Analysis
- max time kernel: 140s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 20-06-2024 18:15
Static task: static1
Behavioral task: behavioral1
- Sample: 088f96da0ea3e133d21f7a688343cb55_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 088f96da0ea3e133d21f7a688343cb55_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
The signatures and process tree below are from behavioral1 (win7-20231129-en); the PIDs quoted belong to that run.
General
- Target: 088f96da0ea3e133d21f7a688343cb55_JaffaCakes118.exe
- Size: 768KB
- MD5: 088f96da0ea3e133d21f7a688343cb55
- SHA1: 58b72da06274150851534394c395844a2e38b7ac
- SHA256: 03691a29229b13311064b1244ed3f15236410d0e073d854bda6e568f74788cd7
- SHA512: 1ba8d584871a9a36b8dc17bb61c8d6ec17b0f534580b18351db087295fd5e0e42d4eed3d1d4e6d9dea59a588a4ab82738cf1e4ff0240f395d446ac6d1e4e5e64
- SSDEEP: 24576:tOOauuf6iLF6KhLuoTC4QGFsR9PNmIXCL:LtuSE0OB23GFUVohL
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that abuses legitimate cloud file-hosting services to fetch its next-stage payloads, which belong to other malware families.
- ModiLoader Second Stage (1 IoC)
  Resource: behavioral1/memory/1696-18-0x0000000000400000-0x00000000004C2000-memory.dmp
  YARA rule: modiloader_stage2
  The match is on the 0x00400000-0x004C2000 region dumped from PID 1696 (61538 PM.exe). 0x00400000 is the default image base of a 32-bit PE, so this is consistent with the loaded image of the dropped executable rather than a separately injected buffer.
- Executes dropped EXE (1 IoC)
  PID 1696, 61538 PM.exe
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\FieleWay.txt by PID 1696, 61538 PM.exe
  SysWOW64 is the 32-bit system directory on x64 Windows; a 32-bit process that opens C:\Windows\System32\... is silently redirected there by WOW64 file-system redirection, so when hunting for this marker file check both System32 and SysWOW64.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 1696, 61538 PM.exe
- Suspicious behavior: MapViewOfSection (21 IoCs)
  All 21 events: PID 1696, 61538 PM.exe
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  PID 1684, 088f96da0ea3e133d21f7a688343cb55_JaffaCakes118.exe: SeSystemtimePrivilege (4 events)
  PID 1696, 61538 PM.exe: SeDebugPrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeChangeNotifyPrivilege
  SeDebugPrivilege is the one that matters for the WriteProcessMemory entries below: once enabled, it lets the process open other processes, including SYSTEM-owned ones, with write access regardless of their security descriptor. The sandbox runs the sample as the Admin user, so the privilege is present in the token and can be enabled.
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1684, 088f96da0ea3e133d21f7a688343cb55_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Source PID / process -> target PID / process (event count):
  1684 088f96da0ea3e133d21f7a688343cb55_JaffaCakes118.exe -> 1696 61538 PM.exe (4)
  1696 61538 PM.exe -> 388 wininit.exe (5)
  1696 61538 PM.exe -> 400 csrss.exe (5)
  1696 61538 PM.exe -> 436 winlogon.exe (5)
  1696 61538 PM.exe -> 484 services.exe (5)
  1696 61538 PM.exe -> 492 lsass.exe (5)
  1696 61538 PM.exe -> 500 lsm.exe (5)
  1696 61538 PM.exe -> 592 svchost.exe (5)
  1696 61538 PM.exe -> 668 svchost.exe (5)
  1696 61538 PM.exe -> 736 svchost.exe (5)
  1696 61538 PM.exe -> 808 svchost.exe (5)
  1696 61538 PM.exe -> 856 svchost.exe (5)
  1696 61538 PM.exe -> 988 svchost.exe (5)
  The four writes from the sample (1684) into its own child (1696) are the parent-to-child pattern; the dropped 61538 PM.exe then writes into every core system process in the tree, in PID order. The report stops at 64 entries, so the remaining svchost.exe instances and the other processes in the tree (300, 340, 1020, 1232, 1324, 1356, 2160, 2360) may also have been targeted without appearing here.
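The fan-out above is the detectable shape of this behavior: one freshly dropped binary outside C:\Windows writing into many processes it did not create. The following is an added example, not part of the sandbox report or of the ModiLoader sample: it re-parses the report's own "wrote to memory of" lines (constructed below, one line per distinct pair), maps PIDs to the image paths from the report's process tree, and scores each writer. The CRITICAL set, the threshold of three targets and the verdict labels are this example's own choices.

```python
"""Score WriteProcessMemory fan-out from sandbox "wrote to memory of" lines.

Added example (not the report's or the sample's code).  PROCESS_IMAGES and
PARENTS are copied from the report's process tree; EVENTS is constructed
from its WriteProcessMemory entries; thresholds and labels are assumptions.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Core system processes a dropped executable has no business writing into.
CRITICAL = {"wininit.exe", "csrss.exe", "winlogon.exe", "services.exe",
            "lsass.exe", "lsm.exe", "svchost.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# PID -> image path, from the report's process tree (behavioral1).
PROCESS_IMAGES = {
    388: r"C:\Windows\system32\wininit.exe",
    400: r"C:\Windows\system32\csrss.exe",
    436: r"C:\Windows\system32\winlogon.exe",
    484: r"C:\Windows\system32\services.exe",
    492: r"C:\Windows\system32\lsass.exe",
    500: r"C:\Windows\system32\lsm.exe",
    592: r"C:\Windows\system32\svchost.exe",
    668: r"C:\Windows\system32\svchost.exe",
    736: r"C:\Windows\System32\svchost.exe",
    808: r"C:\Windows\System32\svchost.exe",
    856: r"C:\Windows\system32\svchost.exe",
    988: r"C:\Windows\system32\svchost.exe",
    1684: r"C:\Users\Admin\AppData\Local\Temp\088f96da0ea3e133d21f7a688343cb55_JaffaCakes118.exe",
    1696: r"C:\61538 PM.exe",
}
# Child PID -> parent PID, from the same tree (sample launched under Explorer).
PARENTS = {1684: 1356, 1696: 1684}

# Constructed from the report: one line per distinct (source, target) pair.
# The report repeats each pair four or five times; duplicates are harmless.
EVENTS = """\
PID 1684 wrote to memory of 1696 1684 088f96da0ea3e133d21f7a688343cb55_JaffaCakes118.exe 61538 PM.exe
PID 1696 wrote to memory of 388 1696 61538 PM.exe wininit.exe
PID 1696 wrote to memory of 400 1696 61538 PM.exe csrss.exe
PID 1696 wrote to memory of 436 1696 61538 PM.exe winlogon.exe
PID 1696 wrote to memory of 484 1696 61538 PM.exe services.exe
PID 1696 wrote to memory of 492 1696 61538 PM.exe lsass.exe
PID 1696 wrote to memory of 500 1696 61538 PM.exe lsm.exe
PID 1696 wrote to memory of 592 1696 61538 PM.exe svchost.exe
PID 1696 wrote to memory of 668 1696 61538 PM.exe svchost.exe
PID 1696 wrote to memory of 736 1696 61538 PM.exe svchost.exe
PID 1696 wrote to memory of 808 1696 61538 PM.exe svchost.exe
PID 1696 wrote to memory of 856 1696 61538 PM.exe svchost.exe
PID 1696 wrote to memory of 988 1696 61538 PM.exe svchost.exe
"""

# Process names may contain spaces ("61538 PM.exe"), so only the two PIDs at
# the front of each line are parsed; names are resolved via PROCESS_IMAGES.
EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\b")


def parse_events(text):
    """Return the set of distinct (writer_pid, target_pid) pairs."""
    pairs = set()
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            pairs.add((int(m.group(1)), int(m.group(2))))
    return pairs


def is_critical_image(path):
    """True for a CRITICAL binary that lives in System32 or SysWOW64."""
    p = PureWindowsPath(path)
    return str(p.parent).lower() in SYSTEM_DIRS and p.name.lower() in CRITICAL


def analyze(text, images=PROCESS_IMAGES, parents=PARENTS):
    """Group writes by writer PID and assign a verdict to each writer."""
    targets = defaultdict(set)
    for src, dst in parse_events(text):
        targets[src].add(dst)

    findings = {}
    for src, dsts in targets.items():
        critical = sorted(d for d in dsts if is_critical_image(images.get(d, "")))
        # Writes into a process the writer did not spawn itself.
        foreign = sorted(d for d in dsts if parents.get(d) != src)
        if len(critical) >= 3:
            verdict = "high"    # fan-out into core system processes
        elif foreign:
            verdict = "medium"  # cross-process write into an unrelated PID
        else:
            verdict = "info"    # parent writing into its own child; hollowing
                                # looks like this too, so pair with thread events
        findings[src] = {
            "image": images.get(src, "?"),
            "targets": sorted(dsts),
            "critical_targets": critical,
            "foreign_targets": foreign,
            "verdict": verdict,
        }
    return findings


if __name__ == "__main__":
    for pid, f in sorted(analyze(EVENTS).items()):
        print(f"{f['verdict']:6} PID {pid} {f['image']} -> "
              f"{len(f['critical_targets'])} critical of {len(f['targets'])} targets")
```

Run against the report's entries this yields "info" for the sample (1684 writes only into the child it spawned) and "high" for 61538 PM.exe (twelve distinct core system processes). The parent-to-child case is deliberately not dismissed: process hollowing produces the same parent-to-child write, so on a real host that verdict should be joined with SetThreadContext/ResumeThread telemetry before being closed out.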
Processes
- C:\Windows\system32\wininit.exe (PID 388), cmd: wininit.exe
  - C:\Windows\system32\services.exe (PID 484), cmd: C:\Windows\system32\services.exe
    - C:\Windows\system32\svchost.exe (PID 592), cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
    - C:\Windows\system32\svchost.exe (PID 668), cmd: C:\Windows\system32\svchost.exe -k RPCSS
    - C:\Windows\System32\svchost.exe (PID 736), cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    - C:\Windows\System32\svchost.exe (PID 808), cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      - C:\Windows\system32\Dwm.exe (PID 1324), cmd: "C:\Windows\system32\Dwm.exe"
    - C:\Windows\system32\svchost.exe (PID 856), cmd: C:\Windows\system32\svchost.exe -k netsvcs
    - C:\Windows\system32\svchost.exe (PID 988), cmd: C:\Windows\system32\svchost.exe -k LocalService
    - C:\Windows\system32\svchost.exe (PID 300), cmd: C:\Windows\system32\svchost.exe -k NetworkService
    - C:\Windows\System32\spoolsv.exe (PID 1020), cmd: C:\Windows\System32\spoolsv.exe
    - C:\Windows\system32\svchost.exe (PID 340), cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    - C:\Windows\system32\taskhost.exe (PID 1232), cmd: "taskhost.exe"
    - C:\Windows\system32\svchost.exe (PID 2360), cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    - C:\Windows\system32\sppsvc.exe (PID 2160), cmd: C:\Windows\system32\sppsvc.exe
  - C:\Windows\system32\lsass.exe (PID 492), cmd: C:\Windows\system32\lsass.exe
  - C:\Windows\system32\lsm.exe (PID 500), cmd: C:\Windows\system32\lsm.exe
- C:\Windows\system32\csrss.exe (PID 400), cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- C:\Windows\system32\winlogon.exe (PID 436), cmd: winlogon.exe
- C:\Windows\Explorer.EXE (PID 1356), cmd: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\088f96da0ea3e133d21f7a688343cb55_JaffaCakes118.exe (PID 1684), cmd: "C:\Users\Admin\AppData\Local\Temp\088f96da0ea3e133d21f7a688343cb55_JaffaCakes118.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\61538 PM.exe (PID 1696), cmd: "C:\61538 PM.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 724KB
  MD5: f79e3f6362341b72df91556204bf96f4
  SHA1: a685ed0d50e847f0170c6f312c38894695564450
  SHA256: 80420bcb88bf82c7add9e7418662f558d70a090347cc4ad3ab0af5a6f5b3a09c
  SHA512: 28b7994a80baa3d03a91002a73ef13ec47f6b4c919a85ba113a524717e0e28af396d1c1f74b14aaf823717539bffb1e09206814b9438ae5313939b9232cf8024