modiloader | fca7ad5c5619d248df1b82d1dc8fdc61682ea89192ce61dff70c6e3621032988

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
Size

841KB
MD5

e143087e244e6bced278e4a16f9f1445
SHA1

70c17b71957e185cd09181ac0a317135e7a797db
SHA256

fca7ad5c5619d248df1b82d1dc8fdc61682ea89192ce61dff70c6e3621032988
SHA512

cf47d36d1e673065066f1184c4457b157b3c7c37425e59be0726f250de4b3afac85522ab1f2154b6043d32c985bffa77ac7b1aba2e46acf4e3d0ea3d147b59ef
SSDEEP

24576:Y1ckvnJDH7oH1haz/5qgxuLh62tLqazx5QwLzyUSSykQ59aIkPTr:Y1vvJz8H1hU/5qgQ62Bqad5g0yksxkrr

Score

10^/10

modiloader discovery evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	miGRu6Gcu2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	pauhea.exe

ModiLoader Second Stage 9 IoCs

resource	yara_rule
behavioral2/memory/3480-4-0x0000000000400000-0x0000000000419000-memory.dmp	modiloader_stage2
behavioral2/memory/3268-7-0x0000000000400000-0x000000000051D000-memory.dmp	modiloader_stage2
behavioral2/memory/3268-6-0x0000000000400000-0x000000000051D000-memory.dmp	modiloader_stage2
behavioral2/files/0x00090000000233d9-21.dat	modiloader_stage2
behavioral2/memory/3320-48-0x0000000000400000-0x0000000000418000-memory.dmp	modiloader_stage2
behavioral2/files/0x000a0000000233dc-50.dat	modiloader_stage2
behavioral2/memory/764-57-0x0000000000400000-0x0000000000418000-memory.dmp	modiloader_stage2
behavioral2/memory/3268-67-0x0000000000400000-0x000000000051D000-memory.dmp	modiloader_stage2
behavioral2/memory/3268-88-0x0000000000400000-0x000000000051D000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	miGRu6Gcu2.exe

