Analysis

  • max time kernel: 144s
  • max time network: 145s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240611-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 28-06-2024 10:55

General

  • Target: 19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
  • Size: 203KB
  • MD5: 19dc3a57ed03c603c7da981158a8e8a4
  • SHA1: 04016028516db80bc9f8dc3824aa175c8852da13
  • SHA256: 2cf0f0256f20b1971392fadcee01d37280693338c0aaf82cda02db47bf2fc050
  • SHA512: a21112cea09493daf31ec0f089c94fe9b5a0b01e088bfb4eb8031cea74b8018e7a6bdd01f954409f30cabc2cd70e292d998e77eb339688c41f6993b0d86fd462
  • SSDEEP: 6144:cGtD2qOgIEx3VrzGGvySj3bMYwu68lzr1:nx1nPVon8lt

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage (4 IoCs)
  • Server Software Component: Terminal Services DLL (1 TTP, 1 IoC)
  • Loads dropped DLL (1 IoC)
  • UPX packed file (2 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe"
    1⤵
    • Server Software Component: Terminal Services DLL
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe"
      2⤵
        PID:4068
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k network
      1⤵
      • Loads dropped DLL
      PID:4716

    Network

    MITRE ATT&CK Matrix (ATT&CK v13)

    • Persistence
      • Server Software Component, T1505 (1 hit)
      • Terminal Services DLL, T1505.005 (1 hit)
    • Discovery
      • System Information Discovery, T1082 (1 hit)


    Downloads

    • \??\c:\windows\SysWOW64\sysn.dll
      • Filesize: 391KB
      • MD5: 431d67d36495437027ef3f67326515ba
      • SHA1: 3909a4cf87ec124f135f401886d12414bafe499c
      • SHA256: 4d9974222b842ceb454be5f0dfcfaac54f5a9c4cd38e1594f4636e229577f5e2
      • SHA512: da81cbf6d820b8962c2723a543912078846dcba983f6d094c6f24c99af1c8b7659e21c05fab8880235034480536cfdf701d51bcb2b8fd5798d759a524387c96c

    • memory/1808-0-0x0000000013140000-0x00000000131BA000-memory.dmp
      • Filesize: 488KB

    • memory/1808-9-0x0000000013140000-0x00000000131BA000-memory.dmp
      • Filesize: 488KB

    • memory/4716-10-0x0000000000400000-0x0000000000468000-memory.dmp
      • Filesize: 416KB