6c3e3996e6755_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 099725219e5a2f8a02d6c3e3996e6755_JaffaCakes118.exe
- Size: 208KB
- MD5: 099725219e5a2f8a02d6c3e3996e6755
- SHA1: 3f7d30a6cfd17a1bf75160ad748e3ea1b4cc3983
- SHA256: fda779d657a388dc185476741ef82d50fcb3d0e616359e61f05594c819c84433
- SHA512: 0173f259cc7aac3d89af2e48b20fdb3d8cf2acf9775bac0160aa74f5c6aa8a828dcf7f28560c92d365c81b146d6dd3257ef4b3cf0f03107ad1755a7708aee7d7
- SSDEEP: 3072:w1+MJKrUnFYY5z1i0Nmbi5fJBNPO9K+WoutdAwd/lD+xI0r:YIrPj0NmWtN2soSJd/h
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Processes:
- 099725219e5a2f8a02d6c3e3996e6755_JaffaCakes118.exe
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 099725219e5a2f8a02d6c3e3996e6755_JaffaCakes118.exe)
ModiLoader Second Stage 15 IoCs
Processes (resource: yara_rule):
- behavioral2/memory/4492-16-0x0000000000400000-0x0000000000480000-memory.dmp: modiloader_stage2
- behavioral2/memory/4492-19-0x0000000000400000-0x0000000000480000-memory.dmp: modiloader_stage2
- behavioral2/memory/4492-20-0x0000000000400000-0x0000000000480000-memory.dmp: modiloader_stage2
- behavioral2/memory/4492-23-0x0000000000400000-0x0000000000480000-memory.dmp: modiloader_stage2
- behavioral2/memory/4492-26-0x0000000000400000-0x0000000000480000-memory.dmp: modiloader_stage2
- behavioral2/memory/4492-29-0x0000000000400000-0x0000000000480000-memory.dmp: modiloader_stage2
- behavioral2/memory/4492-32-0x0000000000400000-0x0000000000480000-memory.dmp: modiloader_stage2
- behavioral2/memory/4492-35-0x0000000000400000-0x0000000000480000-memory.dmp: modiloader_stage2
- behavioral2/memory/4492-38-0x0000000000400000-0x0000000000480000-memory.dmp: modiloader_stage2
- behavioral2/memory/4492-41-0x0000000000400000-0x0000000000480000-memory.dmp: modiloader_stage2
- behavioral2/memory/4492-44-0x0000000000400000-0x0000000000480000-memory.dmp: modiloader_stage2
- behavioral2/memory/4492-47-0x0000000000400000-0x0000000000480000-memory.dmp: modiloader_stage2
- behavioral2/memory/4492-50-0x0000000000400000-0x0000000000480000-memory.dmp: modiloader_stage2
- behavioral2/memory/4492-53-0x0000000000400000-0x0000000000480000-memory.dmp: modiloader_stage2
- behavioral2/memory/4492-56-0x0000000000400000-0x0000000000480000-memory.dmp: modiloader_stage2
Loads dropped DLL 4 IoCs
Processes (pid: process):
- 4492: 099725219e5a2f8a02d6c3e3996e6755_JaffaCakes118.exe
- 4492: 099725219e5a2f8a02d6c3e3996e6755_JaffaCakes118.exe
- 4492: 099725219e5a2f8a02d6c3e3996e6755_JaffaCakes118.exe
- 4492: 099725219e5a2f8a02d6c3e3996e6755_JaffaCakes118.exe
yara rule upx 16 IoCs
Processes (resource: yara_rule):
- behavioral2/memory/4492-0-0x0000000000400000-0x0000000000480000-memory.dmp: upx
- behavioral2/memory/4492-16-0x0000000000400000-0x0000000000480000-memory.dmp: upx
- behavioral2/memory/4492-19-0x0000000000400000-0x0000000000480000-memory.dmp: upx
- behavioral2/memory/4492-20-0x0000000000400000-0x0000000000480000-memory.dmp: upx
- behavioral2/memory/4492-23-0x0000000000400000-0x0000000000480000-memory.dmp: upx
- behavioral2/memory/4492-26-0x0000000000400000-0x0000000000480000-memory.dmp: upx
- behavioral2/memory/4492-29-0x0000000000400000-0x0000000000480000-memory.dmp: upx
- behavioral2/memory/4492-32-0x0000000000400000-0x0000000000480000-memory.dmp: upx
- behavioral2/memory/4492-35-0x0000000000400000-0x0000000000480000-memory.dmp: upx
- behavioral2/memory/4492-38-0x0000000000400000-0x0000000000480000-memory.dmp: upx
- behavioral2/memory/4492-41-0x0000000000400000-0x0000000000480000-memory.dmp: upx
- behavioral2/memory/4492-44-0x0000000000400000-0x0000000000480000-memory.dmp: upx
- behavioral2/memory/4492-47-0x0000000000400000-0x0000000000480000-memory.dmp: upx
- behavioral2/memory/4492-50-0x0000000000400000-0x0000000000480000-memory.dmp: upx
- behavioral2/memory/4492-53-0x0000000000400000-0x0000000000480000-memory.dmp: upx
- behavioral2/memory/4492-56-0x0000000000400000-0x0000000000480000-memory.dmp: upx
Processes:
- 099725219e5a2f8a02d6c3e3996e6755_JaffaCakes118.exe
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: 099725219e5a2f8a02d6c3e3996e6755_JaffaCakes118.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 099725219e5a2f8a02d6c3e3996e6755_JaffaCakes118.exe)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- 099725219e5a2f8a02d6c3e3996e6755_JaffaCakes118.exe
  - Token: SeDebugPrivilege, pid 4492 (process: 099725219e5a2f8a02d6c3e3996e6755_JaffaCakes118.exe)
  - Token: SeDebugPrivilege, pid 4492 (process: 099725219e5a2f8a02d6c3e3996e6755_JaffaCakes118.exe)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes (pid: process):
- 4492: 099725219e5a2f8a02d6c3e3996e6755_JaffaCakes118.exe
- 4492: 099725219e5a2f8a02d6c3e3996e6755_JaffaCakes118.exe
System policy modification 1 TTPs 1 IoCs
Processes:
- 099725219e5a2f8a02d6c3e3996e6755_JaffaCakes118.exe
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 099725219e5a2f8a02d6c3e3996e6755_JaffaCakes118.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\099725219e5a2f8a02d6c3e3996e6755_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\099725219e5a2f8a02d6c3e3996e6755_JaffaCakes118.exe"
  PID: 4492
  - UAC bypass
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  - Filesize: 32KB
  - MD5: c2f05c372906a6d29595da23d408b9e2
  - SHA1: d3c5416d66adbd13b8095ed585a63e69a2e257f0
  - SHA256: b7b7d5023796dba52cfcf2d4d64193aa3930631bded2bb4a95323d886f2f6b79
  - SHA512: 582eccc0460c63238c43b87555d1d599c1682a140161a348371d99ac98998c04a50cda70b9c5844ae4ff35d5c31ec001765ee4d32fb6f8656aa2696b6fdfb741
- File 2
  - Filesize: 7KB
  - MD5: 67587e25a971a141628d7f07bd40ffa0
  - SHA1: 76fcd014539a3bb247cc0b761225f68bd6055f6b
  - SHA256: e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
  - SHA512: 6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350