Analysis
-
max time kernel
145s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
29/11/2024, 09:47
General
-
Target
b06adf0b7cc598876491df473642b799_JaffaCakes118.exe
-
Size
273KB
-
MD5
b06adf0b7cc598876491df473642b799
-
SHA1
2d5b22109e4c63d4d413d6910cde0e501b7408da
-
SHA256
af6d59f54e679ae2adeeccac25fc1af47beb8c4e974acb3908c1ff7396a495eb
-
SHA512
9af08101ceb9b8059849bdf67a07fba83571051eb33db42e1a5e13391e1cae38e2f249cbd7d1ad900dfbc9dc484172790caa679b22d4c78a52507194f4ec01b2
-
SSDEEP
6144:tG377xS2Vp2CeiorXdwTBgWx4b53upcCJJvHS:Qr7xS2Vp6RwTyCfbJJvHS
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
UAC bypass 3 TTPs 1 IoCs
-
ModiLoader Second Stage 16 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Drops file in Windows directory 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b06adf0b7cc598876491df473642b799_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b06adf0b7cc598876491df473642b799_JaffaCakes118.exe"1⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\mstwain32.exe"C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\b06adf0b7cc598876491df473642b799_JaffaCakes118.exe"2⤵
- UAC bypass
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
273KB
MD5b06adf0b7cc598876491df473642b799
SHA12d5b22109e4c63d4d413d6910cde0e501b7408da
SHA256af6d59f54e679ae2adeeccac25fc1af47beb8c4e974acb3908c1ff7396a495eb
SHA5129af08101ceb9b8059849bdf67a07fba83571051eb33db42e1a5e13391e1cae38e2f249cbd7d1ad900dfbc9dc484172790caa679b22d4c78a52507194f4ec01b2
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
960KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
304KB
-
Filesize
56KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
304KB