Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/09/2024, 00:08 UTC

General

  • Target

    e14ff5720919d978167f77802233e5e2_JaffaCakes118.exe

  • Size

    126KB

  • MD5

    e14ff5720919d978167f77802233e5e2

  • SHA1

    bd5c3b127d0984d342bad7220297fbc7a7e4eab6

  • SHA256

    ad6f4877428647bc79ab0f84c9636e5d758d8200af7d635b1346d93ab82d7c41

  • SHA512

    db7da02a7e77e0e9a828f4ee1619f2ccd729d8ad8dfc72e55ea9abd1ab49702244f194495682ed93e259ff153ab0f76b3ec25e31bf22ae9598e4470c572db1fe

  • SSDEEP

    3072:r59NJVpMXqfEn20TTEE5TuP9XknZ9/GtedHB/l:rDHWFn7AENmmNdHD

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • UAC bypass 3 TTPs 1 IoCs
  • ModiLoader Second Stage 6 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e14ff5720919d978167f77802233e5e2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e14ff5720919d978167f77802233e5e2_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Users\Admin\AppData\Local\Temp\e14ff5720919d978167f77802233e5e2_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\e14ff5720919d978167f77802233e5e2_JaffaCakes118.exe
      2⤵
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Windows\mstwain32.exe
        "C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\e14ff5720919d978167f77802233e5e2_JaffaCakes118.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Windows\mstwain32.exe
          C:\Windows\mstwain32.exe
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • System policy modification
          PID:2764
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2624

Network

  • DNS
    tro3.no-ip.biz
    mstwain32.exe
    Remote address:
    8.8.8.8:53
    Request
    tro3.no-ip.biz
    IN A
    Response
    No results found
  • 8.8.8.8:53
    tro3.no-ip.biz
    dns
    mstwain32.exe
    60 B
    120 B
    1
    1

    DNS Request

    tro3.no-ip.biz

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mstwain32.exe

    Filesize

    126KB

    MD5

    e14ff5720919d978167f77802233e5e2

    SHA1

    bd5c3b127d0984d342bad7220297fbc7a7e4eab6

    SHA256

    ad6f4877428647bc79ab0f84c9636e5d758d8200af7d635b1346d93ab82d7c41

    SHA512

    db7da02a7e77e0e9a828f4ee1619f2ccd729d8ad8dfc72e55ea9abd1ab49702244f194495682ed93e259ff153ab0f76b3ec25e31bf22ae9598e4470c572db1fe

  • memory/2616-0-0x0000000010000000-0x0000000010027000-memory.dmp

    Filesize

    156KB

  • memory/2616-1-0x00000000001B0000-0x00000000001D7000-memory.dmp

    Filesize

    156KB

  • memory/2616-7-0x0000000010000000-0x0000000010027000-memory.dmp

    Filesize

    156KB

  • memory/2764-51-0x0000000076730000-0x0000000076820000-memory.dmp

    Filesize

    960KB

  • memory/2764-45-0x0000000076740000-0x0000000076741000-memory.dmp

    Filesize

    4KB

  • memory/2764-48-0x0000000076730000-0x0000000076820000-memory.dmp

    Filesize

    960KB

  • memory/2764-49-0x0000000000380000-0x0000000000388000-memory.dmp

    Filesize

    32KB

  • memory/2764-47-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2764-50-0x00000000004E0000-0x00000000004EE000-memory.dmp

    Filesize

    56KB

  • memory/2764-46-0x0000000076730000-0x0000000076820000-memory.dmp

    Filesize

    960KB

  • memory/2764-30-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2764-35-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2764-42-0x0000000000320000-0x0000000000321000-memory.dmp

    Filesize

    4KB

  • memory/2764-43-0x00000000004E0000-0x00000000004EE000-memory.dmp

    Filesize

    56KB

  • memory/2764-38-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2764-37-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2764-36-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2872-25-0x0000000010000000-0x0000000010027000-memory.dmp

    Filesize

    156KB

  • memory/2872-34-0x0000000010000000-0x0000000010027000-memory.dmp

    Filesize

    156KB

  • memory/2872-24-0x0000000000220000-0x0000000000247000-memory.dmp

    Filesize

    156KB

  • memory/2900-11-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2900-20-0x0000000002EB0000-0x0000000002ED7000-memory.dmp

    Filesize

    156KB

  • memory/2900-22-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2900-15-0x0000000002D70000-0x0000000002D80000-memory.dmp

    Filesize

    64KB

  • memory/2900-10-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2900-9-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2900-2-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2900-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2900-5-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB
