Analysis
  max time kernel: 141s
  max time network: 145s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 28-06-2024 01:54
Behavioral task behavioral1
  Sample: 185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task behavioral2
  Sample: 185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
  (All signatures, process IDs and memory dumps below are from behavioral2.)
General
  Target: 185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe
  Size: 711KB
  MD5: 185e71fc9ef71619e9d58b5f61808eb7
  SHA1: 4c43005754a0a93f8f8e7804d336c06ae5e30251
  SHA256: 3775055c9d9621dcad2f62df51bd7792e66249d6321acc5aebf6b0b5fd77b66a
  SHA512: 6f40a057093b7df229ef56ffbe93344adbecd5f4f415f3184d20baf93313554d6eba4ab317ffc874ee64bd4c315d5d109e4990b156e81a6a8214a84b32c16260
  SSDEEP: 12288:YUb/XsDwvZ6e3xdprcrRKOUcPlXg5YmtGCM1MTrTEFG/po5aT6fTScrD+RVfnVC+:pc0vIe5r+8ODPl/mt41MTjDT66x4
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- UAC bypass 1 IoCs
  (Heading recovered from the process tree below, where PID 380 carries this signature.) Setting EnableLUA to 0 does not bypass a single prompt; it switches UAC off for the machine at the next logon. The value lives under HKLM, so the writing process already held an elevated token when it ran (the sandbox runs the sample as Admin).
  Processes:
    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NETWORK.EXE
- ModiLoader Second Stage 21 IoCs
  Processes:
    resource | yara_rule
    behavioral2/memory/380-N-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
    (21 hits, all on the same image-base region of PID 380; dump indices N = 21, 24, 25, 33, 40, 41, 42, 45, 48, 49, 52, 55, 58, 61, 64, 67, 70, 73, 76, 79, 82)
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | 185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe
- Executes dropped EXE 2 IoCs
  Processes:
    pid | process
    1580 | NETWORK.EXE
    380 | NETWORK.EXE
- Loads dropped DLL 4 IoCs
  Processes:
    pid | process
    380 | NETWORK.EXE (4 hits)
- UPX packed file 3 IoCs
  (Heading missing from the extracted page; the yara rule name is upx.)
  Processes:
    resource | yara_rule
    C:\Windows\SysWOW64\NETWORK.EXE | upx
    behavioral2/memory/1580-17-0x0000000000400000-0x00000000004A9000-memory.dmp | upx
    behavioral2/memory/1580-23-0x0000000000400000-0x00000000004A9000-memory.dmp | upx
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\SysWOW64\\NETWORK.EXE" | NETWORK.EXE
- Checks whether UAC is enabled 2 IoCs
  (Heading recovered from the process tree below.) The value is read first and then overwritten with 0.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | NETWORK.EXE
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NETWORK.EXE
- AutoIT Executable 1 IoCs
  AutoIT scripts compiled to PE executables.
  The autoit_exe rule fires only on the in-memory image of PID 1580, while the on-disk NETWORK.EXE and the same region match upx: consistent with a UPX-packed, AutoIt-compiled binary that is recognised once it has unpacked itself.
  Processes:
    resource | yara_rule
    behavioral2/memory/1580-23-0x0000000000400000-0x00000000004A9000-memory.dmp | autoit_exe
- Drops file in System32 directory 4 IoCs
  Processes:
    description | ioc | process
    File created | C:\Windows\SysWOW64\cmsetac.dll | NETWORK.EXE
    File created | C:\Windows\SysWOW64\CNETWORK.EXE | 185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe
    File created | C:\Windows\SysWOW64\NETWORK.EXE | 185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe
    File created | C:\Windows\SysWOW64\ntdtcstp.dll | NETWORK.EXE
- Drops file in Windows directory 2 IoCs
  Processes:
    description | ioc | process
    File created | C:\Windows\CHOT-WOMEN-12.JPG | 185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe
    File created | C:\Windows\HOT-WOMEN-12.JPG | 185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 380 | NETWORK.EXE
    Token: SeDebugPrivilege | 380 | NETWORK.EXE
- Suspicious use of SetWindowsHookEx 2 IoCs
  Processes:
    pid | process
    380 | NETWORK.EXE (2 hits)
- Suspicious use of WriteProcessMemory 13 IoCs
  Processes:
    description | pid | process | target process
    PID 1652 wrote to memory of 1580 (3 writes) | 1652 | 185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe | NETWORK.EXE
    PID 1580 wrote to memory of 380 (10 writes) | 1580 | NETWORK.EXE | NETWORK.EXE
- System policy modification 1 TTPs 1 IoCs
  Processes:
    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | NETWORK.EXE
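The two registry writes above (EnableLUA set to 0, and a Run value that points back at the writing binary) are the behaviours most worth turning into host detections. The following is an added example, not sandbox output and not code from the sample: it scores Sysmon-style registry events (Event ID 13, "Registry value set") against rules derived from this report's IoCs. The field names (EventID, Image, TargetObject, Details) follow Sysmon's schema, but the parsed-dict input, the sample events, the benign control event and the SYSTEM_DIRS heuristic are constructed for this example. The rules match on the key suffix, so both the NT-native paths shown in the report (\REGISTRY\MACHINE\...) and Sysmon's HKLM\... form are handled. The Geo\Nation lookup is a read and produces no Sysmon event, so it is not covered here.

```python
"""Registry detections derived from the sandbox signatures (added example).

Not sandbox output and not malware code. Evaluates Sysmon Event ID 13
records, represented here as plain dicts (an assumption of this example),
against two rules: UAC disabled through EnableLUA = 0, and Run-key
persistence that is either self-registration or points into a Windows
system directory.
"""
import re

# Sysmon renders REG_DWORD data as "DWORD (0x00000000)".
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")

# Heuristic (this example's own): legitimate autoruns rarely target binaries
# living directly under System32 / SysWOW64; Microsoft components there use
# services or scheduled tasks instead.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed events mirroring the report's IoCs, plus one benign control.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\SysWOW64\\NETWORK.EXE",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": "C:\\Windows\\SysWOW64\\NETWORK.EXE",
     "TargetObject": "HKU\\S-1-5-21-1181767204-2009306918-3718769404-1000"
                     "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\mstwain32",
     "Details": "C:\\Windows\\SysWOW64\\NETWORK.EXE"},
    # Benign control (constructed): an installer registering a separate
    # updater under Program Files. Neither rule should fire on it.
    {"EventID": 13, "Image": "C:\\Program Files\\ExampleVendor\\setup.exe",
     "TargetObject": "HKU\\S-1-5-21-1181767204-2009306918-3718769404-1000"
                     "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleUpdater",
     "Details": "C:\\Program Files\\ExampleVendor\\updater.exe"},
]


def _dword(details):
    """Integer value of a Sysmon DWORD 'Details' string, or None if not a DWORD."""
    m = DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def _exe_path(details):
    """Executable path from a Run-key value: honour quotes, otherwise cut after
    the first '.exe' so unquoted paths containing spaces survive."""
    s = details.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    idx = s.lower().find(".exe")
    return s[:idx + 4] if idx >= 0 else s.split(" ")[0]


def evaluate(events):
    """Return (rule, severity, image, target) for every rule hit, in event order."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        image, target = ev["Image"], ev["TargetObject"]
        tl = target.lower()
        # Rule 1: UAC switched off by policy. The key is under HKLM, so the
        # writer is already elevated; the change takes effect at next logon.
        if tl.endswith("\\policies\\system\\enablelua") and _dword(ev["Details"]) == 0:
            hits.append(("uac_disabled_enablelua", "high", image, target))
        # Rule 2: Run / RunOnce persistence that registers the writer itself
        # (what NETWORK.EXE does) or targets a system directory.
        if "\\currentversion\\run\\" in tl or "\\currentversion\\runonce\\" in tl:
            exe = _exe_path(ev["Details"]).lower()
            if exe == image.lower():
                hits.append(("runkey_self_registration", "high", image, target))
            elif exe.startswith(SYSTEM_DIRS):
                hits.append(("runkey_system_dir_target", "medium", image, target))
    return hits


if __name__ == "__main__":
    for rule, sev, image, target in evaluate(SAMPLE_EVENTS):
        print(f"[{sev}] {rule}: {image} -> {target}")
```

Run against the constructed events this yields exactly two hits, both attributed to NETWORK.EXE, and nothing for the installer control. Because the EnableLUA write needs an elevated token, the first rule is also a useful prompt to ask how the process obtained that token on a real host; in the sandbox it was simply run as Admin.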
Processes
(PIDs are taken from the WriteProcessMemory table above; depth shows parent/child relation.)
- C:\Users\Admin\AppData\Local\Temp\185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe (PID 1652)
  command line: "C:\Users\Admin\AppData\Local\Temp\185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\NETWORK.EXE (PID 1580, child of 1652)
    command line: "C:\Windows\system32\NETWORK.EXE"
    (The parent is a 32-bit process, so its "system32" path is redirected by WoW64 file-system redirection to SysWOW64, which is where the file was actually dropped and from where it runs.)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\NETWORK.EXE (PID 380, child of 1580)
      command line: "C:\Windows\SysWOW64\NETWORK.EXE"
      - UAC bypass
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - System policy modification
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (separate top-level process, not a child of the sample)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4364,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=3856 /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
  Privilege Escalation
    Abuse Elevation Control Mechanism (1): Bypass User Account Control (1) [T1548.002]
    Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1) [T1547.001]
Downloads
- C:\Windows\SysWOW64\NETWORK.EXE
  Filesize: 532KB
  MD5: 56d696dac985a514549780b2e0333f4d
  SHA1: a9106ed2916e892d1ad50c15a9258583fe8ed04a
  SHA256: 007c5c3fd08b78da7237638375eedd42993cb516206226439f4a253a301bc7b7
  SHA512: dcd5f2a498202c64668085deb99fc81e9c0b9783d7be2d4b8e30e0b4c435c04eeb1eebee85c65182a1f3483c48dc8061845cbbfe730e9c0525e299fc784f7be0
- C:\Windows\SysWOW64\cmsetac.dll
  Filesize: 33KB
  MD5: 4e1d9848139e02bc9459c33c543f2217
  SHA1: 346ca2e11efaf2cdd4c3cb1a8a5b56fd4a343d59
  SHA256: 4eee5030facd799af5e92a948ab7ab299f51d864696104f3f00b5a7bb89fa8f0
  SHA512: 272aff5956255fa3c6084abf6faf07196965feb54d01fc1e0bed7f0276854f216c70130ac0838efb1dbe5407abd5d0d8451922aafdeff9bc2fa0fdbdd3d9a8f6
- C:\Windows\SysWOW64\ntdtcstp.dll
  Filesize: 7KB
  MD5: 67587e25a971a141628d7f07bd40ffa0
  SHA1: 76fcd014539a3bb247cc0b761225f68bd6055f6b
  SHA256: e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
  SHA512: 6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350
  (C:\Windows\SysWOW64\CNETWORK.EXE and the two JPG files recorded under "Drops file" are not offered for download in this report.)

Memory dumps (behavioral2; names have the form memory/<pid>-<index>-<start>-<end>-memory.dmp)
- PID 1652 (185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe)
  0x0000000000400000-0x00000000008C2000, 4.8MB: indices 0, 19
  0x00000000028E0000-0x00000000029D0000, 960KB: index 2
- PID 1580 (NETWORK.EXE, first instance)
  0x0000000000400000-0x00000000004A9000, 676KB: indices 17, 23
- PID 380 (NETWORK.EXE, second instance)
  0x0000000000400000-0x000000000044B000, 300KB: indices 21, 24, 25, 33, 40, 41, 42, 45, 48, 49, 52, 55, 58, 61, 64, 67, 70, 73, 76, 79, 82
  0x00000000033E0000-0x00000000033EE000, 56KB: indices 37, 44
  0x0000000002420000-0x0000000002428000, 32KB: index 43
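Reading the process tree together with the dump listing gives a second detection angle: NETWORK.EXE (PID 1580) launches its own binary again (PID 380), writes into it ten times, and the region mapped at the child's image base (0x400000-0x44B000, 300KB) is smaller than the same region in the parent (0x400000-0x4A9000, 676KB) and does not correspond to the 532KB on-disk file. That is the shape of process hollowing or a similar self-injection. The following added example (not sandbox output, not the sample's code) encodes that heuristic over structures constructed from the tables in this report; the function and field names are this example's own, and the rule is a lead rather than proof, since the sandbox summary does not record whether the child was created suspended or which API performed the writes.

```python
"""Self-spawn injection heuristic over the process tree and memory dumps (added example).

Not sandbox output. Flags a child that (1) runs the same image as its parent,
(2) was written to by the parent, and (3) has an image-base region of a
different size from the parent's, which is the hollowing pattern visible in
this report. All input structures are constructed from the report's tables.
"""
from collections import Counter

# Constructed from the process tree: PID -> (image path, parent PID).
PROCESSES = {
    1652: ("C:\\Users\\Admin\\AppData\\Local\\Temp\\185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe", None),
    1580: ("C:\\Windows\\SysWOW64\\NETWORK.EXE", 1652),
    380: ("C:\\Windows\\SysWOW64\\NETWORK.EXE", 1580),
}

# Constructed from the "Suspicious use of WriteProcessMemory" table:
# one (source PID, target PID) tuple per recorded write.
WRITES = [(1652, 1580)] * 3 + [(1580, 380)] * 10

# Constructed from the memory dump listing: PID -> byte size of the region
# dumped at the image base 0x400000.
IMAGE_REGION = {
    1652: 0x8C2000 - 0x400000,
    1580: 0x4A9000 - 0x400000,
    380: 0x44B000 - 0x400000,
}


def find_self_injection(processes, writes, image_region):
    """Return one finding per child matching the self-spawn + write pattern.

    A handful of parent-to-child writes accompanies ordinary process creation,
    so the write count alone is weak evidence; the rule keys on the same-image
    spawn and escalates the verdict when the image-base region size differs.
    """
    write_counts = Counter(writes)
    findings = []
    for pid, (image, ppid) in processes.items():
        if ppid is None or ppid not in processes:
            continue
        parent_image = processes[ppid][0]
        n_writes = write_counts[(ppid, pid)]
        if image.lower() != parent_image.lower() or n_writes == 0:
            continue
        mismatch = (pid in image_region and ppid in image_region
                    and image_region[pid] != image_region[ppid])
        findings.append({
            "pid": pid,
            "ppid": ppid,
            "image": image,
            "writes_from_parent": n_writes,
            "region_mismatch": mismatch,
            "verdict": ("probable hollowing/injection" if mismatch
                        else "self-spawn with writes, inspect further"),
        })
    return findings


def region_kib(pid, image_region=IMAGE_REGION):
    """Size in KiB of a PID's image-base region, matching the report's KB figures."""
    return image_region[pid] // 1024


if __name__ == "__main__":
    for f in find_self_injection(PROCESSES, WRITES, IMAGE_REGION):
        print(f"PID {f['pid']} (parent {f['ppid']}): {f['verdict']}, "
              f"{f['writes_from_parent']} writes, region mismatch={f['region_mismatch']}")
```

On the report's data only the 1580 -> 380 step is flagged; the three writes from the original sample into PID 1580 are ignored because the images differ, which is the correct outcome here since that child is a different dropped file, not a hollowed copy. On a live host the same logic runs over Sysmon Event ID 1 (process creation) and Event ID 8/10 records, with region sizes coming from a memory scan rather than sandbox dumps.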