Executes dropped EXE 9 IoCs

pid	Process
2772	miGRu6Gcu2.exe
3320	alhost.exe
3604	pauhea.exe
3280	alhost.exe
764	blhost.exe
2484	blhost.exe
3000	clhost.exe
4820	dlhost.exe
4408	elhost.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3268-1-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/memory/3268-5-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/memory/3268-0-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/memory/3268-7-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/memory/3268-6-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/memory/2484-53-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/2484-52-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/2484-58-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/2484-59-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3268-67-0x0000000000400000-0x000000000051D000-memory.dmp	upx
behavioral2/memory/2484-70-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3268-88-0x0000000000400000-0x000000000051D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /K"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /a"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /g"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /L"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /x"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /j"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /A"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /I"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /F"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /R"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /V"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /h"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /Q"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /H"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /z"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /o"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /r"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /n"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /M"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /b"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /i"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /K"	miGRu6Gcu2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /S"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /m"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /D"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /B"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /W"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /Y"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /E"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /c"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /d"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /y"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /k"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /T"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /e"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /G"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /t"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /s"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /w"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /Z"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /f"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /O"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /l"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /N"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /u"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /v"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /q"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /X"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /p"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /C"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /P"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /U"	pauhea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pauhea = "C:\\Users\\Admin\\pauhea.exe /J"	pauhea.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	alhost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	alhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	blhost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	blhost.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1308	tasklist.exe
2336	tasklist.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3480 set thread context of 3268	3480	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	86
PID 3320 set thread context of 3280	3320	alhost.exe	98
PID 764 set thread context of 2484	764	blhost.exe	100
PID 4820 set thread context of 1168	4820	dlhost.exe	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2588	3000	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	blhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	miGRu6Gcu2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	elhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pauhea.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2772	miGRu6Gcu2.exe
2772	miGRu6Gcu2.exe
2772	miGRu6Gcu2.exe
2772	miGRu6Gcu2.exe
3280	alhost.exe
3280	alhost.exe
3604	pauhea.exe
3604	pauhea.exe
3280	alhost.exe
3280	alhost.exe
3280	alhost.exe
3280	alhost.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
2484	blhost.exe
2484	blhost.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3280	alhost.exe
3280	alhost.exe
3280	alhost.exe
3280	alhost.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3280	alhost.exe
3280	alhost.exe
3280	alhost.exe
3280	alhost.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe
3604	pauhea.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	tasklist.exe
Token: SeDebugPrivilege	4820	dlhost.exe
Token: SeDebugPrivilege	1308	tasklist.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3268	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
2772	miGRu6Gcu2.exe
3604	pauhea.exe
4408	elhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 3268	3480	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	86
PID 3480 wrote to memory of 3268	3480	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	86
PID 3480 wrote to memory of 3268	3480	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	86
PID 3480 wrote to memory of 3268	3480	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	86
PID 3480 wrote to memory of 3268	3480	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	86
PID 3480 wrote to memory of 3268	3480	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	86
PID 3480 wrote to memory of 3268	3480	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	86
PID 3480 wrote to memory of 3268	3480	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	86
PID 3268 wrote to memory of 2772	3268	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	87
PID 3268 wrote to memory of 2772	3268	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	87
PID 3268 wrote to memory of 2772	3268	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	87
PID 3268 wrote to memory of 3320	3268	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	92
PID 3268 wrote to memory of 3320	3268	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	92
PID 3268 wrote to memory of 3320	3268	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	92
PID 2772 wrote to memory of 3604	2772	miGRu6Gcu2.exe	93
PID 2772 wrote to memory of 3604	2772	miGRu6Gcu2.exe	93
PID 2772 wrote to memory of 3604	2772	miGRu6Gcu2.exe	93
PID 2772 wrote to memory of 2132	2772	miGRu6Gcu2.exe	94
PID 2772 wrote to memory of 2132	2772	miGRu6Gcu2.exe	94
PID 2772 wrote to memory of 2132	2772	miGRu6Gcu2.exe	94
PID 2132 wrote to memory of 2336	2132	cmd.exe	96
PID 2132 wrote to memory of 2336	2132	cmd.exe	96
PID 2132 wrote to memory of 2336	2132	cmd.exe	96
PID 3320 wrote to memory of 3280	3320	alhost.exe	98
PID 3320 wrote to memory of 3280	3320	alhost.exe	98
PID 3320 wrote to memory of 3280	3320	alhost.exe	98
PID 3320 wrote to memory of 3280	3320	alhost.exe	98
PID 3320 wrote to memory of 3280	3320	alhost.exe	98
PID 3320 wrote to memory of 3280	3320	alhost.exe	98
PID 3320 wrote to memory of 3280	3320	alhost.exe	98
PID 3320 wrote to memory of 3280	3320	alhost.exe	98
PID 3320 wrote to memory of 3280	3320	alhost.exe	98
PID 3268 wrote to memory of 764	3268	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	99
PID 3268 wrote to memory of 764	3268	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	99
PID 3268 wrote to memory of 764	3268	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	99
PID 764 wrote to memory of 2484	764	blhost.exe	100
PID 764 wrote to memory of 2484	764	blhost.exe	100
PID 764 wrote to memory of 2484	764	blhost.exe	100
PID 764 wrote to memory of 2484	764	blhost.exe	100
PID 764 wrote to memory of 2484	764	blhost.exe	100
PID 764 wrote to memory of 2484	764	blhost.exe	100
PID 764 wrote to memory of 2484	764	blhost.exe	100
PID 764 wrote to memory of 2484	764	blhost.exe	100
PID 3268 wrote to memory of 3000	3268	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	103
PID 3268 wrote to memory of 3000	3268	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	103
PID 3268 wrote to memory of 3000	3268	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	103
PID 3268 wrote to memory of 4820	3268	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	107
PID 3268 wrote to memory of 4820	3268	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	107
PID 3268 wrote to memory of 4820	3268	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	107
PID 4820 wrote to memory of 1168	4820	dlhost.exe	108
PID 4820 wrote to memory of 1168	4820	dlhost.exe	108
PID 4820 wrote to memory of 1168	4820	dlhost.exe	108
PID 4820 wrote to memory of 1168	4820	dlhost.exe	108
PID 3268 wrote to memory of 4408	3268	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	110
PID 3268 wrote to memory of 4408	3268	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	110
PID 3268 wrote to memory of 4408	3268	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	110
PID 3268 wrote to memory of 1248	3268	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	113
PID 3268 wrote to memory of 1248	3268	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	113
PID 3268 wrote to memory of 1248	3268	e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe	113
PID 1248 wrote to memory of 1308	1248	cmd.exe	115
PID 1248 wrote to memory of 1308	1248	cmd.exe	115
PID 1248 wrote to memory of 1308	1248	cmd.exe	115
PID 3604 wrote to memory of 1308	3604	pauhea.exe	115
PID 3604 wrote to memory of 1308	3604	pauhea.exe	115

C:\Users\Admin\AppData\Local\Temp\e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Users\Admin\AppData\Local\Temp\e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
  e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3268
- - C:\Users\Admin\miGRu6Gcu2.exe
    C:\Users\Admin\miGRu6Gcu2.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Users\Admin\pauhea.exe
      "C:\Users\Admin\pauhea.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3604
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del miGRu6Gcu2.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2132
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
- - C:\Users\Admin\alhost.exe
    C:\Users\Admin\alhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3320
  - - C:\Users\Admin\alhost.exe
      alhost.exe
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      PID:3280
- - C:\Users\Admin\blhost.exe
    C:\Users\Admin\blhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\Users\Admin\blhost.exe
      blhost.exe
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      PID:2484
- - C:\Users\Admin\clhost.exe
    C:\Users\Admin\clhost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3000
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 396
      4⤵
      Program crash
      PID:2588
- - C:\Users\Admin\dlhost.exe
    C:\Users\Admin\dlhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:1168
- - C:\Users\Admin\elhost.exe
    C:\Users\Admin\elhost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4408
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3000 -ip 3000
1⤵
PID:3872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\alhost.exe

