Analysis
- max time kernel: 144s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 20-09-2024 13:03
Static task
- static1
Behavioral task
- behavioral1
  - Sample: eda5cb8441f6ef8697d408d56b204987_JaffaCakes118.exe
  - Resource: win7-20240903-en
Behavioral task
- behavioral2
  - Sample: eda5cb8441f6ef8697d408d56b204987_JaffaCakes118.exe
  - Resource: win10v2004-20240802-en
General
- Target: eda5cb8441f6ef8697d408d56b204987_JaffaCakes118.exe
- Size: 324KB
- MD5: eda5cb8441f6ef8697d408d56b204987
- SHA1: db43e61f1efbebf53badb8d9d2d837997558111a
- SHA256: de367bcc96caeabc2aa72840b40dc3ff5f322ff0644da0c89497e8aa63a55fec
- SHA512: cef2b6372c867802f42ea1e66831bfd5f61683f2ff4ab9aeb57f2f96243bb0dc46315cc28ddb406f0ea29befd691f417866d7da6af3c6cf1e36deefbeba3a93e
- SSDEEP: 6144:yzG8nriOnW/rGgGwyJbZo3qZ+8VfFm/fqONx6Ge8wcA5KpDI:y1DYr6m3qZjlrUwn59
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
UAC bypass 1 IoCs
(The heading for this table did not survive extraction; it is recovered from the process tree, where mstwain32.exe is tagged "UAC bypass".)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: mstwain32.exe)
ModiLoader Second Stage 16 IoCs
resource / yara_rule:
- behavioral1/files/0x0006000000018742-20.dat: modiloader_stage2
- behavioral1/memory/2496-43-0x0000000000400000-0x000000000044B000-memory.dmp: modiloader_stage2
- behavioral1/memory/808-50-0x0000000000400000-0x000000000044B000-memory.dmp: modiloader_stage2
- behavioral1/memory/808-52-0x0000000000400000-0x000000000044B000-memory.dmp: modiloader_stage2
- behavioral1/memory/808-54-0x0000000000400000-0x000000000044B000-memory.dmp: modiloader_stage2
- behavioral1/memory/808-56-0x0000000000400000-0x000000000044B000-memory.dmp: modiloader_stage2
- behavioral1/memory/808-58-0x0000000000400000-0x000000000044B000-memory.dmp: modiloader_stage2
- behavioral1/memory/808-61-0x0000000000400000-0x000000000044B000-memory.dmp: modiloader_stage2
- behavioral1/memory/808-63-0x0000000000400000-0x000000000044B000-memory.dmp: modiloader_stage2
- behavioral1/memory/808-65-0x0000000000400000-0x000000000044B000-memory.dmp: modiloader_stage2
- behavioral1/memory/808-67-0x0000000000400000-0x000000000044B000-memory.dmp: modiloader_stage2
- behavioral1/memory/808-69-0x0000000000400000-0x000000000044B000-memory.dmp: modiloader_stage2
- behavioral1/memory/808-71-0x0000000000400000-0x000000000044B000-memory.dmp: modiloader_stage2
- behavioral1/memory/808-73-0x0000000000400000-0x000000000044B000-memory.dmp: modiloader_stage2
- behavioral1/memory/808-75-0x0000000000400000-0x000000000044B000-memory.dmp: modiloader_stage2
- behavioral1/memory/808-77-0x0000000000400000-0x000000000044B000-memory.dmp: modiloader_stage2
Executes dropped EXE 2 IoCs
pid / Process:
- 2496 serveur.exe
- 808 mstwain32.exe
Loads dropped DLL 3 IoCs
pid / Process:
- 2672 eda5cb8441f6ef8697d408d56b204987_JaffaCakes118.exe
- 2672 eda5cb8441f6ef8697d408d56b204987_JaffaCakes118.exe
- 2496 serveur.exe
Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe" (process: mstwain32.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 3 IoCs
(The heading for this table did not survive extraction; it is recovered from the process tree, where both serveur.exe and mstwain32.exe are tagged "Checks whether UAC is enabled".)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: serveur.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: mstwain32.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: mstwain32.exe)
Drops file in Program Files directory 5 IoCs
- File opened for modification C:\Program Files (x86)\381276_285870914781402_100000754863670_686692_1772577515_n.jpg (process: DllHost.exe)
- File opened for modification C:\Program Files (x86)\serveur.exe (process: eda5cb8441f6ef8697d408d56b204987_JaffaCakes118.exe)
- File opened for modification C:\Program Files (x86)\381276_285870914781402_100000754863670_686692_1772577515_n.jpg (process: eda5cb8441f6ef8697d408d56b204987_JaffaCakes118.exe)
- File opened for modification C:\Program Files (x86)\photo\photo\Uninstall.exe (process: eda5cb8441f6ef8697d408d56b204987_JaffaCakes118.exe)
- File created C:\Program Files (x86)\photo\photo\Uninstall.ini (process: eda5cb8441f6ef8697d408d56b204987_JaffaCakes118.exe)
Drops file in Windows directory 4 IoCs
- File created C:\Windows\mstwain32.exe (process: serveur.exe)
- File opened for modification C:\Windows\mstwain32.exe (process: serveur.exe)
- File created C:\Windows\ntdtcstp.dll (process: mstwain32.exe)
- File created C:\Windows\cmsetac.dll (process: mstwain32.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: eda5cb8441f6ef8697d408d56b204987_JaffaCakes118.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: serveur.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: DllHost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: mstwain32.exe)
Suspicious use of AdjustPrivilegeToken 5 IoCs
- Token: SeDebugPrivilege, pid 2496, serveur.exe
- Token: SeBackupPrivilege, pid 2892, vssvc.exe
- Token: SeRestorePrivilege, pid 2892, vssvc.exe
- Token: SeAuditPrivilege, pid 2892, vssvc.exe
- Token: SeDebugPrivilege, pid 808, mstwain32.exe
Suspicious use of FindShellTrayWindow 2 IoCs
- pid 2116, DllHost.exe
- pid 2496, serveur.exe
Suspicious use of WriteProcessMemory 8 IoCs
- PID 2672 wrote to memory of 2496 (eda5cb8441f6ef8697d408d56b204987_JaffaCakes118.exe, procid_target 30); recorded 4 times
- PID 2496 wrote to memory of 808 (serveur.exe, procid_target 36); recorded 4 times
System policy modification 1 TTPs 1 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: mstwain32.exe)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
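The registry and file indicators above (EnableLUA forced to 0, a Run key pointing at C:\Windows\mstwain32.exe, PE files dropped straight into C:\Windows, and the 2672 -> 2496 -> 808 chain) turned into detection logic, as an added example that is not part of the sandbox report. The events are constructed stand-ins for telemetry; their field names (EventID, Image, TargetObject, Details, TargetFilename, ProcessId, ParentProcessId) are assumed to follow Sysmon's schema, and the PIDs and paths are taken from the report.

```python
"""Added example: detection checks for the behaviours in the sandbox report.

Constructed Sysmon-style events (not real telemetry) model the report's IoCs:
EnableLUA forced to 0, a Run key pointing at C:\\Windows\\mstwain32.exe, PE files
dropped straight into C:\\Windows, and the 2672 -> 2496 -> 808 process chain.
Field names are assumed to follow Sysmon's schema (EventID 1 = ProcessCreate,
11 = FileCreate, 13 = RegistryEvent value set).
"""
import re

EVENTS = [  # constructed sample events; PIDs and paths taken from the report
    {"EventID": 1, "ProcessId": 2496, "ParentProcessId": 2672,
     "Image": r"C:\Program Files (x86)\serveur.exe"},
    {"EventID": 1, "ProcessId": 808, "ParentProcessId": 2496,
     "Image": r"C:\Windows\mstwain32.exe"},
    {"EventID": 11, "Image": r"C:\Program Files (x86)\serveur.exe",
     "TargetFilename": r"C:\Windows\mstwain32.exe"},
    {"EventID": 11, "Image": r"C:\Windows\mstwain32.exe",
     "TargetFilename": r"C:\Windows\ntdtcstp.dll"},
    {"EventID": 11, "Image": r"C:\Windows\mstwain32.exe",
     "TargetFilename": r"C:\Windows\cmsetac.dll"},
    {"EventID": 13, "Image": r"C:\Windows\mstwain32.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\mstwain32.exe",
     "TargetObject": r"HKU\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32",
     "Details": r"C:\Windows\mstwain32.exe"},
    # Benign noise that must not alert: EnableLUA left at 1, and a driver
    # written below System32 rather than into the C:\Windows root.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 11, "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\example.sys"},
]

ENABLELUA_RE = re.compile(r"\\Policies\\System\\EnableLUA$", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
# A PE directly under C:\Windows (no subdirectory): where this sample drops its payload.
WINDIR_ROOT_PE_RE = re.compile(r"^[A-Z]:\\Windows\\[^\\]+\.(exe|dll)$", re.I)


def sysmon_dword(details):
    """Parse Sysmon's 'DWORD (0x0000000a)' rendering; None if not a DWORD."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-f]+)\)", details, re.I)
    return int(m.group(1), 16) if m else None


def detect(events):
    """Return (rule, actor image, indicator) triples for the report's behaviours."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13 and ENABLELUA_RE.search(ev["TargetObject"]):
            # UAC bypass / system policy modification: EnableLUA forced to 0
            if sysmon_dword(ev["Details"]) == 0:
                findings.append(("uac_disabled", ev["Image"], ev["TargetObject"]))
        elif ev["EventID"] == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            # Run-key persistence whose target lives in the C:\Windows root
            target = ev["Details"].strip('"')
            if WINDIR_ROOT_PE_RE.match(target):
                findings.append(("run_key_windir_pe", ev["Image"], target))
        elif ev["EventID"] == 11 and WINDIR_ROOT_PE_RE.match(ev["TargetFilename"]):
            # exe/dll written straight into C:\Windows (mstwain32.exe and the two DLLs here)
            findings.append(("pe_dropped_in_windir", ev["Image"], ev["TargetFilename"]))
    return findings


def lineage(events, pid):
    """Walk ProcessCreate events from pid up to the root, e.g. 808 -> 2496 -> 2672."""
    parents = {ev["ProcessId"]: ev["ParentProcessId"]
               for ev in events if ev["EventID"] == 1}
    chain, seen = [pid], set()
    while chain[-1] in parents and chain[-1] not in seen:
        seen.add(chain[-1])
        chain.append(parents[chain[-1]])
    return chain


if __name__ == "__main__":
    for rule, actor, ioc in detect(EVENTS):
        print(f"{rule:22} {actor}  ->  {ioc}")
    print("process chain for 808:", " -> ".join(map(str, lineage(EVENTS, 808))))
```

Run against the constructed events this yields five findings (one EnableLUA change, one Run-key entry, three PE drops) and the chain 808 -> 2496 -> 2672; the svchost.exe write of EnableLUA=1 and the driver written under System32\drivers are deliberately left silent. On live Sysmon data the same three rules would need an allow-list for legitimate installers that write into the Windows directory root, which is the main source of noise for the file-drop check.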
Processes
- C:\Users\Admin\AppData\Local\Temp\eda5cb8441f6ef8697d408d56b204987_JaffaCakes118.exe (PID 2672), command line "C:\Users\Admin\AppData\Local\Temp\eda5cb8441f6ef8697d408d56b204987_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - child: C:\Program Files (x86)\serveur.exe (PID 2496), command line "C:\Program Files (x86)\serveur.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - child: C:\Windows\mstwain32.exe (PID 808), command line "C:\Windows\mstwain32.exe"
      - UAC bypass
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
- C:\Windows\SysWOW64\DllHost.exe (PID 2116), command line C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\vssvc.exe (PID 2892), command line C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (3)
Downloads
- Filesize: 72KB
  - MD5: f34bdd553baa319bcf70479f0bb8f889
  - SHA1: d968edd9a42122f21382070f9a41bd16408a4e98
  - SHA256: b74ee9ed7126e3ce9e6aa8d1f83f99b3c95d6f917a71ba71da5a38d4553a05b8
  - SHA512: 487e44f84025c1950df3b95eb5f8d4d501fc39970bce298181a08e6b0262a9834506bed133e7f5dbe172fc22d00f6c2c4e3514822b1a4a40a711027d46a788a1
- Filesize: 270KB
  - MD5: 7cca2c09685f1b76e64d710096e17f2f
  - SHA1: 89448deba857c2f43811e1c351d4c066475ad23f
  - SHA256: f67c75c2a2b5ff48fc8223f4731cef48cebe69e0bc72e16a7df5e4092eec7126
  - SHA512: 9d14bd5b8e2e80cbeefdf9140e32ee27d486ce4c9425b772236a5848fea82a01139061a686155c1e5b567f328adc374160cccabccf89ddfd7eebbbf079613113