modiloader | 285f5fa32b21225ddcc1da2350a610c6395a51ed5e8dd79b31089c7cd32f9e3a

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Size

405KB
MD5

eabcd64c3865e4ca0d1dcafae1e09af7
SHA1

ace466e2e647f30f709ac4ebeb60e7b4089a2ead
SHA256

285f5fa32b21225ddcc1da2350a610c6395a51ed5e8dd79b31089c7cd32f9e3a
SHA512

b4aa80e247256a6f5219fadd953d8cb73d660b871e45f2b7417cac14aa088d12483b3edfa8bbe6015b061842a30f046208761d09df2a9aaeb5037eb5c2350284
SSDEEP

6144:sdw6ZYyddSLWuM9w8MOnrjAHlNEsBz7L2293x8f5SoPDk8KFtEDrp9SVUKg93HY:QZdTnF1nqaYz7Rgo86EDlo

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000014afa-5.dat	modiloader_stage2
behavioral1/memory/1072-15-0x0000000000400000-0x00000000004BC000-memory.dmp	modiloader_stage2

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscntfy.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscntfy.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvMonXP.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avast.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmon.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVXP.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwproxy.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavmonD.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avast.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVXP.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvMonXP.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwproxy.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavmonD.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe\debugger = "IFEOFILE"	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmon.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1072	xghok87b2008_server.exe

Loads dropped DLL 2 IoCs

pid	Process
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt	xghok87b2008_server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xghok87b2008_server.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 1072	1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe	28
PID 1860 wrote to memory of 1072	1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe	28
PID 1860 wrote to memory of 1072	1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe	28
PID 1860 wrote to memory of 1072	1860	eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eabcd64c3865e4ca0d1dcafae1e09af7_JaffaCakes118.exe"
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Temp\xghok87b2008_server.exe
  "C:\Temp\xghok87b2008_server.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Temp\xghok87b2008_server.exe

Filesize
685KB

MD5
f715f7756df044f2b534482d4ed22060

SHA1
9cab7c2bfb55726e88921a11e59cc4b45125cab7

SHA256
bbec42d4c897009cada58196afb79f940db2852bcc4a962c794cfb5730680d43

SHA512
34b197524e6250c3d63798dd8420545b6c3a80eefda9868a459fb7826976b483a9279c8960a219e5189136d82194a66ef59db976f6c576d97ae90fa2c9e91e28

Download Submit
memory/1072-13-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1072-15-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1860-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1860-12-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download