Analysis
- max time kernel: 143s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
- submitted: 04/11/2024, 04:57
Static task: static1
Behavioral task: behavioral1
  Sample: 8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
- Target: 8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe
- Size: 358KB
- MD5: 8f435bc23b7ce73056b6736ffdbcf759
- SHA1: 5100e88c835fc31be44b83347e395e428e87b2ba
- SHA256: b8b5adae1838a7475b96c23895a711785f2d7d1dc70509366f95009801b2de82
- SHA512: 19333c0c3b2508857bd73afa3895b7ec3f380680d0ab34171af0ee076fd5e5cfaadc52b053edd555cc9c535bc95831c7f95120bec1f3b101d6f915ede5a805ed
- SSDEEP: 6144:y1vQlFJve+rvWhoI6WTTSt4RLdEpRolTiXpuEIrGT:y1ozgYWhoIbTTSt4R6CCT
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- UAC bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mstwain32.exe
- ModiLoader Second Stage (16 IoCs)
  resource | yara_rule
  behavioral1/files/0x000800000001743a-10.dat | modiloader_stage2
  behavioral1/memory/1856-23-0x0000000000400000-0x000000000044C000-memory.dmp | modiloader_stage2
  behavioral1/memory/2000-34-0x0000000000400000-0x000000000044C000-memory.dmp | modiloader_stage2
  behavioral1/memory/2000-38-0x0000000000400000-0x000000000044C000-memory.dmp | modiloader_stage2
  behavioral1/memory/2000-42-0x0000000000400000-0x000000000044C000-memory.dmp | modiloader_stage2
  behavioral1/memory/2000-46-0x0000000000400000-0x000000000044C000-memory.dmp | modiloader_stage2
  behavioral1/memory/2000-50-0x0000000000400000-0x000000000044C000-memory.dmp | modiloader_stage2
  behavioral1/memory/2000-54-0x0000000000400000-0x000000000044C000-memory.dmp | modiloader_stage2
  behavioral1/memory/2000-58-0x0000000000400000-0x000000000044C000-memory.dmp | modiloader_stage2
  behavioral1/memory/2000-62-0x0000000000400000-0x000000000044C000-memory.dmp | modiloader_stage2
  behavioral1/memory/2000-66-0x0000000000400000-0x000000000044C000-memory.dmp | modiloader_stage2
  behavioral1/memory/2000-70-0x0000000000400000-0x000000000044C000-memory.dmp | modiloader_stage2
  behavioral1/memory/2000-74-0x0000000000400000-0x000000000044C000-memory.dmp | modiloader_stage2
  behavioral1/memory/2000-78-0x0000000000400000-0x000000000044C000-memory.dmp | modiloader_stage2
  behavioral1/memory/2000-82-0x0000000000400000-0x000000000044C000-memory.dmp | modiloader_stage2
  behavioral1/memory/2000-86-0x0000000000400000-0x000000000044C000-memory.dmp | modiloader_stage2
- Executes dropped EXE (2 IoCs)
  pid | Process
  1856 | jjjjj.exe
  2000 | mstwain32.exe
- Loads dropped DLL (3 IoCs)
  pid | Process
  2204 | 8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe
  2204 | 8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe
  1856 | jjjjj.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe" | mstwain32.exe
- Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | jjjjj.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mstwain32.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mstwain32.exe
- Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\cmsetac.dll | mstwain32.exe
  File created | C:\Windows\mstwain32.exe | jjjjj.exe
  File opened for modification | C:\Windows\mstwain32.exe | jjjjj.exe
  File created | C:\Windows\ntdtcstp.dll | mstwain32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jjjjj.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mstwain32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1856 | jjjjj.exe
  Token: SeDebugPrivilege | 2000 | mstwain32.exe
  Token: SeDebugPrivilege | 2000 | mstwain32.exe
  Token: SeDebugPrivilege | 2152 | DllHost.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  2152 | DllHost.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  2000 | mstwain32.exe
  2152 | DllHost.exe
  2152 | DllHost.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2204 wrote to memory of 1856 | 2204 | 8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe | 31
  PID 2204 wrote to memory of 1856 | 2204 | 8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe | 31
  PID 2204 wrote to memory of 1856 | 2204 | 8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe | 31
  PID 2204 wrote to memory of 1856 | 2204 | 8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe | 31
  PID 1856 wrote to memory of 2000 | 1856 | jjjjj.exe | 32
  PID 1856 wrote to memory of 2000 | 1856 | jjjjj.exe | 32
  PID 1856 wrote to memory of 2000 | 1856 | jjjjj.exe | 32
  PID 1856 wrote to memory of 2000 | 1856 | jjjjj.exe | 32
- System policy modification (1 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mstwain32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe"
  PID: 2204
  Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\jjjjj.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\jjjjj.exe"
    PID: 1856
    Signatures:
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    - C:\Windows\mstwain32.exe
      Command line: "C:\Windows\mstwain32.exe"
      PID: 2000
      Signatures:
        - UAC bypass
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - System policy modification
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 2152
  Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (3)
Downloads
- Filesize: 81KB
  MD5: 070cf6787aa56fbdaa1b2fd98708c34c
  SHA1: fb662cbd45033e03f65e0f278f44f4206a3c4293
  SHA256: e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f
  SHA512: 93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52
- Filesize: 273KB
  MD5: fded445cd6d03172ac06cf88d46a7abe
  SHA1: 6637f6749a867124c92a45aa4fd08d46554e3dec
  SHA256: 752a869b722ac3f849302bd2ae524f0a18b3efbc1a5ba1fcb4abf87951487eee
  SHA512: addb458aa7a720ec9deb6da8c1f59ca9282274bd4ec7b0c00079d683870a9bf029e7f599578348c538f947dabe6e71420a33f0d63eda586739a43fcf27f6391e
- Filesize: 33KB
  MD5: ecd1ec35f1a108caefb815244a0c0aaa
  SHA1: 65f97469c6a840c68c1055170e3c251f72124403
  SHA256: 7f26a2f6845092441f19ad22f0e15db14ee95c20c9ffac2a163bd8df6a827caf
  SHA512: 569ef656848d01ec9c3075eb889d107f6ff732964f848db681456fac2c50da1c5ef5ee75badacc4c71878c92822e94ff2f7cac23e21d7ecfdb47983c56053e78