Analysis
- max time kernel: 145s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 28-06-2024 05:21
Behavioral task: behavioral1
- Sample: 18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe
- Resource: win7-20240419-en
General
- Target: 18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe
- Size: 1.6MB
- MD5: 18ecedd05a561043f3a0a4722e8a2020
- SHA1: 5133b1b6c6c59a9d84333111bd7cb03681eedf26
- SHA256: 1ee45a4e1b2d7a2f49858318ef228e834df6ba8808e73b0a9a0dd7a5d1b41286
- SHA512: d40d2a23662b34b61a45c63e0ec25fae4ac1ec39cfbeac78d92ee7c50417245cafbe28a31ab46262d46519e932137dbb0e5eec6361995ee2485dd83032f0c6e6
- SSDEEP: 24576:KpVS6LqavBMtOqBYubxNwWklFiaKWjZbOR8K38lujuXg4kbOQ2K8+FXp:KpXvvU6uPmVt9xK383g4kF2Y
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Processes: services.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe
-
ModiLoader Second Stage (24 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2052-3-0x0000000000400000-0x00000000005C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2052-15-0x0000000000400000-0x00000000005C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2608-19-0x0000000000400000-0x00000000005C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2608-23-0x0000000000400000-0x00000000005C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2608-26-0x0000000000400000-0x00000000005C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2608-27-0x0000000000400000-0x00000000005C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2608-28-0x0000000000400000-0x00000000005C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2608-31-0x0000000000400000-0x00000000005C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2608-32-0x0000000000400000-0x00000000005C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2608-33-0x0000000000400000-0x00000000005C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2608-34-0x0000000000400000-0x00000000005C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2608-37-0x0000000000400000-0x00000000005C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2608-38-0x0000000000400000-0x00000000005C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2608-41-0x0000000000400000-0x00000000005C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2608-44-0x0000000000400000-0x00000000005C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2608-48-0x0000000000400000-0x00000000005C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2608-51-0x0000000000400000-0x00000000005C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2608-54-0x0000000000400000-0x00000000005C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2608-57-0x0000000000400000-0x00000000005C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2608-60-0x0000000000400000-0x00000000005C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2608-63-0x0000000000400000-0x00000000005C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2608-66-0x0000000000400000-0x00000000005C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2608-69-0x0000000000400000-0x00000000005C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2608-72-0x0000000000400000-0x00000000005C9000-memory.dmp | modiloader_stage2
-
Executes dropped EXE (1 IoC)
Processes: services.exe
pid | process
2608 | services.exe
-
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe, services.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Wine | 18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe
Key opened | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Wine | services.exe
-
Processes:
resource | yara_rule
behavioral1/memory/2052-0-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2052-2-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2052-1-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2052-3-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
C:\Windows\services.exe | themida
behavioral1/memory/2052-13-0x00000000051A0000-0x0000000005369000-memory.dmp | themida
behavioral1/memory/2608-18-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2608-17-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2608-16-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2052-15-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2608-19-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2608-23-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2608-26-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2608-27-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2608-28-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2608-31-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2608-32-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2608-33-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2608-34-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2608-37-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2608-38-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2608-41-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2608-44-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2608-48-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2608-51-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2608-54-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2608-57-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2608-60-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2608-63-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2608-66-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2608-69-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
behavioral1/memory/2608-72-0x0000000000400000-0x00000000005C9000-memory.dmp | themida
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: services.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\services.exe" | services.exe
-
Processes: services.exe, 18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | services.exe
-
Drops file in Windows directory (4 IoCs)
Processes: 18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe, services.exe
description | ioc | process
File opened for modification | C:\Windows\services.exe | 18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe
File created | C:\Windows\ntdtcstp.dll | services.exe
File created | C:\Windows\cmsetac.dll | services.exe
File created | C:\Windows\services.exe | 18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: 18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe, vssvc.exe, services.exe
description | pid | process
Token: SeDebugPrivilege | 2052 | 18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe
Token: SeBackupPrivilege | 2624 | vssvc.exe
Token: SeRestorePrivilege | 2624 | vssvc.exe
Token: SeAuditPrivilege | 2624 | vssvc.exe
Token: SeDebugPrivilege | 2608 | services.exe
Token: SeDebugPrivilege | 2608 | services.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: services.exe
pid | process
2608 | services.exe
2608 | services.exe
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: 18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe
description | pid | process | target process
PID 2052 wrote to memory of 2608 | 2052 | 18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe | services.exe
PID 2052 wrote to memory of 2608 | 2052 | 18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe | services.exe
PID 2052 wrote to memory of 2608 | 2052 | 18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe | services.exe
PID 2052 wrote to memory of 2608 | 2052 | 18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe | services.exe
-
System policy modification (1 TTP, 1 IoC)
Processes: services.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe"), depth 1
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\services.exe (command line: "C:\Windows\services.exe"), depth 2
    - UAC bypass
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
- C:\Windows\system32\vssvc.exe (command line: C:\Windows\system32\vssvc.exe), depth 1
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (1)
Downloads
- C:\Windows\services.exe
  Filesize: 1.6MB
  MD5: 18ecedd05a561043f3a0a4722e8a2020
  SHA1: 5133b1b6c6c59a9d84333111bd7cb03681eedf26
  SHA256: 1ee45a4e1b2d7a2f49858318ef228e834df6ba8808e73b0a9a0dd7a5d1b41286
  SHA512: d40d2a23662b34b61a45c63e0ec25fae4ac1ec39cfbeac78d92ee7c50417245cafbe28a31ab46262d46519e932137dbb0e5eec6361995ee2485dd83032f0c6e6
- memory/2052-15-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2052-2-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2052-1-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2052-3-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2052-8-0x0000000005060000-0x0000000005070000-memory.dmp (Filesize: 64KB)
- memory/2052-13-0x00000000051A0000-0x0000000005369000-memory.dmp (Filesize: 1.8MB)
- memory/2052-0-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-28-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-33-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-17-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-19-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-24-0x0000000004650000-0x000000000465E000-memory.dmp (Filesize: 56KB)
- memory/2608-23-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-26-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-27-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-30-0x0000000004650000-0x000000000465E000-memory.dmp (Filesize: 56KB)
- memory/2608-29-0x0000000004500000-0x0000000004508000-memory.dmp (Filesize: 32KB)
- memory/2608-18-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-31-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-32-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-16-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-34-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-37-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-38-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-41-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-44-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-48-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-51-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-54-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-57-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-60-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-63-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-66-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-69-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)
- memory/2608-72-0x0000000000400000-0x00000000005C9000-memory.dmp (Filesize: 1.8MB)