Analysis

max time kernel: 144s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16/01/2025, 21:31
Static task: static1

Behavioral task: behavioral1
Sample: JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe
Resource: win10v2004-20241007-en
General

Target: JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe
Size: 316KB
MD5: 82769264acdda208929c9ca2dfcfa756
SHA1: 1258576fb14376229c37b9bee584014757228405
SHA256: 4baa31b982caf138fe41ad2549fe661103b3115a9834eb83d608713067f17e98
SHA512: 632c1708a45614e4b17bbab08d504ccf3f3ecd10a32debb98ec916de63f2a49a7493f6dc560994cd0a004de50ef69e63557f5b37e7b0e8318c490f5448e26e91
SSDEEP: 6144:b/0uoof1debxrOo4Ap3Ft7cacLOdrc4WgW76F3iaCp/C:bJj1debxrOO/gacLOdrctgK6Nup/C
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modiloader family

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msn23.exe
ModiLoader Second Stage (16 IoCs)

resource | yara_rule
behavioral1/files/0x001700000001866d-38.dat | modiloader_stage2
behavioral1/memory/2640-52-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/1900-61-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/1900-65-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/1900-69-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/1900-73-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/1900-77-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/1900-82-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/1900-86-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/1900-90-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/1900-94-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/1900-98-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/1900-102-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/1900-106-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/1900-110-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
behavioral1/memory/1900-114-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
Executes dropped EXE (5 IoCs)

pid | Process
2344 | ARQUIVO.EXE
3012 | ArquivoPrimario.exe
2148 | ArquivoSecundario.exe
2640 | foto3.bat
1900 | msn23.exe
Loads dropped DLL (9 IoCs)

pid | Process
2296 | JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe
2296 | JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe
2344 | ARQUIVO.EXE
2344 | ARQUIVO.EXE
3012 | ArquivoPrimario.exe
2344 | ARQUIVO.EXE
2148 | ArquivoSecundario.exe
2148 | ArquivoSecundario.exe
2148 | ArquivoSecundario.exe
Adds Run key to start application (2 TTPs, 2 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\msn23 = "C:\\Windows\\msn23.exe" | msn23.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | foto3.bat
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msn23.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msn23.exe
Drops file in Windows directory (4 IoCs)

description | ioc | Process
File created | C:\Windows\msn23.exe | foto3.bat
File opened for modification | C:\Windows\msn23.exe | foto3.bat
File created | C:\Windows\ntdtcstp.dll | msn23.exe
File created | C:\Windows\cmsetac.dll | msn23.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | foto3.bat
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msn23.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ARQUIVO.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ArquivoPrimario.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ArquivoSecundario.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 2640 | foto3.bat
Token: SeBackupPrivilege | 2552 | vssvc.exe
Token: SeRestorePrivilege | 2552 | vssvc.exe
Token: SeAuditPrivilege | 2552 | vssvc.exe
Token: SeDebugPrivilege | 1900 | msn23.exe
Token: SeDebugPrivilege | 1900 | msn23.exe
Token: SeDebugPrivilege | 2688 | DllHost.exe
Suspicious use of FindShellTrayWindow (1 IoCs)

pid | Process
2688 | DllHost.exe

Suspicious use of SetWindowsHookEx (5 IoCs)

pid | Process
2344 | ARQUIVO.EXE
1900 | msn23.exe
1900 | msn23.exe
2688 | DllHost.exe
2688 | DllHost.exe
Suspicious use of WriteProcessMemory (35 IoCs)

description | pid | Process | procid_target
PID 2296 wrote to memory of 2344 | 2296 | JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe | 31
PID 2296 wrote to memory of 2344 | 2296 | JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe | 31
PID 2296 wrote to memory of 2344 | 2296 | JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe | 31
PID 2296 wrote to memory of 2344 | 2296 | JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe | 31
PID 2296 wrote to memory of 2344 | 2296 | JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe | 31
PID 2296 wrote to memory of 2344 | 2296 | JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe | 31
PID 2296 wrote to memory of 2344 | 2296 | JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe | 31
PID 2344 wrote to memory of 3012 | 2344 | ARQUIVO.EXE | 32
PID 2344 wrote to memory of 3012 | 2344 | ARQUIVO.EXE | 32
PID 2344 wrote to memory of 3012 | 2344 | ARQUIVO.EXE | 32
PID 2344 wrote to memory of 3012 | 2344 | ARQUIVO.EXE | 32
PID 2344 wrote to memory of 3012 | 2344 | ARQUIVO.EXE | 32
PID 2344 wrote to memory of 3012 | 2344 | ARQUIVO.EXE | 32
PID 2344 wrote to memory of 3012 | 2344 | ARQUIVO.EXE | 32
PID 2344 wrote to memory of 2148 | 2344 | ARQUIVO.EXE | 33
PID 2344 wrote to memory of 2148 | 2344 | ARQUIVO.EXE | 33
PID 2344 wrote to memory of 2148 | 2344 | ARQUIVO.EXE | 33
PID 2344 wrote to memory of 2148 | 2344 | ARQUIVO.EXE | 33
PID 2344 wrote to memory of 2148 | 2344 | ARQUIVO.EXE | 33
PID 2344 wrote to memory of 2148 | 2344 | ARQUIVO.EXE | 33
PID 2344 wrote to memory of 2148 | 2344 | ARQUIVO.EXE | 33
PID 2148 wrote to memory of 2640 | 2148 | ArquivoSecundario.exe | 35
PID 2148 wrote to memory of 2640 | 2148 | ArquivoSecundario.exe | 35
PID 2148 wrote to memory of 2640 | 2148 | ArquivoSecundario.exe | 35
PID 2148 wrote to memory of 2640 | 2148 | ArquivoSecundario.exe | 35
PID 2148 wrote to memory of 2640 | 2148 | ArquivoSecundario.exe | 35
PID 2148 wrote to memory of 2640 | 2148 | ArquivoSecundario.exe | 35
PID 2148 wrote to memory of 2640 | 2148 | ArquivoSecundario.exe | 35
PID 2640 wrote to memory of 1900 | 2640 | foto3.bat | 39
PID 2640 wrote to memory of 1900 | 2640 | foto3.bat | 39
PID 2640 wrote to memory of 1900 | 2640 | foto3.bat | 39
PID 2640 wrote to memory of 1900 | 2640 | foto3.bat | 39
PID 2640 wrote to memory of 1900 | 2640 | foto3.bat | 39
PID 2640 wrote to memory of 1900 | 2640 | foto3.bat | 39
PID 2640 wrote to memory of 1900 | 2640 | foto3.bat | 39
System policy modification (1 TTPs, 1 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msn23.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe"
    PID: 2296
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ARQUIVO.EXE
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ARQUIVO.EXE
        PID: 2344
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ArquivoPrimario.exe
            Command line: ArquivoPrimario.exe
            PID: 3012
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery

