Analysis
max time kernel: 147s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04/07/2024, 05:16
Static task: static1
Behavioral task: behavioral1
  Sample: 24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe
Size: 127KB
MD5: 24c1c64d7bc92f3ce2012d0ee1cdf7e3
SHA1: 39bfa0abaf6a2443d9f125a48b1f0bb93c8ab2c2
SHA256: 981ec3cacbb793db43a339bba424824595758d1d5d9237fe2b32dd84e7cdd726
SHA512: ecab511bda2dd70df8d346998c93984241d817961e43cc3d3acdad5d6dd0251cf62575e41b4128fa4f33aecec1e594249d73a1bc4e1d32f165d2ba12d4a3bad5
SSDEEP: 3072:xG1PI3bAwBqsYaaB7h1TmjdjoMIipsNUdwpslJfmMC:tpqN99h1TmxjR5I7slJfmMC
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe

ModiLoader Second Stage 4 IoCs
resource | yara_rule
behavioral1/memory/2368-9-0x0000000000400000-0x0000000000452000-memory.dmp | modiloader_stage2
behavioral1/memory/2368-10-0x0000000000400000-0x0000000000452000-memory.dmp | modiloader_stage2
behavioral1/memory/2368-12-0x0000000000400000-0x0000000000452000-memory.dmp | modiloader_stage2
behavioral1/memory/2368-24-0x0000000000400000-0x0000000000452000-memory.dmp | modiloader_stage2

Loads dropped DLL 2 IoCs
pid | Process
2368 | 24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe
2368 | 24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe

resource | yara_rule
behavioral1/memory/2368-5-0x0000000000400000-0x0000000000452000-memory.dmp | upx
behavioral1/memory/2368-8-0x0000000000400000-0x0000000000452000-memory.dmp | upx
behavioral1/memory/2368-9-0x0000000000400000-0x0000000000452000-memory.dmp | upx
behavioral1/memory/2368-10-0x0000000000400000-0x0000000000452000-memory.dmp | upx
behavioral1/memory/2368-12-0x0000000000400000-0x0000000000452000-memory.dmp | upx
behavioral1/memory/2368-24-0x0000000000400000-0x0000000000452000-memory.dmp | upx

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2924 set thread context of 2368 | 2924 | 24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe | 28

Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2368 | 24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe
Token: SeBackupPrivilege | 2120 | vssvc.exe
Token: SeRestorePrivilege | 2120 | vssvc.exe
Token: SeAuditPrivilege | 2120 | vssvc.exe
Token: SeDebugPrivilege | 2368 | 24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2368 | 24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe
2368 | 24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 2924 wrote to memory of 2368 | 2924 | 24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe | 28
PID 2924 wrote to memory of 2368 | 2924 | 24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe | 28
PID 2924 wrote to memory of 2368 | 2924 | 24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe | 28
PID 2924 wrote to memory of 2368 | 2924 | 24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe | 28
PID 2924 wrote to memory of 2368 | 2924 | 24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe | 28
PID 2924 wrote to memory of 2368 | 2924 | 24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe | 28

System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe"
  PID: 2924
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\24c1c64d7bc92f3ce2012d0ee1cdf7e3_JaffaCakes118.exe
      PID: 2368
      - UAC bypass
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - System policy modification
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2120
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 32KB
MD5: 4055398efbd17ee58472f4cce91cceee
SHA1: ddab5dbb06a026d994e36a28c09a1eb8b8f2886c
SHA256: 6168316980dd3eebfdcdd977da2a2fb65ac479357380127ce700bec2130e4ba4
SHA512: d0c874a641c37e9932ccf08828ca1191eb3b999ccbb6247d851eb0ba8b51ed498bafb091f21604012fa60d7becf1add8491028275070db71d18b0f34ac49c5dc

Filesize: 7KB
MD5: 67587e25a971a141628d7f07bd40ffa0
SHA1: 76fcd014539a3bb247cc0b761225f68bd6055f6b
SHA256: e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
SHA512: 6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350