Analysis Overview
SHA256
4dde47ad729e17327906605b20359031be76f032585bf7a67622e7229d5c8a68
Threat Level: Known bad
The file JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676 was found to be: Known bad.
Malicious Activity Summary
Modiloader family
ModiLoader, DBatLoader
ModiLoader Second Stage
LatentBot
Latentbot family
UAC bypass
ModiLoader Second Stage
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
System policy modification
Suspicious use of SetWindowsHookEx
Uses Volume Shadow Copy service COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-05 17:34
Signatures
ModiLoader Second Stage
Modiloader family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-05 17:34
Reported
2025-03-05 17:36
Platform
win10v2004-20250217-en
Max time kernel
147s
Max time network
148s
Signatures
LatentBot
Latentbot family
ModiLoader, DBatLoader
Modiloader family
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
ModiLoader Second Stage
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
UPX packed file
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | ragnarokmetal.zapto.org | udp |
| US | 8.8.8.8:53 | ragnarokmetal.zapto.org | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | ragnarokmetal.zapto.org | udp |
| US | 8.8.8.8:53 | ragnarokmetal.zapto.org | udp |
| US | 8.8.8.8:53 | ragnarokmetal.zapto.org | udp |
| US | 8.8.8.8:53 | ragnarokmetal.zapto.org | udp |
| US | 8.8.8.8:53 | ragnarokmetal.zapto.org | udp |
| US | 8.8.8.8:53 | ragnarokmetal.zapto.org | udp |
Files
memory/876-0-0x0000000000400000-0x0000000000450000-memory.dmp
memory/876-1-0x00000000006D0000-0x00000000006D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ntdtcstp.dll
| MD5 | 67587e25a971a141628d7f07bd40ffa0 |
| SHA1 | 76fcd014539a3bb247cc0b761225f68bd6055f6b |
| SHA256 | e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378 |
| SHA512 | 6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350 |
C:\Users\Admin\AppData\Local\Temp\cmsetac.dll
| MD5 | 5916979db28b2291a0de89fa2ea1c4ef |
| SHA1 | 89b50c7c64294cc18d058d7d82e43f293c96911c |
| SHA256 | c4546d55d0635d5e110f7674ba986d47082ec8352a4a1da4fb5724accc49b71b |
| SHA512 | 8f485f3da27655a248fbe2667859130448461725af5ea679a5e85f13fe83652e6f0a3f92321b0b714e9b75d5f050f45800f88b7f198455c1ea523d17fc17946d |
memory/876-12-0x00000000029E0000-0x00000000029EE000-memory.dmp
memory/876-15-0x00000000029D0000-0x00000000029D1000-memory.dmp
memory/876-16-0x0000000000400000-0x0000000000450000-memory.dmp
memory/876-18-0x00000000029E0000-0x00000000029EE000-memory.dmp
memory/876-17-0x0000000002440000-0x0000000002448000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-05 17:34
Reported
2025-03-05 17:36
Platform
win7-20241010-en
Max time kernel
143s
Max time network
19s
Signatures
LatentBot
Latentbot family
ModiLoader, DBatLoader
Modiloader family
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
ModiLoader Second Stage
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
UPX packed file
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe | N/A |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_52fe5e914606343e4e11e4d7f7f34676.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ragnarokmetal.zapto.org | udp |
Files
memory/2148-0-0x0000000000400000-0x0000000000450000-memory.dmp
memory/2148-1-0x0000000000400000-0x0000000000450000-memory.dmp
memory/2148-2-0x0000000000550000-0x0000000000551000-memory.dmp
\Users\Admin\AppData\Local\Temp\ntdtcstp.dll
| MD5 | 67587e25a971a141628d7f07bd40ffa0 |
| SHA1 | 76fcd014539a3bb247cc0b761225f68bd6055f6b |
| SHA256 | e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378 |
| SHA512 | 6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350 |
\Users\Admin\AppData\Local\Temp\cmsetac.dll
| MD5 | 5916979db28b2291a0de89fa2ea1c4ef |
| SHA1 | 89b50c7c64294cc18d058d7d82e43f293c96911c |
| SHA256 | c4546d55d0635d5e110f7674ba986d47082ec8352a4a1da4fb5724accc49b71b |
| SHA512 | 8f485f3da27655a248fbe2667859130448461725af5ea679a5e85f13fe83652e6f0a3f92321b0b714e9b75d5f050f45800f88b7f198455c1ea523d17fc17946d |
memory/2148-8-0x00000000027E0000-0x00000000027EE000-memory.dmp
memory/2148-10-0x0000000076B00000-0x0000000076B01000-memory.dmp
memory/2148-11-0x0000000076AF0000-0x0000000076BE0000-memory.dmp
memory/2148-12-0x0000000076AF0000-0x0000000076BE0000-memory.dmp
memory/2148-13-0x0000000001F30000-0x0000000001F38000-memory.dmp
memory/2148-14-0x00000000027E0000-0x00000000027EE000-memory.dmp
memory/2148-15-0x0000000076AF0000-0x0000000076BE0000-memory.dmp