Analysis
-
max time kernel
149s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
15/01/2025, 13:46
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_589550b043dc1cabc26bd81a6e226000.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_589550b043dc1cabc26bd81a6e226000.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_589550b043dc1cabc26bd81a6e226000.exe
-
Size
282KB
-
MD5
589550b043dc1cabc26bd81a6e226000
-
SHA1
28474e51357f3812bf2d0bd28d58cb68524f6e1d
-
SHA256
24307e6bfa579f50214f3b625f17f77292758bf31d47d4d075956d955ddbe98f
-
SHA512
3ce4218ffb8683c79126c1bc528d9a595e04d96b70329809193bf77e0ee1d7a01874768a71fa5fa6672f7cd5403ca320481086e43e5e8e9ff621b16268fda092
-
SSDEEP
6144:D94pAd9wbddDTA7R4gSNiX27v/3MJbhuEVKnte:ix84g4iX2v/3eEE2t
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WinLogon.exe -
ModiLoader Second Stage 16 IoCs
resource yara_rule behavioral1/files/0x0007000000012117-9.dat modiloader_stage2 behavioral1/memory/2656-20-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1656-27-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1656-30-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1656-33-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1656-36-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1656-39-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1656-43-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1656-46-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1656-49-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1656-52-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1656-55-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1656-58-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1656-61-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1656-64-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral1/memory/1656-67-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 -
Executes dropped EXE 2 IoCs
pid Process 2656 qMYeem2xSq7QCOl9373.exe 1656 WinLogon.exe -
Loads dropped DLL 1 IoCs
pid Process 2656 qMYeem2xSq7QCOl9373.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\WinLogon.exe" WinLogon.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qMYeem2xSq7QCOl9373.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WinLogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WinLogon.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\WinLogon.exe qMYeem2xSq7QCOl9373.exe File opened for modification C:\Windows\WinLogon.exe qMYeem2xSq7QCOl9373.exe File created C:\Windows\ntdtcstp.dll WinLogon.exe File created C:\Windows\cmsetac.dll WinLogon.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qMYeem2xSq7QCOl9373.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WinLogon.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeDebugPrivilege 2812 JaffaCakes118_589550b043dc1cabc26bd81a6e226000.exe Token: SeDebugPrivilege 2656 qMYeem2xSq7QCOl9373.exe Token: SeBackupPrivilege 2448 vssvc.exe Token: SeRestorePrivilege 2448 vssvc.exe Token: SeAuditPrivilege 2448 vssvc.exe Token: SeDebugPrivilege 1656 WinLogon.exe Token: SeDebugPrivilege 1656 WinLogon.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1656 WinLogon.exe 1656 WinLogon.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2812 wrote to memory of 2656 2812 JaffaCakes118_589550b043dc1cabc26bd81a6e226000.exe 29 PID 2812 wrote to memory of 2656 2812 JaffaCakes118_589550b043dc1cabc26bd81a6e226000.exe 29 PID 2812 wrote to memory of 2656 2812 JaffaCakes118_589550b043dc1cabc26bd81a6e226000.exe 29 PID 2812 wrote to memory of 2656 2812 JaffaCakes118_589550b043dc1cabc26bd81a6e226000.exe 29 PID 2656 wrote to memory of 1656 2656 qMYeem2xSq7QCOl9373.exe 33 PID 2656 wrote to memory of 1656 2656 qMYeem2xSq7QCOl9373.exe 33 PID 2656 wrote to memory of 1656 2656 qMYeem2xSq7QCOl9373.exe 33 PID 2656 wrote to memory of 1656 2656 qMYeem2xSq7QCOl9373.exe 33 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WinLogon.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_589550b043dc1cabc26bd81a6e226000.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_589550b043dc1cabc26bd81a6e226000.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Users\Admin\AppData\Local\Temp\qMYeem2xSq7QCOl9373.exe"C:\Users\Admin\AppData\Local\Temp\qMYeem2xSq7QCOl9373.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\WinLogon.exe"C:\Windows\WinLogon.exe" \melt "C:\Users\Admin\AppData\Local\Temp\qMYeem2xSq7QCOl9373.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1656
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2448
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
270KB
MD582781f428db2ae778562e46e3783d750
SHA1303e906a1e83f1726b7ee5961ca22844ba25f4d0
SHA256e3106be2d49821617465af99dd634a329315efe54c15ca3cc7284be522aed05b
SHA5127dc281a1f2affb7ed735ca30dd474e7381f896dada2dd2054e65ab4ce5dc661947ba8c8e32e27195ebea4e804e14f326ae182def9863435d2c49f2a98d964e40