Analysis

  • max time kernel
    147s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    20-06-2024 22:00

General

  • Target

    09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe

  • Size

    1.7MB

  • MD5

    09a32979c530c80cb87f56d7eeda2c0b

  • SHA1

    4b7b0320dd74ad2fe9fc5e2d91e476d6dca411bf

  • SHA256

    a2c87d019943bf7d1d05f87749c574d10e41e5147f174ee6de6605db8728b8ca

  • SHA512

    3e0716ecbc6b72ce270e5d63864a1c439f39c40b91a6db57d9bfbb05b9e365ada86313bd8095d79b23a2cefa2765b17fa765a28c7b41d02a9d0543682cafb539

  • SSDEEP

    49152:DDZHyO9BQ2ZpZ4QKtojLzsPi8/4tLE5Fj:DDTBQ2F4QKOPIPi8f

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • UAC bypass 3 TTPs 1 IoCs
  • ModiLoader Second Stage 10 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Users\Admin\AppData\Local\Temp\09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe
      2⤵
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\winlogon.exe
        "C:\Windows\winlogon.exe" \melt "C:\Users\Admin\AppData\Local\Temp\09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2056
        • C:\Windows\winlogon.exe
          C:\Windows\winlogon.exe \melt C:\Users\Admin\AppData\Local\Temp\09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe
          4⤵
          • UAC bypass
          • Deletes itself
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • System policy modification
          PID:1508
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\winlogon.exe

    Filesize

    1.7MB

    MD5

    09a32979c530c80cb87f56d7eeda2c0b

    SHA1

    4b7b0320dd74ad2fe9fc5e2d91e476d6dca411bf

    SHA256

    a2c87d019943bf7d1d05f87749c574d10e41e5147f174ee6de6605db8728b8ca

    SHA512

    3e0716ecbc6b72ce270e5d63864a1c439f39c40b91a6db57d9bfbb05b9e365ada86313bd8095d79b23a2cefa2765b17fa765a28c7b41d02a9d0543682cafb539

  • memory/1508-51-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/1508-59-0x00000000023A0000-0x00000000023AE000-memory.dmp

    Filesize

    56KB

  • memory/1508-58-0x0000000000340000-0x0000000000348000-memory.dmp

    Filesize

    32KB

  • memory/1508-56-0x00000000023A0000-0x00000000023AE000-memory.dmp

    Filesize

    56KB

  • memory/1508-52-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/1508-50-0x0000000020000000-0x00000000201E2000-memory.dmp

    Filesize

    1.9MB

  • memory/1508-49-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/1508-43-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2056-39-0x0000000020001000-0x0000000020003000-memory.dmp

    Filesize

    8KB

  • memory/2056-46-0x0000000020000000-0x00000000201E2000-memory.dmp

    Filesize

    1.9MB

  • memory/2056-47-0x0000000020000000-0x00000000201E2000-memory.dmp

    Filesize

    1.9MB

  • memory/2056-62-0x0000000020000000-0x00000000201E2000-memory.dmp

    Filesize

    1.9MB

  • memory/2056-29-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

  • memory/2292-14-0x0000000020000000-0x00000000201E2000-memory.dmp

    Filesize

    1.9MB

  • memory/2292-0-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

  • memory/2292-2-0x0000000000320000-0x0000000000321000-memory.dmp

    Filesize

    4KB

  • memory/2292-1-0x0000000001E90000-0x0000000001FED000-memory.dmp

    Filesize

    1.4MB

  • memory/2668-28-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2668-19-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

  • memory/2668-18-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2668-17-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2668-16-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2668-10-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2668-13-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2668-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB