Analysis
-
max time kernel
143s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
28-06-2024 10:28
General
-
Target
19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
-
Size
7.7MB
-
MD5
19c9bec1f75d5ca7edb86310660a6c7b
-
SHA1
2ff805f3f29ea16e0dad096de62c7ce87ca9357a
-
SHA256
1ded4c387a4292edcf04a920c5e129a74dc246f2cf2785561b708dacb554cf96
-
SHA512
dd944946244d1b90bae729dc714cf0fe579d28983eace8341f0910bd71590f35c7a76a8b2528fea0050fd96d2b0503b7f7082e12a29e2608b185d956cb52c72b
-
SSDEEP
196608:U3GEEoPZJSRkkcj8aNGLtQhGEEoPZJSRkkcj8aNGLtQM:U3GEdPuktIiGEdPuktIz
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
UAC bypass 3 TTPs 1 IoCs
-
ModiLoader Second Stage 15 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Executes dropped EXE 5 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 13 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
-
Modifies registry key 1 TTPs 20 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe"1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CCleaner.exe"C:\Users\Admin\AppData\Local\Temp\CCleaner.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\mstwain32.exe"C:\Windows\mstwain32.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 13⤵
- Disables RegEdit via registry modification
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe"C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\CCleaner.exe"C:\Users\Admin\AppData\Local\Temp\CCleaner.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe"C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 13⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 13⤵
- Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nsd167F.tmp\ioSpecial.iniFilesize
696B
MD5caafe35106e3e19f3d8f7af875dad9b3
SHA113de20fea009bae91a32df12e7247e97e41b63fd
SHA25622aaf55c86029c107fa13f3539bccc987828e8530cd20c375db80f9642d40086
SHA5126795e993f973cb1a484293f687a49a6ad9a1f7eede615567e4443901f4f2a2e704ce3d7c698891c4e098b5bb872f63ecb54de03ebda727ee356e01e1cc03c63d
-
C:\Users\Admin\AppData\Local\Temp\nst194D.tmp\ioSpecial.iniFilesize
696B
MD54b3775087ec310b8b2c2a9c001e2a0d6
SHA190470cdb23764ccef2511e41a6bb297bfaba1770
SHA2560331dfb69ce2f6521a792b291dac97907488acbfc3b447d52946a1309d236dc3
SHA512ee9f3346dacc4d77a0b1046a726b1ffd69647f8cf667503ee06f888a92651abedc923592d2cb547a136e1b35d8df78e9e284dc1471bd62375bb90092afe09977
-
C:\Windows\cmsetac.dllFilesize
33KB
MD5192c8da340572eae08f8510d90c822ed
SHA1c621836688d9a6f7fe7837f6ccac3d06fd77da8a
SHA256ea1f8f26287ae62e732b2bd2d591e0779dbac144a2096ce159402dc6b8f088d0
SHA51266f942b601dd4fe8a6a80a161e4b6927145a06eba4b3edb37ef541ee19d3a076bb19870ff5f74d2727d054d97fed4773bfb85951d7d69fecba5f64d34afa2fd2
-
\Users\Admin\AppData\Local\Temp\CCleaner.exeFilesize
270KB
MD516e11c0d0af86560a376b1b3ef69afe2
SHA1567d4be42eb29b28b62e8cf6255c3459d25f2e3c
SHA2563ff60728b28ee54d13a91e52d71c73211e3e67800635e4dd21196f60fab78cf3
SHA5127b4b396d5fdc4bc2d632bfb56587736ee0e0782f20a0be588fd1a680a87e4cd28c65f92b54040e574799973756a96937d37b5ce39a36ef7a7b0588990bc7a335
-
\Users\Admin\AppData\Local\Temp\ccsetup236.exeFilesize
3.3MB
MD5832fdaa7e21a755ad2016493fe2b1ae0
SHA16dd7b298899d1d40d9d5f0e89c40a40f69ac90c9
SHA2568ceafddab004733568fff7cf34572d41a866421fe3e6f8f7864fe0270cc115ad
SHA512bfc1867fa2a4bb2800f0bd461666335a290c6780205eb6d1d6f721f6ca1045e3e826a84f3814f0a580a90ca063787b3dad0f19ea893d3ea41c71d61f66a4f1b5
-
\Users\Admin\AppData\Local\Temp\nsd167F.tmp\InstallOptions.dllFilesize
14KB
MD5325b008aec81e5aaa57096f05d4212b5
SHA127a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA51218362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf
-
\Users\Admin\AppData\Local\Temp\nsd167F.tmp\LangDLL.dllFilesize
5KB
MD59384f4007c492d4fa040924f31c00166
SHA1aba37faef30d7c445584c688a0b5638f5db31c7b
SHA25660a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
SHA51268f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf
-
\Users\Admin\AppData\Local\Temp\nsd167F.tmp\System.dllFilesize
11KB
MD5c17103ae9072a06da581dec998343fc1
SHA1b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
memory/620-162-0x0000000000240000-0x000000000024E000-memory.dmpFilesize
56KB
-
memory/620-67-0x0000000000240000-0x000000000024E000-memory.dmpFilesize
56KB
-
memory/1632-43-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2468-57-0x0000000004540000-0x000000000454E000-memory.dmpFilesize
56KB
-
memory/2468-59-0x0000000000401000-0x0000000000407000-memory.dmpFilesize
24KB
-
memory/2468-52-0x0000000004540000-0x000000000454E000-memory.dmpFilesize
56KB
-
memory/2468-0-0x0000000000400000-0x00000000004A9000-memory.dmpFilesize
676KB
-
memory/2468-58-0x0000000000400000-0x00000000004A9000-memory.dmpFilesize
676KB
-
memory/2468-2-0x0000000000401000-0x0000000000407000-memory.dmpFilesize
24KB
-
memory/2592-161-0x00000000001D0000-0x00000000001DE000-memory.dmpFilesize
56KB
-
memory/2592-45-0x00000000001D0000-0x00000000001DE000-memory.dmpFilesize
56KB
-
memory/2632-32-0x0000000000490000-0x000000000049E000-memory.dmpFilesize
56KB
-
memory/2632-253-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2632-159-0x00000000003C0000-0x00000000003C8000-memory.dmpFilesize
32KB
-
memory/2632-160-0x0000000000490000-0x000000000049E000-memory.dmpFilesize
56KB
-
memory/2632-158-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2632-243-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2632-248-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2632-293-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2632-258-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2632-263-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2632-268-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2632-273-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2632-278-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2632-283-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2632-288-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2664-24-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB