Analysis
Max time kernel: 149s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 16/01/2025, 21:31
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe
Size: 316KB
MD5: 82769264acdda208929c9ca2dfcfa756
SHA1: 1258576fb14376229c37b9bee584014757228405
SHA256: 4baa31b982caf138fe41ad2549fe661103b3115a9834eb83d608713067f17e98
SHA512: 632c1708a45614e4b17bbab08d504ccf3f3ecd10a32debb98ec916de63f2a49a7493f6dc560994cd0a004de50ef69e63557f5b37e7b0e8318c490f5448e26e91
SSDEEP: 6144:b/0uoof1debxrOo4Ap3Ft7cacLOdrc4WgW76F3iaCp/C:bJj1debxrOO/gacLOdrctgK6Nup/C
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modiloader family

UAC bypass (signature attributed to msn23.exe in the process tree below)
  description       ioc                                                                                        Process
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   msn23.exe

ModiLoader Second Stage 16 IoCs
  resource                                                                      yara_rule
  behavioral2/files/0x0008000000023cd9-21.dat                                   modiloader_stage2
  behavioral2/memory/3528-32-0x0000000000400000-0x000000000044B000-memory.dmp    modiloader_stage2
  behavioral2/memory/1452-52-0x0000000000400000-0x000000000044B000-memory.dmp    modiloader_stage2
  behavioral2/memory/1452-55-0x0000000000400000-0x000000000044B000-memory.dmp    modiloader_stage2
  behavioral2/memory/1452-58-0x0000000000400000-0x000000000044B000-memory.dmp    modiloader_stage2
  behavioral2/memory/1452-61-0x0000000000400000-0x000000000044B000-memory.dmp    modiloader_stage2
  behavioral2/memory/1452-64-0x0000000000400000-0x000000000044B000-memory.dmp    modiloader_stage2
  behavioral2/memory/1452-67-0x0000000000400000-0x000000000044B000-memory.dmp    modiloader_stage2
  behavioral2/memory/1452-70-0x0000000000400000-0x000000000044B000-memory.dmp    modiloader_stage2
  behavioral2/memory/1452-73-0x0000000000400000-0x000000000044B000-memory.dmp    modiloader_stage2
  behavioral2/memory/1452-76-0x0000000000400000-0x000000000044B000-memory.dmp    modiloader_stage2
  behavioral2/memory/1452-79-0x0000000000400000-0x000000000044B000-memory.dmp    modiloader_stage2
  behavioral2/memory/1452-82-0x0000000000400000-0x000000000044B000-memory.dmp    modiloader_stage2
  behavioral2/memory/1452-85-0x0000000000400000-0x000000000044B000-memory.dmp    modiloader_stage2
  behavioral2/memory/1452-88-0x0000000000400000-0x000000000044B000-memory.dmp    modiloader_stage2
  behavioral2/memory/1452-91-0x0000000000400000-0x000000000044B000-memory.dmp    modiloader_stage2
  The dumps for PID 3528 (foto3.bat) and PID 1452 (msn23.exe) cover the same 0x400000-0x44B000 image range and hit the same rule. foto3.bat is therefore a PE carrying a script extension (the sandbox runs it as a dropped EXE), and since it is the process that creates C:\Windows\msn23.exe, the second stage is consistent with foto3.bat copying itself into the Windows directory.
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely a geofence. Legitimate software reads this value too, so on its own it is a weak indicator; it matters here because of the processes doing the lookup.
  description         ioc                                                                                                    Process
  Key value queried   \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation   ArquivoSecundario.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation   foto3.bat
Executes dropped EXE 5 IoCs
  pid    Process
  2024   ARQUIVO.EXE
  212    ArquivoPrimario.exe
  4520   ArquivoSecundario.exe
  3528   foto3.bat
  1452   msn23.exe

Loads dropped DLL 6 IoCs
  pid    Process
  1452   msn23.exe
  1452   msn23.exe
  1452   msn23.exe
  1452   msn23.exe
  212    ArquivoPrimario.exe
  212    ArquivoPrimario.exe
Adds Run key to start application 2 TTPs 2 IoCs
  description       ioc                                                                                                                                                                                                          Process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msn23 = "C:\\Windows\\msn23.exe"                                                                msn23.exe
  The RunOnce\wextract_cleanup0 value is the standard self-cleanup entry written by the Windows IExpress/wextract self-extractor (IXP000.TMP is its extraction folder): it deletes that temp directory at the next logon and is not persistence. It does tell you the submitted sample is an IExpress package wrapping ARQUIVO.EXE. The actual persistence is the HKCU Run\msn23 value pointing at C:\Windows\msn23.exe.

Checks whether UAC is enabled (signature attributed to foto3.bat and msn23.exe in the process tree below)
  description         ioc                                                                                        Process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA         foto3.bat
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA         msn23.exe
  Set value (int)     \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   msn23.exe
Drops file in Windows directory 4 IoCs
  description                  ioc                        Process
  File created                 C:\Windows\cmsetac.dll     msn23.exe
  File created                 C:\Windows\msn23.exe       foto3.bat
  File opened for modification C:\Windows\msn23.exe       foto3.bat
  File created                 C:\Windows\ntdtcstp.dll    msn23.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                        Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ArquivoSecundario.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   foto3.bat
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   msn23.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ARQUIVO.EXE
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ArquivoPrimario.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
  description                 pid    Process
  Token: SeDebugPrivilege     3528   foto3.bat
  Token: SeBackupPrivilege    4352   vssvc.exe
  Token: SeRestorePrivilege   4352   vssvc.exe
  Token: SeAuditPrivilege     4352   vssvc.exe
  Token: SeDebugPrivilege     1452   msn23.exe
  Token: SeDebugPrivilege     1452   msn23.exe
  Token: SeDebugPrivilege     212    ArquivoPrimario.exe
Suspicious use of SetWindowsHookEx 3 IoCs
  pid    Process
  2024   ARQUIVO.EXE
  1452   msn23.exe
  1452   msn23.exe
Suspicious use of WriteProcessMemory 15 IoCs
  description                        pid    Process                                               procid_target
  PID 3108 wrote to memory of 2024   3108   JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe    83
  PID 3108 wrote to memory of 2024   3108   JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe    83
  PID 3108 wrote to memory of 2024   3108   JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe    83
  PID 2024 wrote to memory of 212    2024   ARQUIVO.EXE                                           84
  PID 2024 wrote to memory of 212    2024   ARQUIVO.EXE                                           84
  PID 2024 wrote to memory of 212    2024   ARQUIVO.EXE                                           84
  PID 2024 wrote to memory of 4520   2024   ARQUIVO.EXE                                           85
  PID 2024 wrote to memory of 4520   2024   ARQUIVO.EXE                                           85
  PID 2024 wrote to memory of 4520   2024   ARQUIVO.EXE                                           85
  PID 4520 wrote to memory of 3528   4520   ArquivoSecundario.exe                                 86
  PID 4520 wrote to memory of 3528   4520   ArquivoSecundario.exe                                 86
  PID 4520 wrote to memory of 3528   4520   ArquivoSecundario.exe                                 86
  PID 3528 wrote to memory of 1452   3528   foto3.bat                                             90
  PID 3528 wrote to memory of 1452   3528   foto3.bat                                             90
  PID 3528 wrote to memory of 1452   3528   foto3.bat                                             90
  Every pair here is a parent writing into a child it has just created, and the pairs match the process tree below exactly (3108 > 2024 > 212 / 4520 > 3528 > 1452). These entries record process creation, not injection into an unrelated process; the sandbox does not report any write into a process outside this chain.
System policy modification 1 TTPs 1 IoCs
  description       ioc                                                                                        Process
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   msn23.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
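The behaviours flagged above (EnableLUA set to 0, a Run value pointing at C:\Windows\msn23.exe, PEs dropped straight into C:\Windows, a PE executed under a .bat name, and the wextract cleanup entry that is not persistence) translate directly into host detection logic. The following is an added example, not part of the sandbox report and not any vendor's ruleset: Python rules run over constructed Sysmon-style events (event IDs 1, 11 and 13 in a simplified dict form, not real telemetry) that mirror this report's IoCs, plus two benign control events that must not alert. The rule names, the event schema and the path heuristics are assumptions of this example.

```python
import re

# Constructed Sysmon-style events mirroring this report's IoCs (not real telemetry).
# id 1 = process create, 11 = file create, 13 = registry value set.
SID = "S-1-5-21-940901362-3608833189-1915618603-1000"
TMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
EVENTS = [
    {"id": 13, "image": TMP + "\\JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe",
     "target": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0",
     "details": "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 " + TMP + "\\IXP000.TMP\\"},
    {"id": 1, "image": TMP + "\\foto3.bat", "parent": TMP + "\\IXP000.TMP\\ArquivoSecundario.exe"},
    {"id": 11, "image": TMP + "\\foto3.bat", "target": "C:\\Windows\\msn23.exe"},
    {"id": 1, "image": "C:\\Windows\\msn23.exe", "parent": TMP + "\\foto3.bat"},
    {"id": 11, "image": "C:\\Windows\\msn23.exe", "target": "C:\\Windows\\cmsetac.dll"},
    {"id": 11, "image": "C:\\Windows\\msn23.exe", "target": "C:\\Windows\\ntdtcstp.dll"},
    {"id": 13, "image": "C:\\Windows\\msn23.exe",
     "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
     "details": "DWORD (0x00000000)"},
    {"id": 13, "image": "C:\\Windows\\msn23.exe",
     "target": "HKU\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\msn23",
     "details": "C:\\Windows\\msn23.exe"},
    # Benign controls (constructed): a system file write and a vendor updater's Run value.
    {"id": 11, "image": "C:\\Windows\\System32\\svchost.exe",
     "target": "C:\\Windows\\System32\\config\\SAM.LOG1"},
    {"id": 13, "image": "C:\\Program Files\\Vendor\\updater.exe",
     "target": "HKU\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
     "details": "C:\\Program Files\\Vendor\\updater.exe"},
]

# A PE sitting directly in the Windows root, not in a subdirectory (assumed heuristic).
WINDOWS_ROOT_PE = re.compile(r"^C:\\Windows\\[^\\]+\.(exe|dll)$", re.I)
# Autostart targets worth alerting on: Windows root, any Temp directory, or a user profile.
SUSPICIOUS_AUTOSTART = re.compile(r"^(C:\\Windows\\[^\\]+\.exe|.*\\Temp\\.*|C:\\Users\\.*)$", re.I)
SCRIPT_EXT = re.compile(r"\.(bat|cmd)$", re.I)


def rule_uac_disabled(e):
    """EnableLUA written as 0 (the report's 'UAC bypass' / 'System policy modification')."""
    return (e["id"] == 13
            and e["target"].lower().endswith("\\policies\\system\\enablelua")
            and "0x00000000" in e.get("details", ""))


def rule_run_key_suspicious_path(e):
    """A Run value whose data points at an unusual location (here C:\\Windows\\msn23.exe).
    RunOnce is excluded on purpose; see rule_wextract_sfx."""
    if e["id"] != 13 or "\\currentversion\\run\\" not in e["target"].lower():
        return False
    return SUSPICIOUS_AUTOSTART.match(e.get("details", "").strip('"')) is not None


def rule_wextract_sfx(e):
    """Informational only: RunOnce\\wextract_cleanupN is the self-cleanup entry written by
    the Windows IExpress/wextract self-extractor. It marks an SFX package, not persistence."""
    return e["id"] == 13 and "\\runonce\\wextract_cleanup" in e["target"].lower()


def rule_pe_dropped_in_windows_root(e):
    """An EXE/DLL created directly under C:\\Windows by something other than System32 code."""
    return (e["id"] == 11
            and WINDOWS_ROOT_PE.match(e["target"]) is not None
            and not e["image"].lower().startswith("c:\\windows\\system32\\"))


def rule_pe_with_script_extension(e):
    """Assumption: process-creation telemetry records the image actually mapped, so a real
    batch file appears as cmd.exe; an image ending in .bat is a PE stored under a script name."""
    return e["id"] == 1 and SCRIPT_EXT.search(e["image"]) is not None


RULES = [rule_uac_disabled, rule_run_key_suspicious_path, rule_wextract_sfx,
         rule_pe_dropped_in_windows_root, rule_pe_with_script_extension]


def run_rules(events):
    """Return (rule name, image, target) for every rule that fires on every event."""
    return [(rule.__name__, e["image"], e.get("target", ""))
            for e in events for rule in RULES if rule(e)]


def summarize(hits):
    """Hits per rule, comparable with the report's own per-signature IoC counts."""
    counts = {}
    for name, _, _ in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in run_rules(EVENTS):
        print(*hit)
```

On the constructed events the five rules fire seven times in total: once each for the EnableLUA write, the Run\msn23 value, the wextract marker and the .bat image, and three times for the files created in C:\Windows; neither control event matches. The RunOnce\wextract_cleanup0 value is deliberately excluded from the Run-key rule and surfaced only as an informational marker, because treating it as persistence would flag every IExpress package ever run on the host.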
Processes
The leading number and the indentation give the depth in the process tree.
1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe"
   PID: 3108
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ARQUIVO.EXE
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ARQUIVO.EXE
      PID: 2024
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ArquivoPrimario.exe
         Command line: ArquivoPrimario.exe
         PID: 212
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ArquivoSecundario.exe
         Command line: ArquivoSecundario.exe
         PID: 4520
         - Checks computer location settings
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\foto3.bat
            Command line: "C:\Users\Admin\AppData\Local\Temp\foto3.bat"
            PID: 3528
            - Checks computer location settings
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\msn23.exe
               Command line: "C:\Windows\msn23.exe"
               PID: 1452
               - UAC bypass
               - Executes dropped EXE
               - Loads dropped DLL
               - Adds Run key to start application
               - Checks whether UAC is enabled
               - Drops file in Windows directory
               - System Location Discovery: System Language Discovery
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of SetWindowsHookEx
               - System policy modification
1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   PID: 4352
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (1): Disable or Modify Tools (1)
  Modify Registry (3)
Downloads
Filesize: 365KB
  MD5: 7f50c824cab4b27167e02bde0fa935b0
  SHA1: 043d77d7f08cbb57c1e306f8c9b6f208a6bbe11f
  SHA256: 1e5f801f8e58dbde81c35f7dea66f71f2a719cf803faa83c280702b4ff003f31
  SHA512: 5b854607b6f66a2806b9af1df042757a541a8bb9370725ebb5ec151cca19fbeac8c5fc83380b95df5b52f419b509fc810f2dba1e68d3258ba5a360d5d78d8ec4
Filesize: 129KB
  MD5: 6cea0342972a909df2b23d29776fc929
  SHA1: b6e9164dd667d396ef37b060f57b73f1422571c0
  SHA256: 5dc5a8e071ac99f6c65ac7c6a817d890be231eb138aa027e40bc8cb842714b9f
  SHA512: 3ee621e4e96b93340185c7ccde1fbce58eab982bb7a23d84ba17dcb9919b70760f73c2926d264da26858433bd50611a5d801e34cde32c8b52197f53bdfcd49c3
Filesize: 211KB
  MD5: 66bd28e4234d2a4608e10218c7338ab5
  SHA1: 2b442d3342027f8755380010852620a385eb4769
  SHA256: bd0e22518bc19fc6ec597d45107c977a62af85bf8600df6793704d4f563d5e3e
  SHA512: cae7d56e991a161be0b023a231ba335d002aae7c2f17456e1c4720a026684bc1a9ca40f246a04eafe13ee3b2be974788f855c3f83265f0758c374dd25d548a72
Filesize: 270KB
  MD5: 7b5f1429485222465b36c6246828ecde
  SHA1: 2985afffd049285e4ada0711f196a046565fa6db
  SHA256: f338625fef25ee0551000bf67c01971839a7e2c056c4dcf68be290e64ee31e1e
  SHA512: ad2d9d029547349acdf2236277697b2da68826cf9cb661de2640666df1fafcf359f8957583e5e6553b69ba8731b06de02dab25c6a92e82225bcc1c3fca568435
Filesize: 33KB
  MD5: a9d635b572166225b5da25979837923d
  SHA1: c37bec1b3f69077ce9d95745e3b9bb7c2ff5a4db
  SHA256: 3d354eb117b25a7e53f5507e18601b474b7f6e5ecfb27b3c1c8c744180bca644
  SHA512: d943a36f188bfb03b6afd1f27fa06d7dbce2c10f65f820b7b110a714af806c1b0cb60620ae6f28b070ed0f9955635f5640964f323216543514613afd953215c2
Filesize: 7KB
  MD5: 67587e25a971a141628d7f07bd40ffa0
  SHA1: 76fcd014539a3bb247cc0b761225f68bd6055f6b
  SHA256: e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
  SHA512: 6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350