Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 28-06-2024 10:36
Static task: static1
Behavioral task: behavioral1
  Sample: 19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe
Size: 485KB
MD5: 19cecf434d6510005f4ef4ffd07489a7
SHA1: f2c75b32409b9e1edea4894637904cabd56de728
SHA256: ca8e1a906664033cb29d998d053c86d9299f30929abcad4fb565c7c62a3e6e0b
SHA512: bb52b987b4421a2e982aaaea8f49fc9a394820263c9027924f3574c9dad69ca457c64e30f41fb3622f8389eb95673d72efa6019b2dd2325b7a0a12ece694799f
SSDEEP: 12288:0vwf5Vn6gSpWlHpr2yhe/zXFYGq60eVh1bCRREg:15VnSp0pr/+1YyVVh1eRRz
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

UAC bypass
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | _D54D~1.EXE
ModiLoader Second Stage (1 IoC)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\_D54D~1.EXE | modiloader_stage2
Executes dropped EXE (2 IoCs)
Processes:
  pid | process
  1804 | مشفر من الافاست+الكاسبر2.exe
  2320 | _D54D~1.EXE
Loads dropped DLL (6 IoCs)
Processes:
  pid | process
  3040 | 19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe
  1804 | مشفر من الافاست+الكاسبر2.exe
  1804 | مشفر من الافاست+الكاسبر2.exe
  2320 | _D54D~1.EXE
  2320 | _D54D~1.EXE
  2320 | _D54D~1.EXE
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | مشفر من الافاست+الكاسبر2.exe
Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | _D54D~1.EXE
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | _D54D~1.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (9 IoCs)
Processes:
  description | pid | process
  Token: 33 | 3040 | 19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege | 3040 | 19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe
  Token: 33 | 3040 | 19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege | 3040 | 19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe
  Token: 33 | 3040 | 19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege | 3040 | 19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe
  Token: 33 | 1804 | مشفر من الافاست+الكاسبر2.exe
  Token: SeIncBasePriorityPrivilege | 1804 | مشفر من الافاست+الكاسبر2.exe
  Token: SeDebugPrivilege | 2320 | _D54D~1.EXE
Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  description | pid | process | target process
  PID 3040 wrote to memory of 1804 | 3040 | 19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe | مشفر من الافاست+الكاسبر2.exe
  PID 3040 wrote to memory of 1804 | 3040 | 19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe | مشفر من الافاست+الكاسبر2.exe
  PID 3040 wrote to memory of 1804 | 3040 | 19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe | مشفر من الافاست+الكاسبر2.exe
  PID 3040 wrote to memory of 1804 | 3040 | 19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe | مشفر من الافاست+الكاسبر2.exe
  PID 3040 wrote to memory of 1804 | 3040 | 19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe | مشفر من الافاست+الكاسبر2.exe
  PID 3040 wrote to memory of 1804 | 3040 | 19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe | مشفر من الافاست+الكاسبر2.exe
  PID 3040 wrote to memory of 1804 | 3040 | 19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe | مشفر من الافاست+الكاسبر2.exe
  PID 1804 wrote to memory of 2320 | 1804 | مشفر من الافاست+الكاسبر2.exe | _D54D~1.EXE
  PID 1804 wrote to memory of 2320 | 1804 | مشفر من الافاست+الكاسبر2.exe | _D54D~1.EXE
  PID 1804 wrote to memory of 2320 | 1804 | مشفر من الافاست+الكاسبر2.exe | _D54D~1.EXE
  PID 1804 wrote to memory of 2320 | 1804 | مشفر من الافاست+الكاسبر2.exe | _D54D~1.EXE
  PID 1804 wrote to memory of 2320 | 1804 | مشفر من الافاست+الكاسبر2.exe | _D54D~1.EXE
  PID 1804 wrote to memory of 2320 | 1804 | مشفر من الافاست+الكاسبر2.exe | _D54D~1.EXE
  PID 1804 wrote to memory of 2320 | 1804 | مشفر من الافاست+الكاسبر2.exe | _D54D~1.EXE
System policy modification (1 TTP, 1 IoC)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | _D54D~1.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Microsoft® Windows® Operating System\6.00.2900.2180\1432.01.22T20.53\Virtual\STUBEXE\@APPDATALOCAL@\Temp\مشفر من الافاست+الكاسبر2.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\مشفر من الافاست+الكاسبر2.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Microsoft® Windows® Operating System\6.00.2900.2180\1432.01.22T20.53\Native\STUBEXE\@APPDATALOCAL@\Temp\IXP000.TMP\_D54D~1.EXE
         command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\_D54D~1.EXE
         - UAC bypass
         - Executes dropped EXE
         - Loads dropped DLL
         - Checks whether UAC is enabled
         - Suspicious use of AdjustPrivilegeToken
         - System policy modification
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\_D54D~1.EXE
  Filesize: 270KB
  MD5: 2d1b254f668f1debac0c359db4967727
  SHA1: 1fd3c82da7dcf2dfc60b4cca190d98f1e9bcdaec
  SHA256: e640d3e43c0c0eab65ea0dd9b61a7f7dd05a1e398331f70770ae6251e8ca1d9b
  SHA512: 533389c088840c9607e5dc7f1a3ec61bdd06ee7ceb472000d58c3ddcc88b6e00dc93c8b0659cd472d93528b1ffc39255b83408ff1ef8f21832879f0c9ff136eb

