Analysis
-
max time kernel: 147s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 22:00
Static task: static1
Behavioral task: behavioral1
  Sample: 09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
The signatures, memory hits and process tree below come from behavioral1 (win7-20240220-en): every memory-dump IoC is tagged behavioral1 and the platform is windows7_x64. The win10v2004 run is listed but its results are not part of this page.
General
-
Target: 09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe
Size: 1.7MB
MD5: 09a32979c530c80cb87f56d7eeda2c0b
SHA1: 4b7b0320dd74ad2fe9fc5e2d91e476d6dca411bf
SHA256: a2c87d019943bf7d1d05f87749c574d10e41e5147f174ee6de6605db8728b8ca
SHA512: 3e0716ecbc6b72ce270e5d63864a1c439f39c40b91a6db57d9bfbb05b9e365ada86313bd8095d79b23a2cefa2765b17fa765a28c7b41d02a9d0543682cafb539
SSDEEP: 49152:DDZHyO9BQ2ZpZ4QKtojLzsPi8/4tLE5Fj:DDTBQ2F4QKOPIPi8f
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
UAC bypass 1 IoCs
Processes:
  winlogon.exe (PID 1508): Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Writing 0 to EnableLUA switches UAC off machine-wide for every later session (the change takes effect after a reboot), so this is a persistent weakening of the host rather than a one-off elevation; restoring the value to 1 is part of cleanup.
-
ModiLoader Second Stage 10 IoCs
Processes (yara rule modiloader_stage2 on behavioral1 memory dumps):
  behavioral1/memory/2292-14-0x0000000020000000-0x00000000201E2000-memory.dmp
  behavioral1/memory/2668-17-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral1/memory/2668-18-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral1/memory/2668-28-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral1/memory/2056-39-0x0000000020001000-0x0000000020003000-memory.dmp
  behavioral1/memory/2056-47-0x0000000020000000-0x00000000201E2000-memory.dmp
  behavioral1/memory/2056-46-0x0000000020000000-0x00000000201E2000-memory.dmp
  behavioral1/memory/1508-51-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral1/memory/1508-52-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral1/memory/2056-62-0x0000000020000000-0x00000000201E2000-memory.dmp
The rule fires on two kinds of region: a 0x1E2000-byte mapping at 0x20000000 in the parent processes (2292 and 2056) and the 0x00400000-0x00450000 image range of the child processes (2668 and 1508), the same range the upx rule matches below.
-
Deletes itself 1 IoCs
Processes:
  PID 1508 winlogon.exe
-
Executes dropped EXE 2 IoCs
Processes:
  PID 2056 winlogon.exe
  PID 1508 winlogon.exe
-
UPX packed file 9 IoCs
Processes (yara rule upx on behavioral1 memory dumps):
  behavioral1/memory/2668-13-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral1/memory/2668-16-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral1/memory/2668-17-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral1/memory/2668-18-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral1/memory/2668-28-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral1/memory/1508-43-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral1/memory/1508-49-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral1/memory/1508-51-0x0000000000400000-0x0000000000450000-memory.dmp
  behavioral1/memory/1508-52-0x0000000000400000-0x0000000000450000-memory.dmp
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  winlogon.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\winlogon.exe"
The value name winlogon and the target C:\Windows\winlogon.exe borrow the name of the real Windows logon process, which lives in C:\Windows\System32. The Run key is under the user's own hive (HKU\<SID>), which needs no elevation to write, so this persistence survives even if the UAC change is reverted.
-
Checks whether UAC is enabled 3 IoCs
Processes:
  09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  winlogon.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
  PID 2292 09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe set thread context of PID 2668 09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe
  PID 2056 winlogon.exe set thread context of PID 1508 winlogon.exe
In both cases the parent has started a copy of its own image, written into it (see the WriteProcessMemory entries) and replaced the child's thread context. That is the process-hollowing (RunPE) shape, and it is consistent with the second-stage and upx rules matching the child's 0x00400000-0x00450000 image range rather than the parent's.
-
Drops file in Windows directory 4 IoCs
Processes:
  09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe: File created C:\Windows\winlogon.exe
  09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe: File opened for modification C:\Windows\winlogon.exe
  winlogon.exe: File created C:\Windows\ntdtcstp.dll
  winlogon.exe: File created C:\Windows\cmsetac.dll
C:\Windows\winlogon.exe is a name collision with the genuine C:\Windows\System32\winlogon.exe; a winlogon.exe whose image path is directly under C:\Windows is an indicator on its own, as are the two dropped DLL names.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
  PID 2668 09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe: Token: SeDebugPrivilege
  PID 2740 vssvc.exe: Token: SeBackupPrivilege
  PID 2740 vssvc.exe: Token: SeRestorePrivilege
  PID 2740 vssvc.exe: Token: SeAuditPrivilege
  PID 1508 winlogon.exe: Token: SeDebugPrivilege
  PID 1508 winlogon.exe: Token: SeDebugPrivilege
The three vssvc.exe entries are the Volume Shadow Copy service enabling its own privileges after being started through the COM API (see the VSS signature below); they are not sample code. The sample-side activity is SeDebugPrivilege in 2668 and 1508, the privilege typically enabled ahead of cross-process memory access.
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  PID 1508 winlogon.exe (2 hits)
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes (identical records collapsed, with counts):
  PID 2292 09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe wrote to memory of PID 2668 09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe (6 records)
  PID 2668 09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe wrote to memory of PID 2056 winlogon.exe (4 records)
  PID 2056 winlogon.exe wrote to memory of PID 1508 winlogon.exe (6 records)
-
System policy modification 1 TTPs 1 IoCs
Processes:
  winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
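Added example, not part of the sandbox report: a small Python evaluator that parses the registry IoCs above in the report's own notation and flags the two writes a responder acts on, the EnableLUA change and the Run entry whose target borrows a System32 binary name from outside System32. The SYSTEM32_NAMES list, the rule names and the function names are the example's own assumptions; the four event lines are the report's IoCs retyped as sample input.

```python
import re
from pathlib import PureWindowsPath

# The report's registry IoCs, retyped in its own notation as constructed sample input.
REPORT_REGISTRY_EVENTS = [
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winlogon.exe",
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\winlogon.exe" winlogon.exe',
]

# One report line: <op> <native key>[ = "<value>"] <process image name>
EVENT_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>int|str)\)|Key value queried) '
    r"(?P<key>\\REGISTRY\\\S+?)"
    r'(?: = "(?P<value>.*)")?'
    r" (?P<process>\S+)$"
)

# Binaries a stock install keeps in C:\Windows\System32. A short list and an
# assumption of this example; build the real one from a golden image.
SYSTEM32_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe", "svchost.exe"}
SYSTEM32_DIR = PureWindowsPath(r"C:\Windows\System32")


def parse_event(line):
    """Split one report line into op/type/key/value/process; value is None for reads."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised registry event: {line!r}")
    ev = m.groupdict()
    if ev["value"] is not None:
        ev["value"] = ev["value"].replace("\\\\", "\\")  # undo the report's backslash escaping
    return ev


def hive_of(key):
    """Map the native \\REGISTRY\\MACHINE / \\REGISTRY\\USER prefix to HKLM / HKU."""
    root = key.split("\\")[2].upper()
    return {"MACHINE": "HKLM", "USER": "HKU"}.get(root, root)


def evaluate(lines):
    """Return findings for the writes that matter: UAC switched off, autorun added."""
    findings = []
    for ev in map(parse_event, lines):
        if not ev["op"].startswith("Set value"):
            continue  # reads of EnableLUA are reconnaissance, not a change
        key_l = ev["key"].lower()
        base = {"process": ev["process"], "hive": hive_of(ev["key"]), "key": ev["key"], "value": ev["value"]}
        if key_l.endswith("\\policies\\system\\enablelua") and ev["value"] == "0":
            findings.append({"rule": "uac_disabled", **base})
        if "\\currentversion\\run\\" in key_l:
            findings.append({"rule": "autorun_added", **base})
            target = PureWindowsPath(ev["value"])
            # Same file name as a System32 binary but a different directory: masquerading.
            if target.name.lower() in SYSTEM32_NAMES and target.parent != SYSTEM32_DIR:
                findings.append({"rule": "masquerading_autorun", **base,
                                 "note": f"{target.name} belongs in {SYSTEM32_DIR}, not {target.parent}"})
    return findings


if __name__ == "__main__":
    for f in evaluate(REPORT_REGISTRY_EVENTS):
        print(f["rule"], f["hive"], f["key"], f["value"], f.get("note", ""))
```

Run against the report's four lines it yields three findings, all attributed to winlogon.exe: uac_disabled for the EnableLUA write, autorun_added for the Run value, and masquerading_autorun because C:\Windows\winlogon.exe carries a System32 name from the wrong directory. The two "Key value queried" lines are deliberately not findings on their own.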
Processes
-
PID 2292  C:\Users\Admin\AppData\Local\Temp\09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID 2668  C:\Users\Admin\AppData\Local\Temp\09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe  (depth 2, child of 2292)
    Command line: C:\Users\Admin\AppData\Local\Temp\09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID 2056  C:\Windows\winlogon.exe  (depth 3, child of 2668)
      Command line: "C:\Windows\winlogon.exe" \melt "C:\Users\Admin\AppData\Local\Temp\09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID 1508  C:\Windows\winlogon.exe  (depth 4, child of 2056)
        Command line: C:\Windows\winlogon.exe \melt C:\Users\Admin\AppData\Local\Temp\09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe
        - UAC bypass
        - Deletes itself
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - System policy modification
-
PID 2740  C:\Windows\system32\vssvc.exe  (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Reading the tree: 2292 starts a second copy of itself (2668), writes into it and replaces its thread context. 2668 is the copy that queries EnableLUA, drops C:\Windows\winlogon.exe and launches it with a \melt argument carrying the path of the original sample. 2056 repeats the same self-injection into 1508, and 1508 is where the persistent changes land: EnableLUA set to 0, the Run key, SetWindowsHookEx, and the Deletes itself flag, consistent with the dropped copy removing the original dropper named in \melt. vssvc.exe is the Volume Shadow Copy service started through the COM API and is not a child of the sample.
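Added example, not part of the report: Python that parses the SetThreadContext, WriteProcessMemory and ModiLoader Second Stage records in the report's notation, reconstructs the chain of control from the original sample to the final winlogon.exe copy, and picks out the parent/child pairs that have the process-hollowing shape (same image, parent writes into the child and replaces its thread context). The records are the report's own, retyped as constructed sample input with the WriteProcessMemory repeat counts restored; the function names and the hollowing heuristic are the example's assumptions.

```python
import re
from collections import defaultdict

# Records from the report's SetThreadContext, WriteProcessMemory and ModiLoader
# Second Stage tables, retyped in the report's notation as constructed sample input.
SAMPLE = "09a32979c530c80cb87f56d7eeda2c0b_JaffaCakes118.exe"
SET_THREAD_CONTEXT = [
    f"PID 2292 set thread context of 2668 2292 {SAMPLE} {SAMPLE}",
    "PID 2056 set thread context of 1508 2056 winlogon.exe winlogon.exe",
]
WRITE_PROCESS_MEMORY = (
    [f"PID 2292 wrote to memory of 2668 2292 {SAMPLE} {SAMPLE}"] * 6
    + [f"PID 2668 wrote to memory of 2056 2668 {SAMPLE} winlogon.exe"] * 4
    + ["PID 2056 wrote to memory of 1508 2056 winlogon.exe winlogon.exe"] * 6
)
MEMORY_HITS = [
    "behavioral1/memory/2292-14-0x0000000020000000-0x00000000201E2000-memory.dmp modiloader_stage2",
    "behavioral1/memory/2668-17-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2",
    "behavioral1/memory/2056-39-0x0000000020001000-0x0000000020003000-memory.dmp modiloader_stage2",
    "behavioral1/memory/2056-47-0x0000000020000000-0x00000000201E2000-memory.dmp modiloader_stage2",
    "behavioral1/memory/1508-51-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2",
    "behavioral1/memory/2668-13-0x0000000000400000-0x0000000000450000-memory.dmp upx",
    "behavioral1/memory/1508-43-0x0000000000400000-0x0000000000450000-memory.dmp upx",
]

# "PID <src> <verb> <dst> <src again> <src image> <dst image>"
EDGE_RE = re.compile(r"^PID (\d+) (?:set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)$")
# "behavioral1/memory/<pid>-<n>-0x<base>-0x<end>-memory.dmp <rule>"
DUMP_RE = re.compile(r"^behavioral\d+/memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\w+)$")


def parse_edges(lines):
    """(src_pid, dst_pid, src_image, dst_image) per distinct record, first-seen order."""
    edges = []
    for line in lines:
        m = EDGE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised record: {line!r}")
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge not in edges:
            edges.append(edge)
    return edges


def hollowing_pairs(ctx_lines, wpm_lines):
    """Parent writes into a child running the same image and then replaces the
    child's thread context: the RunPE / process-hollowing shape.
    Returns sorted (parent_pid, child_pid, image) triples."""
    writes = {(src, dst) for src, dst, _, _ in parse_edges(wpm_lines)}
    return sorted(
        (src, dst, src_img)
        for src, dst, src_img, dst_img in parse_edges(ctx_lines)
        if src_img == dst_img and (src, dst) in writes
    )


def injection_chain(wpm_lines, root_pid):
    """Follow wrote-to-memory edges from the root to list the hand-off of control."""
    children = defaultdict(list)
    for src, dst, _, _ in parse_edges(wpm_lines):
        children[src].append(dst)
    chain, pid = [root_pid], root_pid
    while children[pid]:
        pid = children[pid][0]  # every parent in this report has exactly one target
        chain.append(pid)
    return chain


def stage2_regions(dump_lines):
    """Per PID, the (base, size) ranges where the modiloader_stage2 rule matched."""
    regions = defaultdict(set)
    for line in dump_lines:
        m = DUMP_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised dump name: {line!r}")
        pid, base, end, rule = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16), m.group(4)
        if rule == "modiloader_stage2":
            regions[pid].add((base, end - base))
    return {pid: sorted(ranges) for pid, ranges in regions.items()}


if __name__ == "__main__":
    print("chain:", " -> ".join(map(str, injection_chain(WRITE_PROCESS_MEMORY, 2292))))
    for parent, child, image in hollowing_pairs(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY):
        print(f"hollowing: {parent} -> {child} ({image})")
    for pid, ranges in sorted(stage2_regions(MEMORY_HITS).items()):
        print(pid, ", ".join(f"0x{base:08X}+0x{size:X}" for base, size in ranges))
```

The chain comes out as 2292 -> 2668 -> 2056 -> 1508, with 2292/2668 and 2056/1508 as the two hollowed pairs; the 2668 -> 2056 hop is a plain spawn of a different image with writes but no context replacement. The region view shows the same picture from memory: a 0x1E2000-byte mapping at 0x20000000 in each parent and the 0x00400000 image range (0x50000 bytes) in each hollowed child.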
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)