Analysis
max time kernel: 140s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-09-2024 01:28
Static task: static1
Behavioral task: behavioral1
  Sample: eed02915913c93f4803c5a73355e3f6d_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: eed02915913c93f4803c5a73355e3f6d_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: eed02915913c93f4803c5a73355e3f6d_JaffaCakes118.exe
Size: 1.4MB
MD5: eed02915913c93f4803c5a73355e3f6d
SHA1: ff6545c958fbe1d4bc5a0e6358e98f8caac4fd54
SHA256: 2849b86afd181845a44fec47757e6e28779e63b8a4b69b74ed9c5b51b79b4bd3
SHA512: d6900c4048b2dc4491746cf5463b2e1f2d0dfe8dc43789291914b0d04ba6c4a772b8656d2f5f04a26ea9c53b7518648ec3448260ebc24b7b4ebac0674ae27ef9
SSDEEP: 24576:oWj1c3bhxuC2mG/89P3TvLmFNcZKL7R4vk0eheDxeQ9Mzlsn+eW0:oW+rh2m/9PmFNcMS7ehup9/+0
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
UAC bypass 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | teste1.exe
ModiLoader Second Stage 19 IoCs
resource / yara_rule: 19 memory-dump resources of PID 2468 (region 0x00400000-0x00450000, behavioral1) matched yara rule modiloader_stage2.
Executes dropped EXE 1 IoCs
pid | Process
2468 | teste1.exe
Loads dropped DLL 6 IoCs
pid | Process
2380 | eed02915913c93f4803c5a73355e3f6d_JaffaCakes118.exe
2380 | eed02915913c93f4803c5a73355e3f6d_JaffaCakes118.exe
2468 | teste1.exe
2468 | teste1.exe
2876 | DllHost.exe
2380 | eed02915913c93f4803c5a73355e3f6d_JaffaCakes118.exe
UPX packed file (yara rule upx) 22 IoCs
resource / yara_rule: the dropped file behavioral1/files/0x0007000000012117-7.dat and 21 memory-dump resources of PIDs 2380 and 2468 (behavioral1) matched yara rule upx.
Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | teste1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | teste1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eed02915913c93f4803c5a73355e3f6d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | teste1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2468 | teste1.exe
Token: SeDebugPrivilege | 2468 | teste1.exe
Token: SeDebugPrivilege | 2876 | DllHost.exe
Token: SeDebugPrivilege | 2380 | eed02915913c93f4803c5a73355e3f6d_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2876 | DllHost.exe
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
2380 | eed02915913c93f4803c5a73355e3f6d_JaffaCakes118.exe
2468 | teste1.exe
2468 | teste1.exe
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 2380 wrote to memory of 2468 | 2380 | eed02915913c93f4803c5a73355e3f6d_JaffaCakes118.exe | 31
PID 2380 wrote to memory of 2468 | 2380 | eed02915913c93f4803c5a73355e3f6d_JaffaCakes118.exe | 31
PID 2380 wrote to memory of 2468 | 2380 | eed02915913c93f4803c5a73355e3f6d_JaffaCakes118.exe | 31
PID 2380 wrote to memory of 2468 | 2380 | eed02915913c93f4803c5a73355e3f6d_JaffaCakes118.exe | 31
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | teste1.exe
Processes
C:\Users\Admin\AppData\Local\Temp\eed02915913c93f4803c5a73355e3f6d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eed02915913c93f4803c5a73355e3f6d_JaffaCakes118.exe"
  PID: 2380
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\teste1.exe (child of PID 2380)
    Command line: "C:\Users\Admin\AppData\Local\Temp\teste1.exe"
    PID: 2468
    - UAC bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 2876
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (2)
Downloads
Filesize: 78KB
MD5: acbc3c472c0f9c05973dd6fbb780d313
SHA1: e5f7648d2e1271e424e91fb4cca721e9e5e2ff13
SHA256: 987c9ef2f887ab3e6d3fbe8ce9187107469ddf41eb436211436951486d005b75
SHA512: c6b2693e0391b4b9730d6e9e766eed8f8024168b331506e315dc7a88022f1b6460a3d95c6f022de6aae0c62f54cc418264020de5484e257c6484fc66d8b63b7f

Filesize: 33KB
MD5: a051d2b068a39cf0ca7964e9d5582e24
SHA1: 5267e606b75dcda068a46a8f6275c7aeeee07a46
SHA256: 5cdb3bbcb2f22348c8671ce56f98379468acfa905b5af2172abe3bb625c93226
SHA512: 89f6b1922be91ff92599b1b1b4fab9192c95b9787ee81c492770c254a44ce97128f4a8d8931130752bfe2f3356b70131bed8020620dcc80b6a3a378cc09590d2

Filesize: 7KB
MD5: 67587e25a971a141628d7f07bd40ffa0
SHA1: 76fcd014539a3bb247cc0b761225f68bd6055f6b
SHA256: e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
SHA512: 6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Filesize: 108KB
MD5: 3befaff6e530f4209ad5c7b78701217e
SHA1: 49271e83a37d3d49d36e7e8d4db90489657ce9b7
SHA256: afae375c32162f3df6ec4612814f2fa74b55e429f91c33464b12862298d1f722
SHA512: 8745eb8eb7c142c957bf0bffb776257b3d1b02a9dee7edb5535d7ea6329cd12bc05b83f29fdec534ac496f98d2406ff2e0864e69f77af1204a4f821e140e98a9