Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-11-2024 01:28
Static task: static1
Behavioral task: behavioral1
  Sample: 83d4fe1681f92e2fc23d8126bfe09a98_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 83d4fe1681f92e2fc23d8126bfe09a98_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 83d4fe1681f92e2fc23d8126bfe09a98_JaffaCakes118.exe
Size: 708KB
MD5: 83d4fe1681f92e2fc23d8126bfe09a98
SHA1: 03c63028537380beefa7b33badd13cefe01e1958
SHA256: cf1ba5405fa038f19a4e96f8f6d4f9805b531bb8e2766b6b8c7ad7ec3cb1c00a
SHA512: 726a6e4531ca70ad9df2ada216402a96086a7e47dda3f47dcbbe2aa20f80c2022124af36696eae2bf1ecf3e28660175be964b6c68ccaefebfa6678d0acec5fb6
SSDEEP: 12288:d4ZGLugQ5v4kYqE8xaBdot9VdeOt4l2TcJ5OFBZxhwFEdYFIx4w2Ml:d4qyv4kEBdot9V1HTb0uYFIxq+
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modiloader family

UAC bypass (signature title recovered from the process tree entry for mstwain32.exe below)
Processes: mstwain32.exe
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mstwain32.exe
ModiLoader Second Stage 16 IoCs
Resource | yara_rule
behavioral2/memory/3600-29-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral2/memory/4176-47-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral2/memory/4176-48-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral2/memory/4176-51-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral2/memory/4176-54-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral2/memory/4176-57-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral2/memory/4176-60-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral2/memory/4176-63-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral2/memory/4176-66-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral2/memory/4176-69-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral2/memory/4176-72-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral2/memory/4176-75-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral2/memory/4176-78-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral2/memory/4176-81-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral2/memory/4176-84-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral2/memory/4176-87-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: server.exe, 83d4fe1681f92e2fc23d8126bfe09a98_JaffaCakes118.exe
Description | IoC | Process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | 83d4fe1681f92e2fc23d8126bfe09a98_JaffaCakes118.exe
Executes dropped EXE 3 IoCs
Processes: server.exe, tmpUI.exe, mstwain32.exe
PID | Process
3600 | server.exe
2536 | tmpUI.exe
4176 | mstwain32.exe
Loads dropped DLL 4 IoCs
Processes: mstwain32.exe
PID | Process
4176 | mstwain32.exe
4176 | mstwain32.exe
4176 | mstwain32.exe
4176 | mstwain32.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: mstwain32.exe
Description | IoC | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe" | mstwain32.exe
Checks whether UAC is enabled (signature title recovered from the process tree entries for server.exe and mstwain32.exe below)
Processes: server.exe, mstwain32.exe
Description | IoC | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | server.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mstwain32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mstwain32.exe
UPX packed file (yara rule: upx)
Resource | yara_rule
behavioral2/files/0x000a000000023c98-5.dat | upx
behavioral2/memory/3600-10-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral2/memory/3600-29-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral2/memory/4176-47-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral2/memory/4176-48-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral2/memory/4176-51-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral2/memory/4176-54-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral2/memory/4176-57-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral2/memory/4176-60-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral2/memory/4176-63-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral2/memory/4176-66-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral2/memory/4176-69-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral2/memory/4176-72-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral2/memory/4176-75-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral2/memory/4176-78-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral2/memory/4176-81-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral2/memory/4176-84-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral2/memory/4176-87-0x0000000000400000-0x0000000000450000-memory.dmp | upx
Drops file in Program Files directory 2 IoCs
Processes: tmpUI.exe
Description | IoC | Process
File created | C:\Program Files (x86)\Java\jre-08\bin\jusched.exe | tmpUI.exe
File created | C:\Program Files (x86)\Java\jre-08\bin\UF | tmpUI.exe
Drops file in Windows directory 4 IoCs
Processes: server.exe, mstwain32.exe
Description | IoC | Process
File created | C:\Windows\mstwain32.exe | server.exe
File opened for modification | C:\Windows\mstwain32.exe | server.exe
File created | C:\Windows\ntdtcstp.dll | mstwain32.exe
File created | C:\Windows\cmsetac.dll | mstwain32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 83d4fe1681f92e2fc23d8126bfe09a98_JaffaCakes118.exe, server.exe, tmpUI.exe, mstwain32.exe
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 83d4fe1681f92e2fc23d8126bfe09a98_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpUI.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mstwain32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: server.exe, mstwain32.exe
Description | PID | Process
Token: SeDebugPrivilege | 3600 | server.exe
Token: SeDebugPrivilege | 4176 | mstwain32.exe
Token: SeDebugPrivilege | 4176 | mstwain32.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: mstwain32.exe
PID | Process
4176 | mstwain32.exe
4176 | mstwain32.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 83d4fe1681f92e2fc23d8126bfe09a98_JaffaCakes118.exe, server.exe
Description | PID | Process | procid_target
PID 1920 wrote to memory of 3600 | 1920 | 83d4fe1681f92e2fc23d8126bfe09a98_JaffaCakes118.exe | 84
PID 1920 wrote to memory of 3600 | 1920 | 83d4fe1681f92e2fc23d8126bfe09a98_JaffaCakes118.exe | 84
PID 1920 wrote to memory of 3600 | 1920 | 83d4fe1681f92e2fc23d8126bfe09a98_JaffaCakes118.exe | 84
PID 1920 wrote to memory of 2536 | 1920 | 83d4fe1681f92e2fc23d8126bfe09a98_JaffaCakes118.exe | 85
PID 1920 wrote to memory of 2536 | 1920 | 83d4fe1681f92e2fc23d8126bfe09a98_JaffaCakes118.exe | 85
PID 1920 wrote to memory of 2536 | 1920 | 83d4fe1681f92e2fc23d8126bfe09a98_JaffaCakes118.exe | 85
PID 3600 wrote to memory of 4176 | 3600 | server.exe | 86
PID 3600 wrote to memory of 4176 | 3600 | server.exe | 86
PID 3600 wrote to memory of 4176 | 3600 | server.exe | 86
System policy modification 1 TTPs 1 IoCs
Processes: mstwain32.exe
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mstwain32.exe
Processes
C:\Users\Admin\AppData\Local\Temp\83d4fe1681f92e2fc23d8126bfe09a98_JaffaCakes118.exe (PID 1920, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\83d4fe1681f92e2fc23d8126bfe09a98_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\server.exe (PID 3600, depth 2, child of PID 1920)
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\mstwain32.exe (PID 4176, depth 3, child of PID 3600)
      Command line: "C:\Windows\mstwain32.exe"
      - UAC bypass
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - System policy modification

