Analysis

  • max time kernel
    147s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    04/07/2024, 05:16

General

  • Target

    24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe

  • Size

    127KB

  • MD5

    24c1c64d7bc92f3ce2012d0ee1cdf7e3

  • SHA1

    39bfa0abaf6a2443d9f125a48b1f0bb93c8ab2c2

  • SHA256

    981ec3cacbb793db43a339bba424824595758d1d5d9237fe2b32dd84e7cdd726

  • SHA512

    ecab511bda2dd70df8d346998c93984241d817961e43cc3d3acdad5d6dd0251cf62575e41b4128fa4f33aecec1e594249d73a1bc4e1d32f165d2ba12d4a3bad5

  • SSDEEP

    3072:xG1PI3bAwBqsYaaB7h1TmjdjoMIipsNUdwpslJfmMC:tpqN99h1TmxjR5I7slJfmMC

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • UAC bypass 3 TTPs 1 IoCs
  • ModiLoader Second Stage 4 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Users\Admin\AppData\Local\Temp\24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe
      2⤵
      • UAC bypass
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2368
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2120

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\cmsetac.dll

    Filesize

    32KB

    MD5

    4055398efbd17ee58472f4cce91cceee

    SHA1

    ddab5dbb06a026d994e36a28c09a1eb8b8f2886c

    SHA256

    6168316980dd3eebfdcdd977da2a2fb65ac479357380127ce700bec2130e4ba4

    SHA512

    d0c874a641c37e9932ccf08828ca1191eb3b999ccbb6247d851eb0ba8b51ed498bafb091f21604012fa60d7becf1add8491028275070db71d18b0f34ac49c5dc

  • \Users\Admin\AppData\Local\Temp\ntdtcstp.dll

    Filesize

    7KB

    MD5

    67587e25a971a141628d7f07bd40ffa0

    SHA1

    76fcd014539a3bb247cc0b761225f68bd6055f6b

    SHA256

    e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

    SHA512

    6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

  • memory/2368-12-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/2368-5-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/2368-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2368-2-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/2368-8-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/2368-9-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/2368-10-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/2368-11-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

  • memory/2368-30-0x0000000076CE0000-0x0000000076DD0000-memory.dmp

    Filesize

    960KB

  • memory/2368-27-0x0000000076CE0000-0x0000000076DD0000-memory.dmp

    Filesize

    960KB

  • memory/2368-24-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/2368-18-0x0000000002810000-0x000000000281E000-memory.dmp

    Filesize

    56KB

  • memory/2368-20-0x0000000076CF0000-0x0000000076CF1000-memory.dmp

    Filesize

    4KB

  • memory/2368-21-0x0000000076CE0000-0x0000000076DD0000-memory.dmp

    Filesize

    960KB

  • memory/2368-23-0x0000000002810000-0x000000000281E000-memory.dmp

    Filesize

    56KB

  • memory/2368-22-0x0000000000370000-0x0000000000378000-memory.dmp

    Filesize

    32KB

  • memory/2924-1-0x0000000000220000-0x0000000000224000-memory.dmp

    Filesize

    16KB

  • memory/2924-6-0x0000000000600000-0x0000000000604000-memory.dmp

    Filesize

    16KB

  • memory/2924-0-0x0000000000600000-0x0000000000604000-memory.dmp

    Filesize

    16KB