Analysis
-
max time kernel
147s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
20-06-2024 19:18
Behavioral task
behavioral1
Sample
09064c3bbdf291a2f85c1a049d8bd9df_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
09064c3bbdf291a2f85c1a049d8bd9df_JaffaCakes118.exe
Resource
win10v2004-20240611-en
General
-
Target
09064c3bbdf291a2f85c1a049d8bd9df_JaffaCakes118.exe
-
Size
572KB
-
MD5
09064c3bbdf291a2f85c1a049d8bd9df
-
SHA1
320eacbd12d6f117885364bd64f1f9e9f99b54b2
-
SHA256
da42c9b97c23142f2d08d9d042995a69a687c2d18019d0c21c53ed683f618f10
-
SHA512
726d73dbe57fd33bcc47e499b348ddafdfd5b20b504d51274ca906ba1054d91db355438667e86d8c4342b9ec09fdcbb8ff5d8a9272e9cd9c1e5810f88a670fe6
-
SSDEEP
12288:pr7xS2Vp6FwTDAbJJvH2oSnSt7KqnGHbq:zS2Vp6FwTWJvHJt7AHb
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Processes:
mstwain32.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
ModiLoader Second Stage 9 IoCs
Processes:
resource yara_rule behavioral1/memory/2424-0-0x0000000000400000-0x0000000000491000-memory.dmp modiloader_stage2 C:\Windows\mstwain32.exe modiloader_stage2 behavioral1/memory/2424-8-0x00000000039C0000-0x0000000003A51000-memory.dmp modiloader_stage2 behavioral1/memory/2504-12-0x0000000000400000-0x0000000000491000-memory.dmp modiloader_stage2 behavioral1/memory/2424-13-0x0000000000400000-0x0000000000491000-memory.dmp modiloader_stage2 behavioral1/memory/2504-21-0x0000000076010000-0x0000000076100000-memory.dmp modiloader_stage2 behavioral1/memory/2504-24-0x0000000000400000-0x0000000000491000-memory.dmp modiloader_stage2 behavioral1/memory/2504-27-0x0000000076010000-0x0000000076100000-memory.dmp modiloader_stage2 behavioral1/memory/2504-28-0x0000000076010000-0x0000000076100000-memory.dmp modiloader_stage2 -
Executes dropped EXE 1 IoCs
Processes:
mstwain32.exepid process 2504 mstwain32.exe -
Processes:
resource yara_rule behavioral1/memory/2424-0-0x0000000000400000-0x0000000000491000-memory.dmp upx C:\Windows\mstwain32.exe upx behavioral1/memory/2424-8-0x00000000039C0000-0x0000000003A51000-memory.dmp upx behavioral1/memory/2504-12-0x0000000000400000-0x0000000000491000-memory.dmp upx behavioral1/memory/2424-13-0x0000000000400000-0x0000000000491000-memory.dmp upx behavioral1/memory/2504-21-0x0000000076010000-0x0000000076100000-memory.dmp upx behavioral1/memory/2504-24-0x0000000000400000-0x0000000000491000-memory.dmp upx behavioral1/memory/2504-27-0x0000000076010000-0x0000000076100000-memory.dmp upx behavioral1/memory/2504-28-0x0000000076010000-0x0000000076100000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
mstwain32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe" mstwain32.exe -
Processes:
09064c3bbdf291a2f85c1a049d8bd9df_JaffaCakes118.exemstwain32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 09064c3bbdf291a2f85c1a049d8bd9df_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mstwain32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
Drops file in Windows directory 4 IoCs
Processes:
mstwain32.exe09064c3bbdf291a2f85c1a049d8bd9df_JaffaCakes118.exedescription ioc process File created C:\Windows\cmsetac.dll mstwain32.exe File created C:\Windows\mstwain32.exe 09064c3bbdf291a2f85c1a049d8bd9df_JaffaCakes118.exe File opened for modification C:\Windows\mstwain32.exe 09064c3bbdf291a2f85c1a049d8bd9df_JaffaCakes118.exe File created C:\Windows\ntdtcstp.dll mstwain32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
09064c3bbdf291a2f85c1a049d8bd9df_JaffaCakes118.exevssvc.exemstwain32.exedescription pid process Token: SeDebugPrivilege 2424 09064c3bbdf291a2f85c1a049d8bd9df_JaffaCakes118.exe Token: SeBackupPrivilege 3056 vssvc.exe Token: SeRestorePrivilege 3056 vssvc.exe Token: SeAuditPrivilege 3056 vssvc.exe Token: SeDebugPrivilege 2504 mstwain32.exe Token: SeDebugPrivilege 2504 mstwain32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
mstwain32.exepid process 2504 mstwain32.exe 2504 mstwain32.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
09064c3bbdf291a2f85c1a049d8bd9df_JaffaCakes118.exedescription pid process target process PID 2424 wrote to memory of 2504 2424 09064c3bbdf291a2f85c1a049d8bd9df_JaffaCakes118.exe mstwain32.exe PID 2424 wrote to memory of 2504 2424 09064c3bbdf291a2f85c1a049d8bd9df_JaffaCakes118.exe mstwain32.exe PID 2424 wrote to memory of 2504 2424 09064c3bbdf291a2f85c1a049d8bd9df_JaffaCakes118.exe mstwain32.exe PID 2424 wrote to memory of 2504 2424 09064c3bbdf291a2f85c1a049d8bd9df_JaffaCakes118.exe mstwain32.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
mstwain32.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\09064c3bbdf291a2f85c1a049d8bd9df_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\09064c3bbdf291a2f85c1a049d8bd9df_JaffaCakes118.exe"1⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\mstwain32.exe"C:\Windows\mstwain32.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2504
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3056
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
572KB
MD509064c3bbdf291a2f85c1a049d8bd9df
SHA1320eacbd12d6f117885364bd64f1f9e9f99b54b2
SHA256da42c9b97c23142f2d08d9d042995a69a687c2d18019d0c21c53ed683f618f10
SHA512726d73dbe57fd33bcc47e499b348ddafdfd5b20b504d51274ca906ba1054d91db355438667e86d8c4342b9ec09fdcbb8ff5d8a9272e9cd9c1e5810f88a670fe6