Filesize
236KB

MD5
ccee7bbbd52e9e3d551451e54f85489a

SHA1
7f72be25a00d4e667f17fa106bf024fac3eb9886

SHA256
24d5bac9c9a2d7e77dc8f79ad7fe3333283028dbec964effd9020dd6473e3290

SHA512
3e2fd0abfc61741698570a600aa4f845503410bc9bef9906dced2df27e5f38c7bb06eefb653a0e199eec88044725e2c0f0238253c73979fcceecb992e3b73af4

Download Submit
C:\Users\Admin\blhost.exe

Filesize
126KB

MD5
f9482a349a998f5c9cb842705e67fea7

SHA1
196794ddf71cab834c7029dbf1c27009b06754b2

SHA256
9e5b1531710c57fad4e07c5888db6823e6634384a5ebe9d7f40b54cb9a163b44

SHA512
71ced1fbd460b833d1f422a80d5a27a893e18f7a6286cb61b1283a2c843f8fc77a68b30cba33fe988063f5db3893cb7fd8f677e023960b1999386c18389c9536

Download Submit
C:\Users\Admin\clhost.exe

Filesize
283KB

MD5
78b038f42b4e2490672f9a35a42674b5

SHA1
ca8972f311b9dab6aa917b65cfb9726447fb44f8

SHA256
99125e2bff877025e5687aa5928061cc7da65a944afcd81a66f556bf5d48730d

SHA512
13826dd7b9b1de6b08189c814487fcf6dd369059be8f70d5ba7ef6e9339a56be6f04a424e11238cc49a932e7d2988630c102109a861cb4adb5382f9e883ae515

Download Submit
C:\Users\Admin\dlhost.exe

Filesize
244KB

MD5
682907092bb50419e5b28cf99466e124

SHA1
622962a69e71cf4192f860be74249be205e9ce13

SHA256
9e08b47ad6498e8f7173eb8a9e2ce2c4aaa36d0c69cfb3365ba76938d037f98e

SHA512
cced9e3ec516c2e07182ecf012749b9b123bd70d6204d5f82afa4c0a8a8f110da8690c816e7c8d97f9a283e8e4961fbe0afa60badd4b57d21a8decfa1b527799

Download Submit
C:\Users\Admin\elhost.exe

Filesize
32KB

MD5
00a9df0a178efb6f4f44aa392186c492

SHA1
d3c3039ca41481525815bca5301d9d00f5725667

SHA256
c505d1c76b1e886de65c6b7b171a9d56870a320532c7561f7f8b162920602b18

SHA512
ae0cbce9119ec561a8084610a42f30f60ed29d6bde908dedb7394dbcd8cd24456c85a543b72aa797705130ccce851a348a5171baf1c8a2499ad599b345283a3f

Download Submit
C:\Users\Admin\miGRu6Gcu2.exe

Filesize
192KB

MD5
869d4fbc9194f74e9815f487d245fcff

SHA1
66ac3d8d447558f6389e3a8e203c1b60634af873

SHA256
b7bc5a05d5190e33bcf35bc06107881990caf3fd99643c50eb855ca8505d7113

SHA512
57700b710c9c42ed07f1959c7a17d592a5bfafadb340eaec33d769a788cb5b84de7d84b4ff5b865df9fedd966d7dc8b5a2534811e1de52f488a31a5548d4d6ce

Download Submit
C:\Users\Admin\pauhea.exe

Filesize
192KB

MD5
008c7d5d41134fce848dbbf13be7d1fc

SHA1
e39a22109a17ff126911158a174e6858c74b56c2

SHA256
13144c215793c290663e9d0154e59e42ea8c5ce0ff227dcc8da3a81d6fa8ea09

SHA512
cbb804e65afae4a9b7f90136f651664986c8cfc38c782fa144ade12a17928f292dac57563e66cc38948f00dc36d8cd7bbfe609ee10501af40f3582e19e5f3f8a

Download Submit
memory/764-57-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2484-53-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2484-70-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2484-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2484-58-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2484-52-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3268-5-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3268-0-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3268-7-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3268-88-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3268-6-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3268-67-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3268-1-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3280-44-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3280-41-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3280-46-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3280-69-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3280-42-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3280-43-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3320-48-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3480-4-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4820-73-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download