Analysis
-
max time kernel
149s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20/01/2025, 13:18
Behavioral task
behavioral1
Sample
JaffaCakes118_e884c8639a6e449cd7b42b6564e78972.exe
Resource
win7-20240903-en
General
-
Target
JaffaCakes118_e884c8639a6e449cd7b42b6564e78972.exe
-
Size
1.2MB
-
MD5
e884c8639a6e449cd7b42b6564e78972
-
SHA1
e2ee3571fc9b89d664f94e2a4e3046f31c1b00e3
-
SHA256
1a11a573468395c178bcd689dda500a55140d21c70860c1b727c3fedbfbff836
-
SHA512
9c2127f348ac756304548bf6586bb35fe210bc8f900031fb82703f88d0915cc27aa715d60998bd976ffd412653b94cfd1edaeebfbfe91d8a4fb84e1beb20a588
-
SSDEEP
24576:kuGkPWqtpDX9iD0jG371rTaOO5+Uc6JlxXRq4F:kuG4WqHXQ0STN4la4F
Malware Config
Signatures
-
Darkcomet family
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 4 IoCs
resource yara_rule behavioral1/memory/2672-1-0x0000000000401000-0x0000000000409000-memory.dmp modiloader_stage2 behavioral1/memory/2672-3-0x0000000000400000-0x0000000000595000-memory.dmp modiloader_stage2 behavioral1/memory/2672-16-0x0000000000400000-0x0000000000595000-memory.dmp modiloader_stage2 behavioral1/memory/2672-17-0x0000000000401000-0x0000000000409000-memory.dmp modiloader_stage2 -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate 346356326.scr -
Executes dropped EXE 1 IoCs
pid Process 2808 346356326.scr -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine JaffaCakes118_e884c8639a6e449cd7b42b6564e78972.exe -
Loads dropped DLL 2 IoCs
pid Process 2672 JaffaCakes118_e884c8639a6e449cd7b42b6564e78972.exe 2672 JaffaCakes118_e884c8639a6e449cd7b42b6564e78972.exe -
resource yara_rule behavioral1/memory/2672-0-0x0000000000400000-0x0000000000595000-memory.dmp themida behavioral1/memory/2672-3-0x0000000000400000-0x0000000000595000-memory.dmp themida behavioral1/memory/2672-16-0x0000000000400000-0x0000000000595000-memory.dmp themida -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2672 JaffaCakes118_e884c8639a6e449cd7b42b6564e78972.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 346356326.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_e884c8639a6e449cd7b42b6564e78972.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 346356326.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 346356326.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 346356326.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier 346356326.scr -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier 346356326.scr -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2672 JaffaCakes118_e884c8639a6e449cd7b42b6564e78972.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2808 346356326.scr Token: SeSecurityPrivilege 2808 346356326.scr Token: SeTakeOwnershipPrivilege 2808 346356326.scr Token: SeLoadDriverPrivilege 2808 346356326.scr Token: SeSystemProfilePrivilege 2808 346356326.scr Token: SeSystemtimePrivilege 2808 346356326.scr Token: SeProfSingleProcessPrivilege 2808 346356326.scr Token: SeIncBasePriorityPrivilege 2808 346356326.scr Token: SeCreatePagefilePrivilege 2808 346356326.scr Token: SeBackupPrivilege 2808 346356326.scr Token: SeRestorePrivilege 2808 346356326.scr Token: SeShutdownPrivilege 2808 346356326.scr Token: SeDebugPrivilege 2808 346356326.scr Token: SeSystemEnvironmentPrivilege 2808 346356326.scr Token: SeChangeNotifyPrivilege 2808 346356326.scr Token: SeRemoteShutdownPrivilege 2808 346356326.scr Token: SeUndockPrivilege 2808 346356326.scr Token: SeManageVolumePrivilege 2808 346356326.scr Token: SeImpersonatePrivilege 2808 346356326.scr Token: SeCreateGlobalPrivilege 2808 346356326.scr Token: 33 2808 346356326.scr Token: 34 2808 346356326.scr Token: 35 2808 346356326.scr -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2788 DllHost.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2788 DllHost.exe 2788 DllHost.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2672 wrote to memory of 2808 2672 JaffaCakes118_e884c8639a6e449cd7b42b6564e78972.exe 31 PID 2672 wrote to memory of 2808 2672 JaffaCakes118_e884c8639a6e449cd7b42b6564e78972.exe 31 PID 2672 wrote to memory of 2808 2672 JaffaCakes118_e884c8639a6e449cd7b42b6564e78972.exe 31 PID 2672 wrote to memory of 2808 2672 JaffaCakes118_e884c8639a6e449cd7b42b6564e78972.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e884c8639a6e449cd7b42b6564e78972.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e884c8639a6e449cd7b42b6564e78972.exe"1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\346356326.scr"C:\Users\Admin\AppData\Local\Temp\346356326.scr" /S2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2788
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
712KB
MD5211b5f2b0388d20ee28e8682c86b3664
SHA1a8dfb9767284f9ac96baa95a8918487607eceabb
SHA256fd1d6217a3c70f0809297e61e9213b8c41fa5df822e62edc2deaeab1e008e731
SHA5124963313e3ddbb4fe79593d5cfcb5d11d71389adbd894add96dc1c3c07adaba43c50432122bc1c3002b27b1f6f25734f3029485b58b814e1de426b79d1c835692
-
Filesize
7KB
MD54f67e46669703411d4d3521f8e7dcd1b
SHA171488659cdbfd9efe10f8a051054c20c4e2134de
SHA2568f5994e316c345ef0d21393a0deecfa7d5fd1c60592327a51605d729ad3759f9
SHA512db234ad40f267097cead6a5ecea141fb6920f029fdfa991b0da35b95e0c49d1be422ad47173b49a4701266d5620af9ef6e2f63580810ef10dfd6348610d935b0