modiloader | b9760d63f70290e90850fffda2ee2eaeb56dc3b1ae9601c05eec646235f8223d

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Size

414KB
MD5

d4a25d72abc17784b36d917ee79e2b97
SHA1

faaf50b36c2f35e128df818dffcee1d9efc515be
SHA256

b9760d63f70290e90850fffda2ee2eaeb56dc3b1ae9601c05eec646235f8223d
SHA512

b1d3b8d5c9e713196b9404c7939bd35d9e63b81e7d2bb0c59d36e420da67e4b84153595b705e04a0ba2e9fbe456e6488cd27c6da468ab8f6a840db2ecc2f228f
SSDEEP

6144:ZyMPAyG+r4CctiM0Qittco4Uz2mZHO5/vM7xVaweXV8YOlvF9fTcF3ZEMa:kyG+UCctp0QOtDK0O5/vM7xVnE8ng

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016c58-5.dat	modiloader_stage2
behavioral1/memory/2004-16-0x0000000000400000-0x00000000004B9000-memory.dmp	modiloader_stage2

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavmonD.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avast.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avast.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvMonXP.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwproxy.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwproxy.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscntfy.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscntfy.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvMonXP.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmon.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVXP.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavmonD.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmon.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVXP.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\debugger = "IFEOFILE"	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2004	dmymz32008a.exe

Loads dropped DLL 2 IoCs

pid	Process
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt	dmymz32008a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dmymz32008a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2004	1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe	30
PID 1740 wrote to memory of 2004	1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe	30
PID 1740 wrote to memory of 2004	1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe	30
PID 1740 wrote to memory of 2004	1740	d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d4a25d72abc17784b36d917ee79e2b97_JaffaCakes118.exe"
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Temp\dmymz32008a.exe
  "C:\Temp\dmymz32008a.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Temp\dmymz32008a.exe

Filesize
673KB

MD5
7b189dbe5a577db50e38379debdc5681

SHA1
def708588d42e533ecf2d04a0a8b2433240d59ad

SHA256
d56b75be72ac5ad9a80648f520210c24eb828b7758863ba52b2d318687db567f

SHA512
2ed6ab2b563b170923c59fe482e5a9ac9d380ffd748ba71d61e4e3a9768ef56556154c560b6d282763f02baef8abefc6457a98a603dc799770115054f37c5450

Download Submit
memory/1740-0-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1740-13-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2004-14-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2004-16-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download