Analysis
-
max time kernel
141s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
30-09-2024 03:01
General
-
Target
ffd2b60afb1bca2bcb10f837c46f074d_JaffaCakes118.exe
-
Size
818KB
-
MD5
ffd2b60afb1bca2bcb10f837c46f074d
-
SHA1
4af2f056647ad58f775ae5715e0e349c45ee0ce7
-
SHA256
a610aef74fae3f178f3c3752ba83a6e7b8ea82bab12d66471eb48240c02779c1
-
SHA512
d88932d047ee5dd4d8fcc01eba3562f944ecd27cfc951682d4cf1a3edf5d4c15e05d117036952564c669a72a8cae8d33f6b0d7adab5b23f0cda71d204b1d3bd8
-
SSDEEP
12288:cUDrWv1r25ge9RHRvcJvKe8uabWhM/QZLAgtvDLkegot1ysvRDvMc2qCGe6XsHAY:cUDS9q51RxyKe8uLdZsgtvkJ/KbMVAN
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
UAC bypass 3 TTPs 1 IoCs
-
ModiLoader Second Stage 27 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Themida packer 27 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ffd2b60afb1bca2bcb10f837c46f074d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ffd2b60afb1bca2bcb10f837c46f074d_JaffaCakes118.exe"1⤵
- UAC bypass
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
33KB
MD57260ca481a976e31b4881aeff40bad24
SHA1d10cdae0bd9f6c359d33cef8fdee2020d961bcb4
SHA2562de804cc33e693d3c52db8d05b3f637808fdcfb0e466dd1e463b8299747bf1ca
SHA51262178b33b37646a626b9bf655a1c68c2860f6937a37e378849a3f942fc2360f06528a849e6088381683eb1f86e68961a70c111b0122100a70cf7df832343637c
-
Filesize
7KB
MD567587e25a971a141628d7f07bd40ffa0
SHA176fcd014539a3bb247cc0b761225f68bd6055f6b
SHA256e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
SHA5126e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
56KB
-
Filesize
108KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
56KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
32KB