Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-07-2024 18:31
Static task: static1
Behavioral task: behavioral1
  Sample: 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General
Target: 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
Size: 735KB
MD5: 7539ca162020130ad84e83ff3029dbd2
SHA1: a877e4bb37ad1e929f9b3740e5e6c5a6451211a4
SHA256: 8afb877b0e356b29e82377ab5ca9dffaeffba6fb5695cd2c427f6643e0a2a9ef
SHA512: 2ca2608b21908e9509a2e7a50d4ee3e0dcc0159c7612a96b8c8d90199d4c60ee50cdc9e5ace3b577fff86cb9edef5e5cacc3a1f71ad0919bb309d4a69770e0d4
SSDEEP: 12288:Xo7YNQOX4WioPJicryGBWECToJ/FVsZHe9HOobmqMrUARtvp62DrcPeAnPaPaT:YwQ16icoECO8Z+9HOobmNrUKxF6BgO
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

UAC bypass 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe
ModiLoader Second Stage 19 IoCs
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
Executes dropped EXE 2 IoCs
Processes:
pid | process
4504 | services.exe
908 | services.exe
Loads dropped DLL 4 IoCs
Processes:
pid | process
908 | services.exe
908 | services.exe
908 | services.exe
908 | services.exe
UPX packed memory regions (YARA rule upx) 22 IoCs
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\services.exe" | services.exe
Checks whether UAC is enabled 3 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | services.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target process
PID 3936 set thread context of 4576 | 3936 | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
PID 4504 set thread context of 908 | 4504 | services.exe | services.exe
Drops file in Windows directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\services.exe | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
File created | C:\Windows\ntdtcstp.dll | services.exe
File created | C:\Windows\cmsetac.dll | services.exe
File created | C:\Windows\services.exe | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | services.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | services.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4576 | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
Token: SeBackupPrivilege | 1364 | vssvc.exe
Token: SeRestorePrivilege | 1364 | vssvc.exe
Token: SeAuditPrivilege | 1364 | vssvc.exe
Token: SeDebugPrivilege | 908 | services.exe
Token: SeDebugPrivilege | 908 | services.exe
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid | process
3936 | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
3936 | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
4504 | services.exe
4504 | services.exe
908 | services.exe
908 | services.exe
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
description | pid | process | target process
PID 3936 wrote to memory of 4576 | 3936 | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
PID 3936 wrote to memory of 4576 | 3936 | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
PID 3936 wrote to memory of 4576 | 3936 | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
PID 3936 wrote to memory of 4576 | 3936 | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
PID 3936 wrote to memory of 4576 | 3936 | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
PID 3936 wrote to memory of 4576 | 3936 | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
PID 3936 wrote to memory of 4576 | 3936 | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
PID 3936 wrote to memory of 4576 | 3936 | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
PID 4576 wrote to memory of 4504 | 4576 | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe | services.exe
PID 4576 wrote to memory of 4504 | 4576 | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe | services.exe
PID 4576 wrote to memory of 4504 | 4576 | 7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe | services.exe
PID 4504 wrote to memory of 908 | 4504 | services.exe | services.exe
PID 4504 wrote to memory of 908 | 4504 | services.exe | services.exe
PID 4504 wrote to memory of 908 | 4504 | services.exe | services.exe
PID 4504 wrote to memory of 908 | 4504 | services.exe | services.exe
PID 4504 wrote to memory of 908 | 4504 | services.exe | services.exe
PID 4504 wrote to memory of 908 | 4504 | services.exe | services.exe
PID 4504 wrote to memory of 908 | 4504 | services.exe | services.exe
PID 4504 wrote to memory of 908 | 4504 | services.exe | services.exe
System policy modification 1 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe"
  PID: 3936
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
    command line: C:\Users\Admin\AppData\Local\Temp\7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
    PID: 4576
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\services.exe
      command line: "C:\Windows\services.exe"
      PID: 4504
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\services.exe
        command line: C:\Windows\services.exe
        PID: 908
        - UAC bypass
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - System policy modification
[depth 1] C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 1364
  - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (3)