Overview

overview

10

Static

static

10

2edeb2ff18...18.exe

windows7-x64

10

2edeb2ff18...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    10-05-2024 11:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe

  • Size

    719KB

  • MD5

    2edeb2ff18dbc657dfb2e8aa3fd9fbc8

  • SHA1

    821705cee1712031bfea83c1673ec59c83fa6693

  • SHA256

    e275e10bea80834252aea1b5dba9a817b278b5c4a6d0594b01b1605de0b66f79

  • SHA512

    d8899f5f928ddb48396c8351c31a65a8627010ac466b4c47b8e8af7a2a529f26e499a50cebbf84a563e762f4b986543b343835d67ce1b802651bcceaed632733

  • SSDEEP

    12288:Z9s0WkglhZbd1S2XgKsIpCGUy7tkEccMtXVuOdeTqlTKFbso:ZnOhZbd1SbnKayxFKVu72lTKF/

Score
10/10
modiloaderpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 6 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Program Files (x86)\Server.exe
      "C:\Program Files (x86)\Server.exe" -k
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1728
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\Delsx.bat""
      2⤵
      • Deletes itself
      PID:2616

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Delsx.bat
    Filesize

    218B

    MD5

    c180c739e96486267d2a4b547ef358f6

    SHA1

    962691696b51120ad9118987f2876ec48fa40525

    SHA256

    ee2b6a347d5aa3af3e18e46a61ccd0565b107e9736560bc21284da4c4e6adfba

    SHA512

    1a411af0a545dfc36e3a93c7ce637eedd55ba8a85e2053201e359c7b43e631c9aa7e6da081620635b3cf82d06ba58c38af88a81f8d529dc24987d99d8a953a93

    Download Submit
  • \Program Files (x86)\Server.exe
    Filesize

    719KB

    MD5

    2edeb2ff18dbc657dfb2e8aa3fd9fbc8

    SHA1

    821705cee1712031bfea83c1673ec59c83fa6693

    SHA256

    e275e10bea80834252aea1b5dba9a817b278b5c4a6d0594b01b1605de0b66f79

    SHA512

    d8899f5f928ddb48396c8351c31a65a8627010ac466b4c47b8e8af7a2a529f26e499a50cebbf84a563e762f4b986543b343835d67ce1b802651bcceaed632733

    Download Submit
  • memory/1716-1-0x00000000002D0000-0x00000000002D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1716-14-0x0000000000400000-0x00000000007BB000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/1728-6-0x0000000000280000-0x0000000000281000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-16-0x0000000000400000-0x00000000007BB000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/1728-18-0x0000000000400000-0x00000000007BB000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/1728-23-0x0000000000400000-0x00000000007BB000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/1728-25-0x0000000000400000-0x00000000007BB000-memory.dmp
    Filesize

    3.7MB

    Download