  C:\Users\Admin\AppData\Local\Temp\tmpUI.exe (PID 2536, depth 2, child of PID 1920)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpUI.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (3)
Downloads
Filesize: 108KB
MD5: b01ede28df742668118fddb3b23a3ae8
SHA1: c91ae9ee382be69ef7070ab763fa70b474e518ad
SHA256: fffac4a8df6a1ff85273ffc8f35021c9a3b732643f4b92aa0fd15be619a9acec
SHA512: 8601c0bc230a93a41eb5dbcfb470a38e29afa07c6221675e8ca00fe16b297299922ee42ed033782ca8463d00465b6c06f1e1b587813ccc8b62edbe60c150c05d

Filesize: 63KB
MD5: 789c7ca95ac69631edf013583516c7ce
SHA1: 2715941968d7606a131356cbbf5c880ddabd80f7
SHA256: 672e6e2d6a38d8a18b11b8c517b47ab5d79fb08b432c9af5bb9d6bce4021938a
SHA512: 432310a5c7e4feccb1a0e50da0c374cdcc73d3596899ad88cd634847b216786b653b487306da2330898afff74d5395af89eec0e561cfa4274e065aaf014b142d

Filesize: 33KB
MD5: e8e45be7907c8d60e5863cb9fc640021
SHA1: d6cf7f32ce47fb04509f39e70d05b063487c5b1b
SHA256: 8f5cc82cb489141043cf4b555bb7b6c8868cae47c3d5e59d9e923d90340e27bf
SHA512: 6315c178e134f6bf38ebb27fd5f6ebef076a73d3da7f4129b956d19451b7d09f6d92e76658ec1853116cf6845c949551cfb76b6cc5d10dec8d5baae683017708

Filesize: 7KB
MD5: 67587e25a971a141628d7f07bd40ffa0
SHA1: 76fcd014539a3bb247cc0b761225f68bd6055f6b
SHA256: e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
SHA512: 6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350