Analysis

  • max time kernel
    144s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16/01/2025, 21:31

General

  • Target

    JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe

  • Size

    316KB

  • MD5

    82769264acdda208929c9ca2dfcfa756

  • SHA1

    1258576fb14376229c37b9bee584014757228405

  • SHA256

    4baa31b982caf138fe41ad2549fe661103b3115a9834eb83d608713067f17e98

  • SHA512

    632c1708a45614e4b17bbab08d504ccf3f3ecd10a32debb98ec916de63f2a49a7493f6dc560994cd0a004de50ef69e63557f5b37e7b0e8318c490f5448e26e91

  • SSDEEP

    6144:b/0uoof1debxrOo4Ap3Ft7cacLOdrc4WgW76F3iaCp/C:bJj1debxrOO/gacLOdrctgK6Nup/C

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • UAC bypass 3 TTPs 1 IoCs
  • ModiLoader Second Stage 16 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ARQUIVO.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ARQUIVO.EXE
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2344
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ArquivoPrimario.exe
        ArquivoPrimario.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3012
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ArquivoSecundario.exe
        ArquivoSecundario.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2148
        • C:\Users\Admin\AppData\Local\Temp\foto3.bat
          "C:\Users\Admin\AppData\Local\Temp\foto3.bat"
          4⤵
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2640
          • C:\Windows\msn23.exe
            "C:\Windows\msn23.exe"
            5⤵
            • UAC bypass
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • System policy modification
            PID:1900
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2688
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\foto3.bat

    Filesize

    270KB

    MD5

    7b5f1429485222465b36c6246828ecde

    SHA1

    2985afffd049285e4ada0711f196a046565fa6db

    SHA256

    f338625fef25ee0551000bf67c01971839a7e2c056c4dcf68be290e64ee31e1e

    SHA512

    ad2d9d029547349acdf2236277697b2da68826cf9cb661de2640666df1fafcf359f8957583e5e6553b69ba8731b06de02dab25c6a92e82225bcc1c3fca568435

  • C:\Users\Admin\AppData\Local\Temp\paula2.jpg

    Filesize

    60KB

    MD5

    5d4f1deedcd7ff59a3ad0e4ae50d6ea8

    SHA1

    89710ec4fbeea6ad261d4938ca35a1e4db6b7bd8

    SHA256

    09bc951a07ea9eb9ade81323a9280457f8c55a9e439862705ddbb1d191e3bee8

    SHA512

    0547b9f86b1ec931c9ad02cd3a2290481fc2fa219188cc11d77bfa8870685d4a6f4e435c9e4ee83b54f8c7a243e1650d8f889c79f6e426c6b209ef1e4c88dfe6

  • C:\Windows\cmsetac.dll

    Filesize

    33KB

    MD5

    a9d635b572166225b5da25979837923d

    SHA1

    c37bec1b3f69077ce9d95745e3b9bb7c2ff5a4db

    SHA256

    3d354eb117b25a7e53f5507e18601b474b7f6e5ecfb27b3c1c8c744180bca644

    SHA512

    d943a36f188bfb03b6afd1f27fa06d7dbce2c10f65f820b7b110a714af806c1b0cb60620ae6f28b070ed0f9955635f5640964f323216543514613afd953215c2

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\ARQUIVO.EXE

    Filesize

    365KB

    MD5

    7f50c824cab4b27167e02bde0fa935b0

    SHA1

    043d77d7f08cbb57c1e306f8c9b6f208a6bbe11f

    SHA256

    1e5f801f8e58dbde81c35f7dea66f71f2a719cf803faa83c280702b4ff003f31

    SHA512

    5b854607b6f66a2806b9af1df042757a541a8bb9370725ebb5ec151cca19fbeac8c5fc83380b95df5b52f419b509fc810f2dba1e68d3258ba5a360d5d78d8ec4

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\ArquivoPrimario.exe

    Filesize

    129KB

    MD5

    6cea0342972a909df2b23d29776fc929

    SHA1

    b6e9164dd667d396ef37b060f57b73f1422571c0

    SHA256

    5dc5a8e071ac99f6c65ac7c6a817d890be231eb138aa027e40bc8cb842714b9f

    SHA512

    3ee621e4e96b93340185c7ccde1fbce58eab982bb7a23d84ba17dcb9919b70760f73c2926d264da26858433bd50611a5d801e34cde32c8b52197f53bdfcd49c3

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\ArquivoSecundario.exe

    Filesize

    211KB

    MD5

    66bd28e4234d2a4608e10218c7338ab5

    SHA1

    2b442d3342027f8755380010852620a385eb4769

    SHA256

    bd0e22518bc19fc6ec597d45107c977a62af85bf8600df6793704d4f563d5e3e

    SHA512

    cae7d56e991a161be0b023a231ba335d002aae7c2f17456e1c4720a026684bc1a9ca40f246a04eafe13ee3b2be974788f855c3f83265f0758c374dd25d548a72

  • memory/1900-82-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1900-86-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1900-114-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1900-110-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1900-56-0x0000000001D40000-0x0000000001D4E000-memory.dmp

    Filesize

    56KB

  • memory/1900-106-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1900-102-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1900-98-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1900-61-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1900-63-0x0000000001D40000-0x0000000001D4E000-memory.dmp

    Filesize

    56KB

  • memory/1900-62-0x0000000000290000-0x0000000000298000-memory.dmp

    Filesize

    32KB

  • memory/1900-65-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1900-69-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1900-73-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1900-77-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1900-94-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1900-90-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/2148-43-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/2640-52-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/2688-60-0x0000000000D20000-0x0000000000D2E000-memory.dmp

    Filesize

    56KB

  • memory/2688-41-0x00000000001D0000-0x00000000001D2000-memory.dmp

    Filesize

    8KB

  • memory/2688-59-0x0000000000D20000-0x0000000000D2E000-memory.dmp

    Filesize

    56KB

  • memory/3012-40-0x0000000000470000-0x0000000000472000-memory.dmp

    Filesize

    8KB

  • memory/3012-44-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB