Analysis
-
max time kernel
145s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
11-12-2024 22:04
General
-
Target
e36b5ca136805c9b6ca817be8e864d76_JaffaCakes118.exe
-
Size
1.3MB
-
MD5
e36b5ca136805c9b6ca817be8e864d76
-
SHA1
c82fc61efe4f53197f8b706abdcbdf30cdfafe1f
-
SHA256
41431474bc761c28c6d6a1d903b3fb523c8d383032b2d10cf74df0d20229cf3d
-
SHA512
d35210836168cc3862e1d0717564c078bbac5bd182cf5a8c9465764d6e47345333210329e8b0ac7d7d3a39e967d8da491a7fa655bafb9250d59e092a93366fa5
-
SSDEEP
24576:5SVjJXq5R8zVifDiUfLSNZy1pWF/qyNGwWv0OT:eJXq5RXuNZSa/zNGwW5T
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
UAC bypass 3 TTPs 1 IoCs
-
ModiLoader Second Stage 8 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e36b5ca136805c9b6ca817be8e864d76_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e36b5ca136805c9b6ca817be8e864d76_JaffaCakes118.exe"1⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\msgms.exe"C:\Windows\msgms.exe" \erit "C:\Users\Admin\AppData\Local\Temp\e36b5ca136805c9b6ca817be8e864d76_JaffaCakes118.exe"2⤵
- UAC bypass
- Deletes itself
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
758B
MD5e072e2cee859b4dd05a8355269dd1785
SHA1e162fca29a6a23402b974903748dfc2c09a800cf
SHA256d63967ff313c7d00217fc05b07f930c064cc5bf0f0089ed01e036afcb4e65eaa
SHA512e8edb26a4f3a83291ff629f737e9e35d876f72a24386ece9095994829eda2956f796dcbd4b04a3cb910322a7f728e7c3b302a23f614bae8f600bd1c315a9784f
-
Filesize
1.3MB
MD5e36b5ca136805c9b6ca817be8e864d76
SHA1c82fc61efe4f53197f8b706abdcbdf30cdfafe1f
SHA25641431474bc761c28c6d6a1d903b3fb523c8d383032b2d10cf74df0d20229cf3d
SHA512d35210836168cc3862e1d0717564c078bbac5bd182cf5a8c9465764d6e47345333210329e8b0ac7d7d3a39e967d8da491a7fa655bafb9250d59e092a93366fa5
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
960KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
960KB
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
960KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
960KB
-
Filesize
64KB
-
Filesize
960KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
1.3MB