Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
31-10-2024 20:55
Static task
static1
Behavioral task
behavioral1
Sample
83ab44c6582e324d494469d600848ce7_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
83ab44c6582e324d494469d600848ce7_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
83ab44c6582e324d494469d600848ce7_JaffaCakes118.exe
-
Size
590KB
-
MD5
83ab44c6582e324d494469d600848ce7
-
SHA1
ea0e2a9134433db766fe94942303c0b0594f9095
-
SHA256
e577636ec322c86e56a814973a5cbff0c1f66c97c4269f9d7db3f9c7a9cb2eb7
-
SHA512
3bf0d4db1e93c08043f5559ce4bd0d575d571ff32708e211aa38bb838f4b7932f01e3d8c780cd5d6b9b12ad945ef2f21b3cdb632c415cc733e5b89ceefb043e4
-
SSDEEP
6144:tUeqreW6n5nVB7xL5+MMaBcE/0T4LRPU9FFUa/a9z2yeX75x5rVxekrfZgj83ui8:tZVgMTcs0TlFGavtX75r5rSBl
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
Processes:
mstwain32.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
ModiLoader Second Stage 16 IoCs
Processes:
resource yara_rule behavioral1/memory/2860-15-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/2860-29-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/1916-37-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/1916-38-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/1916-41-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/1916-44-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/1916-47-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/1916-51-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/1916-54-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/1916-57-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/1916-60-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/1916-63-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/1916-66-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/1916-69-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/1916-72-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/1916-75-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 -
Executes dropped EXE 2 IoCs
Processes:
Crypted.exemstwain32.exepid Process 2860 Crypted.exe 1916 mstwain32.exe -
Loads dropped DLL 1 IoCs
Processes:
Crypted.exepid Process 2860 Crypted.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
mstwain32.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe" mstwain32.exe -
Processes:
Crypted.exemstwain32.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Crypted.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mstwain32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
Processes:
resource yara_rule behavioral1/files/0x001500000001756e-10.dat upx behavioral1/memory/2860-13-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/2860-15-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/1916-31-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/2860-29-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/1916-37-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/1916-38-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/1916-41-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/1916-44-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/1916-47-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/1916-51-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/1916-54-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/1916-57-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/1916-60-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/1916-63-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/1916-66-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/1916-69-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/1916-72-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/1916-75-0x0000000000400000-0x0000000000450000-memory.dmp upx -
Drops file in Windows directory 4 IoCs
Processes:
Crypted.exemstwain32.exedescription ioc Process File created C:\Windows\mstwain32.exe Crypted.exe File opened for modification C:\Windows\mstwain32.exe Crypted.exe File created C:\Windows\ntdtcstp.dll mstwain32.exe File created C:\Windows\cmsetac.dll mstwain32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Crypted.exemstwain32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Crypted.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mstwain32.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
Crypted.exevssvc.exemstwain32.exedescription pid Process Token: SeDebugPrivilege 2860 Crypted.exe Token: SeBackupPrivilege 2976 vssvc.exe Token: SeRestorePrivilege 2976 vssvc.exe Token: SeAuditPrivilege 2976 vssvc.exe Token: SeDebugPrivilege 1916 mstwain32.exe Token: SeDebugPrivilege 1916 mstwain32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
mstwain32.exepid Process 1916 mstwain32.exe 1916 mstwain32.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
83ab44c6582e324d494469d600848ce7_JaffaCakes118.exeCrypted.exedescription pid Process procid_target PID 2856 wrote to memory of 2860 2856 83ab44c6582e324d494469d600848ce7_JaffaCakes118.exe 30 PID 2856 wrote to memory of 2860 2856 83ab44c6582e324d494469d600848ce7_JaffaCakes118.exe 30 PID 2856 wrote to memory of 2860 2856 83ab44c6582e324d494469d600848ce7_JaffaCakes118.exe 30 PID 2856 wrote to memory of 2860 2856 83ab44c6582e324d494469d600848ce7_JaffaCakes118.exe 30 PID 2860 wrote to memory of 1916 2860 Crypted.exe 34 PID 2860 wrote to memory of 1916 2860 Crypted.exe 34 PID 2860 wrote to memory of 1916 2860 Crypted.exe 34 PID 2860 wrote to memory of 1916 2860 Crypted.exe 34 -
System policy modification 1 TTPs 1 IoCs
Processes:
mstwain32.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\83ab44c6582e324d494469d600848ce7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\83ab44c6582e324d494469d600848ce7_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Users\Admin\AppData\Local\Temp\Crypted.exe"C:\Users\Admin\AppData\Local\Temp\Crypted.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\mstwain32.exe"C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1916
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2976
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
109KB
MD540e0b3ca04c717fc3053103801f86831
SHA18b1c9dd11725296ee73f0d69ec6966565dec26ee
SHA256c97d755cae7d36fd58f268d5f4e935433aa420a3c75e80528fd36f8d37ada00f
SHA512c0df0da2df2dc0e0c0c2e61e45806a68adbe68b688fc2cedbff71a58a53e734483b4d12f304b280f93314426c11abe28f31344fb4640618ac4a05cce9ad3d9af