modiloader | 9ee2e7cde7ca3f435d5f7181bd6bfc87265e0ab6bc37ac4baed7df25592d4cb9

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Size

411KB
MD5

d3ae974787cd3df37a32a50d6c6ee685
SHA1

392447bc7716ff86ebfe2b2abe98f36439ff093e
SHA256

9ee2e7cde7ca3f435d5f7181bd6bfc87265e0ab6bc37ac4baed7df25592d4cb9
SHA512

5a67e24013c3ea34fe333c696eaefd0d4974e7884093a759b978f8f60f61840e0355e50078e0b091438b3d2f7093b3c96d27c4a34e785058dd46c5d0238ec27f
SSDEEP

6144:PD+CwJPn8zetqMawiAtUTXcH1Iidwp6/amfPcZU+JrGXGkIprW8YgB/H14BcQAX6:xsnBEDiUydGp6HiKIk8Yvxz

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015cfd-5.dat	modiloader_stage2
behavioral1/memory/2092-16-0x0000000000400000-0x00000000004BC000-memory.dmp	modiloader_stage2

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVXP.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvMonXP.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVXP.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscntfy.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvMonXP.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavmonD.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwproxy.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmon.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscntfy.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avast.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmon.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwproxy.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avast.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavmonD.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe\debugger = "IFEOFILE"	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2092	qhsuc72b2008_server.exe

Loads dropped DLL 2 IoCs

pid	Process
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt	qhsuc72b2008_server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qhsuc72b2008_server.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2092	2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2092	2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2092	2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2092	2524	d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3ae974787cd3df37a32a50d6c6ee685_JaffaCakes118.exe"
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Temp\qhsuc72b2008_server.exe
  "C:\Temp\qhsuc72b2008_server.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Temp\qhsuc72b2008_server.exe

Filesize
685KB

MD5
f715f7756df044f2b534482d4ed22060

SHA1
9cab7c2bfb55726e88921a11e59cc4b45125cab7

SHA256
bbec42d4c897009cada58196afb79f940db2852bcc4a962c794cfb5730680d43

SHA512
34b197524e6250c3d63798dd8420545b6c3a80eefda9868a459fb7826976b483a9279c8960a219e5189136d82194a66ef59db976f6c576d97ae90fa2c9e91e28

Download Submit
memory/2092-16-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2092-14-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2524-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2524-13-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download