Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
25/06/2024, 02:39
General
-
Target
0c18f1d5de9f1ab42a589a42cb896b47_JaffaCakes118.exe
-
Size
308KB
-
MD5
0c18f1d5de9f1ab42a589a42cb896b47
-
SHA1
cd08a0658ff67e5f9a3d46aa4b3def6723d44daa
-
SHA256
db21ac534c69e06f52c0472f166c5dff008e424925fafff2cbbb588ff1eb9ebc
-
SHA512
77c52995cecdec5ba68d70f9665603c130152770664afcd5113d218d8b41e06ab843fa742a9486daf54be44e7f14c7d4c8408c199e967c8987ea24d7857aff58
-
SSDEEP
6144:eWUpnrzmyFbWaIgBzbl9CsTxs6+qtBeDjavM3BJ5SozZl:qZnmyFbWvgVb3CsF/+qtBeDjavM3BJ5T
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
UAC bypass 3 TTPs 1 IoCs
-
ModiLoader Second Stage 18 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 19 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0c18f1d5de9f1ab42a589a42cb896b47_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0c18f1d5de9f1ab42a589a42cb896b47_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\579.exeC:\Users\Admin\AppData\Local\Temp\579.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\mstwain32.exe"C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\579.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
108KB
MD56e7293ddc25d207e12fdb99d803ee1d9
SHA1375315b2fbd7ea4c0176e12b64d6b7cd0962685b
SHA256ddb96f3f81d7ec2c29cf08f79ded45c3596febbfc26448dddf6a64c9625bf9f4
SHA51275c33e0c90f5cf68e5bea9bd3f9c419bd70f2dbdfc26398f75d11a767f727025abe79fe210817c44c3e8955097971e0bdf2c7194e14fff7ff11cab60a199991c
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
320KB
-
Filesize
960KB
-
Filesize
4KB
-
Filesize
320KB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
960KB
-
Filesize
320KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
960KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB