Analysis
- max time kernel: 144s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-06-2024 10:55
Behavioral task: behavioral1
- Sample: 19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
- Size: 203KB
- MD5: 19dc3a57ed03c603c7da981158a8e8a4
- SHA1: 04016028516db80bc9f8dc3824aa175c8852da13
- SHA256: 2cf0f0256f20b1971392fadcee01d37280693338c0aaf82cda02db47bf2fc050
- SHA512: a21112cea09493daf31ec0f089c94fe9b5a0b01e088bfb4eb8031cea74b8018e7a6bdd01f954409f30cabc2cd70e292d998e77eb339688c41f6993b0d86fd462
- SSDEEP: 6144:cGtD2qOgIEx3VrzGGvySj3bMYwu68lzr1:nx1nPVon8lt
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi-written loader that abuses legitimate cloud services to download further malware families.
- ModiLoader Second Stage (4 IoCs)
  resource | yara_rule
  behavioral2/memory/1808-0-0x0000000013140000-0x00000000131BA000-memory.dmp | modiloader_stage2
  \??\c:\windows\SysWOW64\sysn.dll | modiloader_stage2
  behavioral2/memory/1808-9-0x0000000013140000-0x00000000131BA000-memory.dmp | modiloader_stage2
  behavioral2/memory/4716-10-0x0000000000400000-0x0000000000468000-memory.dmp | modiloader_stage2
  The rule matches both the region the dropper (PID 1808) maps at 0x13140000 and the DLL it writes to disk, and again in the svchost.exe process (PID 4716) that later loads that DLL, so the same second stage is visible at all three points.
- Server Software Component: Terminal Services DLL (1 TTP, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\netrt\Parameters\ServiceDll = "C:\\Windows\\System32\\sysn.dll" | 19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
  The sample points the ServiceDll of a service named netrt at sysn.dll, so svchost.exe will load that DLL whenever the service starts. The registry value names System32, but the file is created under SysWOW64 (see "Drops file in System32 directory"): the sample is 32-bit, so WOW64 file-system redirection turns its System32 writes into SysWOW64 writes, and the 32-bit svchost.exe that hosts the service resolves the System32 path the same way. Note that the sandbox label refers to ATT&CK T1505.005 (Terminal Services DLL), but the target here is the netrt service rather than the Terminal Services service; T1543.003 (Create or Modify System Process: Windows Service) describes the observed write more precisely.
- Loads dropped DLL (1 IoC)
  pid | process
  4716 | svchost.exe
- upx (2 IoCs)
  resource | yara_rule
  behavioral2/memory/1808-0-0x0000000013140000-0x00000000131BA000-memory.dmp | upx
  behavioral2/memory/1808-9-0x0000000013140000-0x00000000131BA000-memory.dmp | upx
  This is the same 0x13140000-0x00000000131BA000 region of PID 1808 that also matches modiloader_stage2; the second stage is carried in UPX-packed form rather than the main image at 0x400000.
- Drops file in System32 directory (2 IoCs)
  description | ioc | process
  File created | C:\Windows\SysWOW64\sysn.dll | 19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\sysn.dll | 19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  description | pid | process
  Token: SeBackupPrivilege | 1808 | 19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
  Token: SeRestorePrivilege | 1808 | 19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
  Token: SeRestorePrivilege | 1808 | 19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
  Token: SeRestorePrivilege | 1808 | 19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
  Token: SeRestorePrivilege | 1808 | 19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
  Token: SeRestorePrivilege | 1808 | 19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
  Token: SeBackupPrivilege | 1808 | 19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
  Token: SeRestorePrivilege | 1808 | 19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
  Token: SeRestorePrivilege | 1808 | 19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
  Token: SeRestorePrivilege | 1808 | 19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
  Token: SeRestorePrivilege | 1808 | 19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
  Token: SeRestorePrivilege | 1808 | 19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
  All twelve adjustments come from the dropper (PID 1808): SeBackupPrivilege twice and SeRestorePrivilege ten times. SeRestorePrivilege lets a process write files regardless of their ACLs and is also required for loading and replacing registry hives, which is consistent with the sample writing a DLL into the Windows system directory and a service key under HKLM\SYSTEM. Ordinary user-mode software rarely enables either privilege.
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | process | target process
  PID 1808 wrote to memory of 4068 | 1808 | 19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe | cmd.exe
  PID 1808 wrote to memory of 4068 | 1808 | 19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe | cmd.exe
  PID 1808 wrote to memory of 4068 | 1808 | 19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe | cmd.exe
  The only target is the cmd.exe child that the sample spawns to delete itself (see the process tree); no write into an unrelated process is recorded.
Processes
1. C:\Users\Admin\AppData\Local\Temp\19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
   "C:\Users\Admin\AppData\Local\Temp\19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe"
   - Server Software Component: Terminal Services DLL
   - Drops file in System32 directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe"
      (the dropper deletes its own executable from the Temp directory once the DLL and the service key are in place)
1. C:\Windows\SysWOW64\svchost.exe
   C:\Windows\SysWOW64\svchost.exe -k network
   - Loads dropped DLL
   (this svchost.exe instance sits at the top level of the tree rather than under the sample, consistent with the netrt service being started through the Service Control Manager; -k network names the service group it hosts)
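The three observations in this report that belong together are the DLL drop under SysWOW64, the ServiceDll value that names the System32 spelling of the same file, and the 32-bit svchost.exe -k network that then loads it. The following Python is an added example written for this page, not code from the sandbox or its tooling: it correlates those three events from Sysmon-style telemetry. The event records are constructed to mirror the report's PIDs and paths (the field names are illustrative, not a real Sysmon schema), the set of trusted writer processes is an assumed baseline, and %SystemRoot% is assumed to be C:\Windows.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed Sysmon-style events (illustrative field names, not real Sysmon XML).
# They mirror the report: the dropper (PID 1808) creates sysn.dll under
# SysWOW64, sets ServiceDll for the "netrt" service to the System32 spelling of
# that path, and a 32-bit svchost.exe -k network (PID 4716) loads the DLL.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe"

SAMPLE_EVENTS = [
    {"type": "FileCreate", "pid": 1808, "image": DROPPER,
     "target": r"C:\Windows\SysWOW64\sysn.dll"},
    {"type": "RegistrySet", "pid": 1808, "image": DROPPER,
     "target": r"HKLM\SYSTEM\ControlSet001\Services\netrt\Parameters\ServiceDll",
     "details": r"C:\Windows\System32\sysn.dll"},
    {"type": "ImageLoad", "pid": 4716, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "command_line": r"C:\Windows\SysWOW64\svchost.exe -k network",
     "loaded": r"C:\Windows\SysWOW64\sysn.dll"},
    # Benign baseline (constructed): OS servicing rewriting a built-in ServiceDll.
    {"type": "RegistrySet", "pid": 900,
     "image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "target": r"HKLM\SYSTEM\ControlSet001\Services\LanmanWorkstation\Parameters\ServiceDll",
     "details": r"%SystemRoot%\System32\wkssvc.dll"},
]

# Processes expected to write ServiceDll during servicing/installs. Assumed
# baseline for this example; tune it to what you actually see in your estate.
TRUSTED_WRITERS = {
    r"c:\windows\servicing\trustedinstaller.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\msiexec.exe",
    r"c:\windows\system32\poqexec.exe",
}

SERVICEDLL_RE = re.compile(
    r"\\services\\(?P<service>[^\\]+)\\parameters\\servicedll$", re.IGNORECASE)
SVCHOST_GROUP_RE = re.compile(r"(?:^|\s)-k\s+(?P<group>\S+)", re.IGNORECASE)


def canonical_path(path: str) -> str:
    """Normalise a Windows path so the drop, the registry value and the load match.

    Lower-cases, strips quotes and the \\??\\ NT prefix, expands %SystemRoot% and
    %windir% (assumed C:\\Windows), and folds SysWOW64 onto System32: a 32-bit
    process writing C:\\Windows\\System32\\x.dll is redirected by WOW64 to
    C:\\Windows\\SysWOW64\\x.dll, and a 32-bit svchost resolves the System32 path
    stored in the registry the same way.
    """
    p = path.strip().strip('"').lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    p = p.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
    return p.replace("\\syswow64\\", "\\system32\\")


@dataclass
class Finding:
    service: str
    writer_pid: int
    writer_image: str
    service_dll: str
    dll_dropped_by_writer: bool = False   # the same PID created the DLL on disk
    loaded_by_svchost: bool = False       # an svchost.exe mapped the DLL
    svchost_group: Optional[str] = None   # the -k group that hosted it


def detect_servicedll_persistence(events) -> list:
    """Return one Finding per ServiceDll value written by a non-baseline process,
    enriched with the matching file drop and svchost image load."""
    findings = []
    for ev in events:
        if ev["type"] != "RegistrySet":
            continue
        m = SERVICEDLL_RE.search(ev["target"])
        if not m or ev["image"].lower() in TRUSTED_WRITERS:
            continue
        dll = canonical_path(ev["details"])
        finding = Finding(service=m.group("service"), writer_pid=ev["pid"],
                          writer_image=ev["image"], service_dll=ev["details"])
        for other in events:
            if (other["type"] == "FileCreate" and other["pid"] == ev["pid"]
                    and canonical_path(other["target"]) == dll):
                finding.dll_dropped_by_writer = True
            elif (other["type"] == "ImageLoad"
                    and canonical_path(other["loaded"]) == dll
                    and canonical_path(other["image"]).endswith("\\system32\\svchost.exe")):
                finding.loaded_by_svchost = True
                g = SVCHOST_GROUP_RE.search(other.get("command_line", ""))
                finding.svchost_group = g.group("group") if g else None
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_servicedll_persistence(SAMPLE_EVENTS):
        print(f"service={f.service} dll={f.service_dll} writer={f.writer_image} (pid {f.writer_pid})")
        print(f"  dropped by writer: {f.dll_dropped_by_writer}, "
              f"loaded by svchost: {f.loaded_by_svchost} (-k {f.svchost_group})")
```

Run against the constructed events this yields a single finding for the netrt service, with both enrichment flags set and the svchost group "network"; the TrustedInstaller write to LanmanWorkstation is suppressed by the baseline. The SysWOW64/System32 folding is what makes the correlation work at all: matched on raw strings, the file-create, the registry value and the image load in this report name two different directories.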
Network
Downloads
- \??\c:\windows\SysWOW64\sysn.dll
  Filesize: 391KB
  MD5: 431d67d36495437027ef3f67326515ba
  SHA1: 3909a4cf87ec124f135f401886d12414bafe499c
  SHA256: 4d9974222b842ceb454be5f0dfcfaac54f5a9c4cd38e1594f4636e229577f5e2
  SHA512: da81cbf6d820b8962c2723a543912078846dcba983f6d094c6f24c99af1c8b7659e21c05fab8880235034480536cfdf701d51bcb2b8fd5798d759a524387c96c
- memory/1808-0-0x0000000013140000-0x00000000131BA000-memory.dmp
  Filesize: 488KB
- memory/1808-9-0x0000000013140000-0x00000000131BA000-memory.dmp
  Filesize: 488KB
- memory/4716-10-0x0000000000400000-0x0000000000468000-memory.dmp
  Filesize: 416KB