Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/01/2025, 21:31

General

  • Target

    JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe

  • Size

    316KB

  • MD5

    82769264acdda208929c9ca2dfcfa756

  • SHA1

    1258576fb14376229c37b9bee584014757228405

  • SHA256

    4baa31b982caf138fe41ad2549fe661103b3115a9834eb83d608713067f17e98

  • SHA512

    632c1708a45614e4b17bbab08d504ccf3f3ecd10a32debb98ec916de63f2a49a7493f6dc560994cd0a004de50ef69e63557f5b37e7b0e8318c490f5448e26e91

  • SSDEEP

    6144:b/0uoof1debxrOo4Ap3Ft7cacLOdrc4WgW76F3iaCp/C:bJj1debxrOO/gacLOdrctgK6Nup/C

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • UAC bypass 3 TTPs 1 IoCs
  • ModiLoader Second Stage 16 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3108
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ARQUIVO.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ARQUIVO.EXE
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ArquivoPrimario.exe
        ArquivoPrimario.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:212
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ArquivoSecundario.exe
        ArquivoSecundario.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4520
        • C:\Users\Admin\AppData\Local\Temp\foto3.bat
          "C:\Users\Admin\AppData\Local\Temp\foto3.bat"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3528
          • C:\Windows\msn23.exe
            "C:\Windows\msn23.exe"
            5⤵
            • UAC bypass
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • System policy modification
            PID:1452
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4352

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ARQUIVO.EXE

    Filesize

    365KB

    MD5

    7f50c824cab4b27167e02bde0fa935b0

    SHA1

    043d77d7f08cbb57c1e306f8c9b6f208a6bbe11f

    SHA256

    1e5f801f8e58dbde81c35f7dea66f71f2a719cf803faa83c280702b4ff003f31

    SHA512

    5b854607b6f66a2806b9af1df042757a541a8bb9370725ebb5ec151cca19fbeac8c5fc83380b95df5b52f419b509fc810f2dba1e68d3258ba5a360d5d78d8ec4

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ArquivoPrimario.exe

    Filesize

    129KB

    MD5

    6cea0342972a909df2b23d29776fc929

    SHA1

    b6e9164dd667d396ef37b060f57b73f1422571c0

    SHA256

    5dc5a8e071ac99f6c65ac7c6a817d890be231eb138aa027e40bc8cb842714b9f

    SHA512

    3ee621e4e96b93340185c7ccde1fbce58eab982bb7a23d84ba17dcb9919b70760f73c2926d264da26858433bd50611a5d801e34cde32c8b52197f53bdfcd49c3

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ArquivoSecundario.exe

    Filesize

    211KB

    MD5

    66bd28e4234d2a4608e10218c7338ab5

    SHA1

    2b442d3342027f8755380010852620a385eb4769

    SHA256

    bd0e22518bc19fc6ec597d45107c977a62af85bf8600df6793704d4f563d5e3e

    SHA512

    cae7d56e991a161be0b023a231ba335d002aae7c2f17456e1c4720a026684bc1a9ca40f246a04eafe13ee3b2be974788f855c3f83265f0758c374dd25d548a72

  • C:\Users\Admin\AppData\Local\Temp\foto3.bat

    Filesize

    270KB

    MD5

    7b5f1429485222465b36c6246828ecde

    SHA1

    2985afffd049285e4ada0711f196a046565fa6db

    SHA256

    f338625fef25ee0551000bf67c01971839a7e2c056c4dcf68be290e64ee31e1e

    SHA512

    ad2d9d029547349acdf2236277697b2da68826cf9cb661de2640666df1fafcf359f8957583e5e6553b69ba8731b06de02dab25c6a92e82225bcc1c3fca568435

  • C:\Windows\cmsetac.dll

    Filesize

    33KB

    MD5

    a9d635b572166225b5da25979837923d

    SHA1

    c37bec1b3f69077ce9d95745e3b9bb7c2ff5a4db

    SHA256

    3d354eb117b25a7e53f5507e18601b474b7f6e5ecfb27b3c1c8c744180bca644

    SHA512

    d943a36f188bfb03b6afd1f27fa06d7dbce2c10f65f820b7b110a714af806c1b0cb60620ae6f28b070ed0f9955635f5640964f323216543514613afd953215c2

  • C:\Windows\ntdtcstp.dll

    Filesize

    7KB

    MD5

    67587e25a971a141628d7f07bd40ffa0

    SHA1

    76fcd014539a3bb247cc0b761225f68bd6055f6b

    SHA256

    e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

    SHA512

    6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

  • memory/212-49-0x0000000003430000-0x000000000343E000-memory.dmp

    Filesize

    56KB

  • memory/212-51-0x0000000003430000-0x000000000343E000-memory.dmp

    Filesize

    56KB

  • memory/212-50-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/212-47-0x0000000003430000-0x000000000343E000-memory.dmp

    Filesize

    56KB

  • memory/212-48-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/1452-52-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1452-64-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1452-91-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1452-88-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1452-53-0x0000000000780000-0x0000000000788000-memory.dmp

    Filesize

    32KB

  • memory/1452-54-0x00000000030E0000-0x00000000030EE000-memory.dmp

    Filesize

    56KB

  • memory/1452-55-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1452-58-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1452-61-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1452-42-0x00000000030E0000-0x00000000030EE000-memory.dmp

    Filesize

    56KB

  • memory/1452-67-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1452-70-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1452-73-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1452-76-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1452-79-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1452-82-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1452-85-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/3528-32-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/4520-23-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB