Analysis
-
max time kernel
140s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
28-06-2024 07:47
General
-
Target
1955a32a8984766ebaaa5aa3cb9d3be5_JaffaCakes118.exe
-
Size
1.5MB
-
MD5
1955a32a8984766ebaaa5aa3cb9d3be5
-
SHA1
af1db1824a039de18e6be79266a7528d3f566892
-
SHA256
840c182dfa32350922d1faa06df0aa41855bce36e4000aa739556e28ece9c298
-
SHA512
174e4052387c46497820496c091afeb8a1a228dae0480a09ed49109fbc676ae2b1b520db48aaaf101ff71b33ff0cf4a2fc54cad0604dd4ea824dd3d2fdeedbf5
-
SSDEEP
24576:4Jyta4AzyEYt2jmkKUeJy9fQ102LbcL8bmx5Fg3gcviZlZ2ApjZL3vEAdhNDQjTx:iwacEBNLa28bm6gcvKrjZLfEAdhNDQjl
Score
10/10
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
UAC bypass 3 TTPs 1 IoCs
-
ModiLoader Second Stage 16 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Themida packer 1 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1955a32a8984766ebaaa5aa3cb9d3be5_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1955a32a8984766ebaaa5aa3cb9d3be5_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\serve.exe"C:\Users\Admin\AppData\Local\Temp\serve.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\mstwain32.exe"C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\serve.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 13⤵
- Disables RegEdit via registry modification
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Trade.jpgFilesize
3KB
MD5145c3797ff9fc84b5e429395e7230c7f
SHA19cb93ebd61bf296d2857fc051a0e16915bd303a2
SHA256b9a82c954e5004ef9fb98ad344087fe4c54bc7b68bc53107c0d54bfbdc52731b
SHA512f1407e4ced7d9c3b40a01bcf2668baf0bfb34fc41d3af6647f2eae315fe4d462e4eae14e8f4d325ace269ef92915637c7fc569c49d9259ac5e473ec9ae164b24
-
C:\Windows\cmsetac.dllFilesize
33KB
MD518b1798c02ed62e6632a9b0187e9f2ff
SHA141dab79982c21b81ea0a5acd83c93f9bd3bd8a46
SHA25661334ad4cd264eba115209e91c4ad6fa11a6b5454e3d2e13a575f72ef0bb8ab4
SHA512498c0a6b565b863278dd00aabb3719e146a7d2887dd8536432116c98e24a2b6948e3cc7c9139d53fe38a8dbeaeec96435d0ab022e3fc9b128ccf7013eb41802e
-
\Users\Admin\AppData\Local\Temp\serve.exeFilesize
270KB
MD5447b84a2afefb6f30a9b45ca3bdd4317
SHA16f1ce70b183a7141820f7890bb18c9f4584eac63
SHA256fa9ef0844a677f3800b21c790bd561de08f1af6d4d4fc8dd141b9fee66abb16b
SHA512c42992cb276084d546c8879fb2b40f115b18b88a6f9b8729eba738f0e7634abe2c992f8adeac8ff69ca693114d35af708fffb5d8eaf3b59d6fad1b49d902f35e
-
memory/1904-37-0x0000000000401000-0x0000000000407000-memory.dmpFilesize
24KB
-
memory/1904-1-0x0000000000530000-0x0000000000613000-memory.dmpFilesize
908KB
-
memory/1904-4-0x0000000000401000-0x0000000000407000-memory.dmpFilesize
24KB
-
memory/1904-0-0x0000000000260000-0x0000000000261000-memory.dmpFilesize
4KB
-
memory/1904-31-0x0000000005640000-0x000000000564E000-memory.dmpFilesize
56KB
-
memory/1904-33-0x0000000005FC0000-0x0000000005FC2000-memory.dmpFilesize
8KB
-
memory/1904-36-0x0000000005640000-0x000000000564E000-memory.dmpFilesize
56KB
-
memory/1904-35-0x0000000000400000-0x0000000000530000-memory.dmpFilesize
1.2MB
-
memory/2496-23-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2588-42-0x0000000000140000-0x000000000014E000-memory.dmpFilesize
56KB
-
memory/2588-34-0x00000000001C0000-0x00000000001C2000-memory.dmpFilesize
8KB
-
memory/2588-32-0x0000000000140000-0x000000000014E000-memory.dmpFilesize
56KB
-
memory/2880-51-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2880-63-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2880-41-0x0000000000790000-0x000000000079E000-memory.dmpFilesize
56KB
-
memory/2880-40-0x0000000000270000-0x0000000000278000-memory.dmpFilesize
32KB
-
memory/2880-43-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2880-47-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2880-39-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2880-55-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2880-59-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2880-28-0x0000000000790000-0x000000000079E000-memory.dmpFilesize
56KB
-
memory/2880-67-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2880-71-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2880-75-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2880-79-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2880-83-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2880-87-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2880-91-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
