Analysis
-
max time kernel
143s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
02-12-2024 19:29
General
-
Target
b9cf03850686d71f3ae84e1f01600f2a_JaffaCakes118.exe
-
Size
1.3MB
-
MD5
b9cf03850686d71f3ae84e1f01600f2a
-
SHA1
746d70f963ee6ec7a4dbc8c9adb906b5bde6ae09
-
SHA256
f5d984f8da9f7df520c7954dddd35fb005dcb3e9810608c9b9f329c8d3c723aa
-
SHA512
bc094a6a5fb7439e91a38bc89acdc43b628d90dd4b103baf6962c921523a35a4045f68c8b17abb3fba76298e7e1cf7191150387c218496e7b5d937e1469de208
-
SSDEEP
24576:fCwPAqhzRTLLEy8y8P6LStyJrNU9Y/t8KHYCGVEYC/:fvhzR3w6oyrNwY/HJaE5
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
UAC bypass 3 TTPs 1 IoCs
-
ModiLoader Second Stage 29 IoCs
-
ASPack v2.12-2.42 1 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE 1 IoCs
-
Themida packer 34 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9cf03850686d71f3ae84e1f01600f2a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b9cf03850686d71f3ae84e1f01600f2a_JaffaCakes118.exe"1⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\mstwain32.exe"C:\Windows\mstwain32.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD5b9cf03850686d71f3ae84e1f01600f2a
SHA1746d70f963ee6ec7a4dbc8c9adb906b5bde6ae09
SHA256f5d984f8da9f7df520c7954dddd35fb005dcb3e9810608c9b9f329c8d3c723aa
SHA512bc094a6a5fb7439e91a38bc89acdc43b628d90dd4b103baf6962c921523a35a4045f68c8b17abb3fba76298e7e1cf7191150387c218496e7b5d937e1469de208
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
56KB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4KB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
948KB
-
Filesize
64KB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
108KB
-
Filesize
2.7MB