Analysis
-
max time kernel
147s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
22/09/2024, 13:30
General
-
Target
f21d68148deff93a17a339c28c8eca38_JaffaCakes118.exe
-
Size
288KB
-
MD5
f21d68148deff93a17a339c28c8eca38
-
SHA1
49cc7ac4d643340db8eca92ba1959987d2fd874c
-
SHA256
e9f3533696cedee49be4dcbcffea540f3462c780923f424f26736a9bc8962365
-
SHA512
3765760f36dd9804aceda46c9ff1c1a3b748b729034db00e7671248d40ff0b3a45b044cca6d8bad7ca657cb13eaac1eb3d7f5913aea6e92403819f9af3132222
-
SSDEEP
3072:+8n5i7vlWw+IgDGD7m//iTnqpdH9kDv+p89aR4igbkgmZNTBfD7Bvg+d+3Np54:J5i7vs2MS7mirpKp8aDglSNTB3fSf54
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
UAC bypass 3 TTPs 1 IoCs
-
ModiLoader Second Stage 17 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f21d68148deff93a17a339c28c8eca38_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f21d68148deff93a17a339c28c8eca38_JaffaCakes118.exe"1⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\msngsr.exe"C:\Windows\msngsr.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
769B
MD52cf9e94fe1414e8cf45fcb30c455cd63
SHA1985344611aea83b5c477fda1e1071482ffa8f297
SHA2563e01d2b3d7503e7a5203cb326123ff0dd4f18b67c941a063e2a7b5dc1c579815
SHA51281a5e097cbb2da0ee788de83741a5fac83acb8435d29c64d23b497ae637e1c509010a6598cb55b2149a2a4cfa7a8550ab676097797ddb6bde3d26f5a559ef867
-
Filesize
288KB
MD5f21d68148deff93a17a339c28c8eca38
SHA149cc7ac4d643340db8eca92ba1959987d2fd874c
SHA256e9f3533696cedee49be4dcbcffea540f3462c780923f424f26736a9bc8962365
SHA5123765760f36dd9804aceda46c9ff1c1a3b748b729034db00e7671248d40ff0b3a45b044cca6d8bad7ca657cb13eaac1eb3d7f5913aea6e92403819f9af3132222
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
320KB
-
Filesize
32KB
-
Filesize
320KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
320KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
56KB
-
Filesize
320KB
-
Filesize
4KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
32KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
32KB
-
Filesize
320KB
-
Filesize
320KB