        [3] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ArquivoSecundario.exe
            Command line: ArquivoSecundario.exe
            PID: 2148
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\foto3.bat
                Command line: "C:\Users\Admin\AppData\Local\Temp\foto3.bat"
                PID: 2640
                - Executes dropped EXE
                - Checks whether UAC is enabled
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\msn23.exe
                    Command line: "C:\Windows\msn23.exe"
                    PID: 1900
                    - UAC bypass
                    - Executes dropped EXE
                    - Adds Run key to start application
                    - Checks whether UAC is enabled
                    - Drops file in Windows directory
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of SetWindowsHookEx
                    - System policy modification

[1] C:\Windows\SysWOW64\DllHost.exe
    Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    PID: 2688
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 2552
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (3)
Downloads

Filesize: 270KB
MD5: 7b5f1429485222465b36c6246828ecde
SHA1: 2985afffd049285e4ada0711f196a046565fa6db
SHA256: f338625fef25ee0551000bf67c01971839a7e2c056c4dcf68be290e64ee31e1e
SHA512: ad2d9d029547349acdf2236277697b2da68826cf9cb661de2640666df1fafcf359f8957583e5e6553b69ba8731b06de02dab25c6a92e82225bcc1c3fca568435

Filesize: 60KB
MD5: 5d4f1deedcd7ff59a3ad0e4ae50d6ea8
SHA1: 89710ec4fbeea6ad261d4938ca35a1e4db6b7bd8
SHA256: 09bc951a07ea9eb9ade81323a9280457f8c55a9e439862705ddbb1d191e3bee8
SHA512: 0547b9f86b1ec931c9ad02cd3a2290481fc2fa219188cc11d77bfa8870685d4a6f4e435c9e4ee83b54f8c7a243e1650d8f889c79f6e426c6b209ef1e4c88dfe6

Filesize: 33KB
MD5: a9d635b572166225b5da25979837923d
SHA1: c37bec1b3f69077ce9d95745e3b9bb7c2ff5a4db
SHA256: 3d354eb117b25a7e53f5507e18601b474b7f6e5ecfb27b3c1c8c744180bca644
SHA512: d943a36f188bfb03b6afd1f27fa06d7dbce2c10f65f820b7b110a714af806c1b0cb60620ae6f28b070ed0f9955635f5640964f323216543514613afd953215c2

Filesize: 365KB
MD5: 7f50c824cab4b27167e02bde0fa935b0
SHA1: 043d77d7f08cbb57c1e306f8c9b6f208a6bbe11f
SHA256: 1e5f801f8e58dbde81c35f7dea66f71f2a719cf803faa83c280702b4ff003f31
SHA512: 5b854607b6f66a2806b9af1df042757a541a8bb9370725ebb5ec151cca19fbeac8c5fc83380b95df5b52f419b509fc810f2dba1e68d3258ba5a360d5d78d8ec4

Filesize: 129KB
MD5: 6cea0342972a909df2b23d29776fc929
SHA1: b6e9164dd667d396ef37b060f57b73f1422571c0
SHA256: 5dc5a8e071ac99f6c65ac7c6a817d890be231eb138aa027e40bc8cb842714b9f
SHA512: 3ee621e4e96b93340185c7ccde1fbce58eab982bb7a23d84ba17dcb9919b70760f73c2926d264da26858433bd50611a5d801e34cde32c8b52197f53bdfcd49c3

Filesize: 211KB
MD5: 66bd28e4234d2a4608e10218c7338ab5
SHA1: 2b442d3342027f8755380010852620a385eb4769
SHA256: bd0e22518bc19fc6ec597d45107c977a62af85bf8600df6793704d4f563d5e3e
SHA512: cae7d56e991a161be0b023a231ba335d002aae7c2f17456e1c4720a026684bc1a9ca40f246a04eafe13ee3b2be974788f855c3f83265f0758c374dd25d548a72