Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
-
submitted
26-07-2024 18:31
General
-
Target
7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe
-
Size
735KB
-
MD5
7539ca162020130ad84e83ff3029dbd2
-
SHA1
a877e4bb37ad1e929f9b3740e5e6c5a6451211a4
-
SHA256
8afb877b0e356b29e82377ab5ca9dffaeffba6fb5695cd2c427f6643e0a2a9ef
-
SHA512
2ca2608b21908e9509a2e7a50d4ee3e0dcc0159c7612a96b8c8d90199d4c60ee50cdc9e5ace3b577fff86cb9edef5e5cacc3a1f71ad0919bb309d4a69770e0d4
-
SSDEEP
12288:Xo7YNQOX4WioPJicryGBWECToJ/FVsZHe9HOobmqMrUARtvp62DrcPeAnPaPaT:YwQ16icoECO8Z+9HOobmNrUKxF6BgO
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
UAC bypass 3 TTPs 1 IoCs
-
ModiLoader Second Stage 19 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
UPX packed file 22 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\7539ca162020130ad84e83ff3029dbd2_JaffaCakes118.exe2⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\services.exe"C:\Windows\services.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\services.exeC:\Windows\services.exe4⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
33KB
MD503b72f088ff08827946b9f11e228c76a
SHA16c54dbfe26c5b9f1dc1770f292fb168612893fb0
SHA256bbf00616e31005c1e98da5f933a570505bc2661a5ca8dfbd986961bb41bbca42
SHA512b155670aab9ce5e6d4b50d80e38b10fc62627f11f9f51c5d4eb5dcbd67555b4101d4e193be6bf0107a28aad7b2bbeab3f8292acaac9f6e0d04c0a19c2d610511
-
Filesize
7KB
MD567587e25a971a141628d7f07bd40ffa0
SHA176fcd014539a3bb247cc0b761225f68bd6055f6b
SHA256e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
SHA5126e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350
-
Filesize
735KB
MD57539ca162020130ad84e83ff3029dbd2
SHA1a877e4bb37ad1e929f9b3740e5e6c5a6451211a4
SHA2568afb877b0e356b29e82377ab5ca9dffaeffba6fb5695cd2c427f6643e0a2a9ef
SHA5122ca2608b21908e9509a2e7a50d4ee3e0dcc0159c7612a96b8c8d90199d4c60ee50cdc9e5ace3b577fff86cb9edef5e5cacc3a1f71ad0919bb309d4a69770e0d4
-
Filesize
14B
MD5e945136a18af5e6c43b8f2af886b9a50
SHA1222dfac9c1d4f2f49e4dc501f7dd8c5ff76f41db
SHA256f2d645adae42f77eb17a8a246fdcc0299f956137a728ecfdf91ae7d430a89772
SHA51273ce8d9f33fc3be4fd8090e3ae046fdb1ae7210404bdeab032a4e88e0ff989f9be2367087106c9e29be99bde68f46e0c513c3da79f5a23ecadf9d61b840b5b9e
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
56KB
-
Filesize
324KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
3.6MB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB
-
Filesize
324KB