Analysis
- max time kernel: 135s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 28-06-2024 02:45
Static task: static1
Behavioral task: behavioral1
  Sample: 188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: 188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
- Size: 302KB
- MD5: 188153f381a3b62bad11dd2f6ea6b498
- SHA1: 1468ddf7ad4464c787e216bf3a2f6a8f9e454778
- SHA256: 568bb20f086c3b66c94ac2bdc7bff91d5452d118aebe74d81dfdd70633e6ab50
- SHA512: 4dd529ba660261eedc5a152dd7cca11a2033440579f273f1edea2ff2ac882b8e6d6962450e29d702ff0e91725f8d407cb8d3d7db2b3b6139737b49f248726686
- SSDEEP: 6144:3q3W2JBfvGQopEnL3L+Z4i14RjzgKQQI697orKOYwUiJ+KRH0NNe3:6NopoLKZx1U9QssrswUYRHye3
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (5 IoCs)
  Processes (resource: yara_rule):
  - \??\c:\windows\SysWOW64\sysns.dll: modiloader_stage2
  - behavioral1/memory/2588-10-0x00000000009D0000-0x0000000000A4C000-memory.dmp: modiloader_stage2
  - behavioral1/memory/2996-11-0x0000000013140000-0x0000000013222000-memory.dmp: modiloader_stage2
  - behavioral1/memory/2588-15-0x00000000009D0000-0x0000000000A4C000-memory.dmp: modiloader_stage2
  - behavioral1/memory/2588-17-0x00000000009D0000-0x0000000000A4C000-memory.dmp: modiloader_stage2
- Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\netns\Parameters\ServiceDll = "C:\\Windows\\System32\\sysns.dll" (188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe)
- Deletes itself (1 IoCs)
  Processes (pid, process):
  - 2600 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  - 2588 svchost.exe
  - 2588 svchost.exe
- Drops file in System32 directory (5 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Windows\SysWOW64\netservice.exe (188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\SysWOW64\netservice.exe (188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe)
  - File created: C:\Windows\SysWOW64\sysns.dll (188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\SysWOW64\sysns.dll (188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe)
  - File created: C:\Windows\SysWOW64\plugin\001.dll (188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid, process):
  - 2996 188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Processes (description, pid, process):
  - Token: SeBackupPrivilege, 2996, 188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
  - Token: SeRestorePrivilege, 2996, 188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
  - Token: SeRestorePrivilege, 2996, 188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
  - Token: SeRestorePrivilege, 2996, 188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
  - Token: SeRestorePrivilege, 2996, 188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
  - Token: SeRestorePrivilege, 2996, 188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
  - Token: SeBackupPrivilege, 2996, 188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
  - Token: SeRestorePrivilege, 2996, 188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
  - Token: SeRestorePrivilege, 2996, 188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
  - Token: SeRestorePrivilege, 2996, 188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
  - Token: SeRestorePrivilege, 2996, 188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
  - Token: SeRestorePrivilege, 2996, 188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
  - PID 2996 wrote to memory of 2600: 188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe -> cmd.exe
  - PID 2996 wrote to memory of 2600: 188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe -> cmd.exe
  - PID 2996 wrote to memory of 2600: 188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe -> cmd.exe
  - PID 2996 wrote to memory of 2600: 188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe -> cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe"
  - Server Software Component: Terminal Services DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child process)
    Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe"
    - Deletes itself
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k network
  - Loads dropped DLL
Network
Downloads
- C:\Windows\SysWOW64\plugin\001.dll
  Filesize: 19KB
  MD5: 279ddab68e523c810d457eebda80a8ad
  SHA1: 596b4ccd79c548d05346fd2c22a6a8d8eddc13af
  SHA256: 1d316b0a0d0b607e61f7ec6d4336855a0fd229733c90ba6baed5fd3b847628e8
  SHA512: 5281706afe3d0859770ba458ec083fd5abf4c78b62ef68bd8d8bf6b846d50f1f4c017f81898b71ebfd731d938c8f5e742dd08dec62df29b305ac13c051dbf2f9
- \??\c:\windows\SysWOW64\sysns.dll
  Filesize: 475KB
  MD5: 813a5af74a429a664eaa2623eaa3b390
  SHA1: 71db501ac359ac462e3af5419b888dc43b58a9f9
  SHA256: 51b0294a20a1e958bab85e607e5500bb4bea26fe4f41846851befc4d54f3e93f
  SHA512: 66a547b4db3a6c270fa3adb4b0f089544ebcd93ad56e10822d959e9a7630b1c573ed040185b401195a6e6da9349f7bf390768bb0b132bc3f4c52f76a7899a259
- memory/2588-10-0x00000000009D0000-0x0000000000A4C000-memory.dmp
  Filesize: 496KB
- memory/2588-16-0x0000000000400000-0x000000000040B000-memory.dmp
  Filesize: 44KB
- memory/2588-15-0x00000000009D0000-0x0000000000A4C000-memory.dmp
  Filesize: 496KB
- memory/2588-17-0x00000000009D0000-0x0000000000A4C000-memory.dmp
  Filesize: 496KB
- memory/2996-1-0x0000000013140000-0x0000000013222000-memory.dmp
  Filesize: 904KB
- memory/2996-2-0x00000000131D5000-0x0000000013221000-memory.dmp
  Filesize: 304KB
- memory/2996-0-0x0000000013140000-0x0000000013222000-memory.dmp
  Filesize: 904KB
- memory/2996-11-0x0000000013140000-0x0000000013222000-memory.dmp
  Filesize: 904KB
- memory/2996-12-0x00000000131D5000-0x0000000013221000-memory.dmp
  Filesize: 304KB