Analysis
max time kernel: 148s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
submitted: 28-06-2024 04:09
Static task: static1
Behavioral task: behavioral1
  Sample: 18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe
Size: 271KB
MD5: 18b9ffa8777c84994dd00d55d1d9f279
SHA1: 67687a599890925fd59698e574b9f4d27b5ea33e
SHA256: 44523c55625993a786873e2ff8fcec8a09733b1d62bb8bbe3ba70472630fc531
SHA512: 92872fb6c9ce0e3ff12393c4e735f59c5edd4db2dd86980b58d021c499dfb0d0b8608f87493c4f169106501b48f2fb84f80cfac19d8fb87cbf8c0971247cd232
SSDEEP: 6144:Wpq2BEEea7c8L7C7FB+P72WfxX2iGZTbIeLFLjs3glZ4Z:WgqEEea7tL7C7LxWffGvjeglZ4Z
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msvcnu32.exe
ModiLoader Second Stage 15 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2528-49-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral1/memory/2752-56-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral1/memory/2752-61-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral1/memory/2752-65-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral1/memory/2752-69-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral1/memory/2752-73-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral1/memory/2752-78-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral1/memory/2752-82-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral1/memory/2752-86-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral1/memory/2752-90-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral1/memory/2752-94-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral1/memory/2752-98-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral1/memory/2752-102-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral1/memory/2752-106-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
behavioral1/memory/2752-110-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
Executes dropped EXE 4 IoCs
Processes:
pid | process
2468 | 57553.exe
2528 | 34979.exe
2808 | svchost.exe
2752 | msvcnu32.exe
Loads dropped DLL 4 IoCs
Processes:
pid | process
2468 | 57553.exe
2468 | 57553.exe
2468 | 57553.exe
2528 | 34979.exe
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\34979.exe | upx
behavioral1/memory/2528-21-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral1/memory/2528-49-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral1/memory/2752-56-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral1/memory/2752-61-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral1/memory/2752-65-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral1/memory/2752-69-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral1/memory/2752-73-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral1/memory/2752-78-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral1/memory/2752-82-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral1/memory/2752-86-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral1/memory/2752-90-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral1/memory/2752-94-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral1/memory/2752-98-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral1/memory/2752-102-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral1/memory/2752-106-0x0000000000400000-0x0000000000450000-memory.dmp | upx
behavioral1/memory/2752-110-0x0000000000400000-0x0000000000450000-memory.dmp | upx
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe" | 57553.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\msvcnu32 = "C:\\Windows\\msvcnu32.exe" | msvcnu32.exe
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 34979.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | msvcnu32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msvcnu32.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) by svchost.exe, in this order: \??\M: \??\O: \??\U: \??\Y: \??\E: \??\I: \??\Q: \??\T: \??\G: \??\H: \??\P: \??\S: \??\V: \??\J: \??\L: \??\R: \??\W: \??\X: \??\Z: \??\K: \??\N:
Drops file in Windows directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Windows\msvcnu32.exe | 34979.exe
File opened for modification | C:\Windows\msvcnu32.exe | 34979.exe
File created | C:\Windows\ntdtcstp.dll | msvcnu32.exe
File created | C:\Windows\cmsetac.dll | msvcnu32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2528 | 34979.exe
Token: SeBackupPrivilege | 2624 | vssvc.exe
Token: SeRestorePrivilege | 2624 | vssvc.exe
Token: SeAuditPrivilege | 2624 | vssvc.exe
Token: SeDebugPrivilege | 2752 | msvcnu32.exe
Token: SeDebugPrivilege | 2752 | msvcnu32.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
2752 | msvcnu32.exe
2752 | msvcnu32.exe
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
description | pid | process | target process
PID 3028 wrote to memory of 2468 | 3028 | 18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe | 57553.exe
PID 3028 wrote to memory of 2468 | 3028 | 18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe | 57553.exe
PID 3028 wrote to memory of 2468 | 3028 | 18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe | 57553.exe
PID 3028 wrote to memory of 2468 | 3028 | 18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe | 57553.exe
PID 3028 wrote to memory of 2528 | 3028 | 18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe | 34979.exe
PID 3028 wrote to memory of 2528 | 3028 | 18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe | 34979.exe
PID 3028 wrote to memory of 2528 | 3028 | 18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe | 34979.exe
PID 3028 wrote to memory of 2528 | 3028 | 18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe | 34979.exe
PID 2468 wrote to memory of 2808 | 2468 | 57553.exe | svchost.exe
PID 2468 wrote to memory of 2808 | 2468 | 57553.exe | svchost.exe
PID 2468 wrote to memory of 2808 | 2468 | 57553.exe | svchost.exe
PID 2468 wrote to memory of 2808 | 2468 | 57553.exe | svchost.exe
PID 2528 wrote to memory of 2752 | 2528 | 34979.exe | msvcnu32.exe
PID 2528 wrote to memory of 2752 | 2528 | 34979.exe | msvcnu32.exe
PID 2528 wrote to memory of 2752 | 2528 | 34979.exe | msvcnu32.exe
PID 2528 wrote to memory of 2752 | 2528 | 34979.exe | msvcnu32.exe
System policy modification 1 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msvcnu32.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\57553.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\57553.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
      signatures: Executes dropped EXE; Enumerates connected drives
  - C:\Users\Admin\AppData\Local\Temp\34979.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\34979.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\msvcnu32.exe
      command line: "C:\Windows\msvcnu32.exe"
      signatures: UAC bypass; Executes dropped EXE; Adds Run key to start application; Checks whether UAC is enabled; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; System policy modification
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  signatures: Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (3)
Downloads
- C:\Users\Admin\AppData\Local\Temp\34979.exe
  Filesize: 109KB
  MD5: 3a1f155b71223ef8f617d73b2aad273b
  SHA1: 57df3e31536ac258e01c2f66c980468b83313f1f
  SHA256: 898250c781d1a65e41db8817d02f11955d28215c9d432c06260706863a1b4921
  SHA512: 56678ba5afc8e63884f3e568e9297b7f88e904376b2cafc763f9d01b544f1d1a6fa5cf18f33205fbffa1c65a8c9cfb49f251976903f20520ee43698f077e112c
- C:\Users\Admin\AppData\Local\Temp\57553.exe
  Filesize: 142KB
  MD5: 35aff1b50d81dbcd833b6c23ee192894
  SHA1: 85ef9c2be6669a2ee8b52988b1ecc50cac5f7f3b
  SHA256: 8f2fa965e1ef653c1f2514d8a5a234ca7fb5a26d101f815f98adbf4307643e79
  SHA512: 1530072a370c3ceb3e0d9428feeb4eea342604911f2f1963c905a09aa53aaec5707bcf72f70b86f577e4d7834c4101c2377abd4e1d02fff91d5cf647e44faafb