\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmsetac.dll
  Filesize: 32KB
  MD5: 50f88fa1912c53e81e96300561bdc04f
  SHA1: 353c5218e53ebbc72fff5ec7e438fd2c35d343ae
  SHA256: ca9efee52822b8ae28fff5571eadd37d32b5e16741083873aa8353697d7dd3e4
  SHA512: 9572884bc583988e7c17968058e27176e8f9dad2189fa76e4c86527997703bfa10aaee54e75d403b89b131bda6bf6af89a81af9d9ec9a93958d4d57110234a89

\Users\Admin\AppData\Local\Temp\IXP000.TMP\ntdtcstp.dll
  Filesize: 7KB
  MD5: 4f5f71f478d62934e70e3e6f7d186f01
  SHA1: 211475c13aa59e5dfed87e351a4607824ba6b46a
  SHA256: 38da43c83c1aefcd095a6938ab55a79a00b1bab46e6955988a4dd33f0b784347
  SHA512: f207597e271f9397c411e2046ce431a70c64500186f05b911261c5c338d5ff0cdf68294d912995ea5595df2af7e66fae9c61fdf9b8cf837cb85268877cc98295

\Users\Admin\AppData\Local\Xenocode\Sandbox\Microsoft® Windows® Operating System\6.00.2900.2180\1432.01.22T20.53\Native\STUBEXE\@APPDATALOCAL@\Temp\IXP000.TMP\_D54D~1.EXE
  Filesize: 17KB
  MD5: 1bf583f51e952cebc47b79120dc74bbb
  SHA1: e3816da53a88e86fe891cac2ecc492d807a6b68e
  SHA256: 64f317d52dfb9946884ade0c94e6e7ac20f0b56f55875f63d3930f34566483fc
  SHA512: 66af90f709dcf92b1b121b15ce6a54dc5bb2395c4e814ec40d4fc663d1318ea1f361f0416e32b749ec49b6718077357617dff382df19c1d98a3fd55d8b578d62

\Users\Admin\AppData\Local\Xenocode\Sandbox\Microsoft® Windows® Operating System\6.00.2900.2180\1432.01.22T20.53\Virtual\STUBEXE\@APPDATALOCAL@\Temp\مشفر من الافاست+الكاسبر2.exe
  Filesize: 17KB
  MD5: fb15206c0c0cc44af35506ea5243f403
  SHA1: cf681accc8c189a4cc84a66ce1174c4279306ffa
  SHA256: 20495fe63dceda8532557f499a83ab7c9375d398341156dddedadae7fe4e792c
  SHA512: 295308ac36759a6c4ab80c68a030e371e7a438673732271281b6048a4f770197f50f24f5cca6f69a7ebf4dddd78671b307d348c5777a05d1dcae89052e88325c
Memory dumps of PID 3040 (each covers 0x0000000000E20000-0x0000000000E8C000, Filesize 432KB):
  memory/3040-36-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-193-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-1-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-0-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-16-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-18-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-46-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-20-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-22-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-24-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-26-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-28-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-30-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-32-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-38-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-14-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-34-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-3-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-64-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-62-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-60-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-58-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-56-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-54-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-52-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-50-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-48-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-44-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-42-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-40-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-6-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-5-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-8-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-10-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-12-0x0000000000E20000-0x0000000000E8C000-memory.dmp
  memory/3040-946-0x0000000000E20000-0x0000000000E8C000-memory.dmp