Overview

overview

10

Static

static

3

309aa62b90...18.exe

windows7-x64

10

309aa62b90...18.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

25.html

windows7-x64

1

25.html

windows10-2004-x64

1

catalog.js

windows7-x64

3

catalog.js

windows10-2004-x64

3

constants$...100.js

windows7-x64

3

constants$...100.js

windows10-2004-x64

3

cua700985938.html

windows7-x64

1

cua700985938.html

windows10-2004-x64

1

cua768556328.html

windows7-x64

1

cua768556328.html

windows10-2004-x64

1

cua811702334.html

windows7-x64

1

cua811702334.html

windows10-2004-x64

1

gkamus-uninst.exe

windows7-x64

7

gkamus-uninst.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

navigation.js

windows7-x64

3

navigation.js

windows10-2004-x64

3

writing.html

windows7-x64

1

writing.html

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10-05-2024 19:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    309aa62b90a286c54ffcae887aadbf0b_JaffaCakes118.exe

  • Size

    347KB

  • MD5

    309aa62b90a286c54ffcae887aadbf0b

  • SHA1

    9194f50d1c11e0bbc7e8b3697ba2f3fac42ee853

  • SHA256

    692878ac81e6439a2af9d3e558b4456a5abae4c029a196b62e8b5b316fd3571b

  • SHA512

    e28840eca6e3c82b5808faed56c7a332515f9fe9ddd7af25b839f6fade25f6a3319e4f8b514d66a10ff1434906bc42a9e2fb18c28acf36ce3e970787a1eea09f

  • SSDEEP

    6144:YZ/qRrMhvBX9YuyY3qj8Qlb5D6WWhJAqDhUNEH09XA4pMj:YBZhvd9Yu5aj8Qld25wcv4pMj

Score
10/10
modiloaderevasionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
    evasion
  • ModiLoader Second Stage 56 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\309aa62b90a286c54ffcae887aadbf0b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\309aa62b90a286c54ffcae887aadbf0b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of UnmapMainImage
    PID:1948
  • C:\Windows\system32\mshta.exe
    "C:\Windows\system32\mshta.exe" javascript:Is9cKX7qW="w";HY28=new%20ActiveXObject("WScript.Shell");BLh8YF6="lt";xa1aP=HY28.RegRead("HKCU\\software\\v97cqOOsJW\\CwDh0EXzX0");V8YjEd="I";eval(xa1aP);kRKv9sKH="ZtuMH";
    1⤵
    • Process spawned unexpected child process
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:xqmsgw
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe
        3⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VirtualBox drivers on disk
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Deletes itself
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2524
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\SysWOW64\regsvr32.exe"
          4⤵
            PID:1812

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nst2A5C.tmp\System.dll
      Filesize

      11KB

      MD5

      ee260c45e97b62a5e42f17460d406068

      SHA1

      df35f6300a03c4d3d3bd69752574426296b78695

      SHA256

      e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27

      SHA512

      a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

      Download Submit
    • memory/1812-95-0x0000000000210000-0x0000000000357000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1812-92-0x0000000000210000-0x0000000000357000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1812-93-0x0000000000210000-0x0000000000357000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1812-94-0x0000000000210000-0x0000000000357000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1812-102-0x0000000000210000-0x0000000000357000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1812-101-0x0000000000210000-0x0000000000357000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1812-100-0x0000000000210000-0x0000000000357000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1812-99-0x0000000000210000-0x0000000000357000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1812-98-0x0000000000210000-0x0000000000357000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1812-97-0x0000000000210000-0x0000000000357000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1812-96-0x0000000000210000-0x0000000000357000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1948-31-0x0000000002CB0000-0x0000000002D8A000-memory.dmp
      Filesize

      872KB

      Download
    • memory/1948-32-0x0000000002CB0000-0x0000000002D8A000-memory.dmp
      Filesize

      872KB

      Download
    • memory/1948-37-0x00000000004A0000-0x00000000004DB000-memory.dmp
      Filesize

      236KB

      Download
    • memory/1948-34-0x0000000002CB0000-0x0000000002D8A000-memory.dmp
      Filesize

      872KB

      Download
    • memory/1948-33-0x0000000002CB0000-0x0000000002D8A000-memory.dmp
      Filesize

      872KB

      Download
    • memory/1948-29-0x0000000002CB0000-0x0000000002D8A000-memory.dmp
      Filesize

      872KB

      Download
    • memory/1948-30-0x0000000002CB0000-0x0000000002D8A000-memory.dmp
      Filesize

      872KB

      Download
    • memory/1948-38-0x0000000002CB0000-0x0000000002D8A000-memory.dmp
      Filesize

      872KB

      Download
    • memory/1948-28-0x0000000002CB0000-0x0000000002D8A000-memory.dmp
      Filesize

      872KB

      Download
    • memory/1948-27-0x0000000002CB0000-0x0000000002D8A000-memory.dmp
      Filesize

      872KB

      Download
    • memory/1948-22-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1948-19-0x00000000004A0000-0x00000000004DB000-memory.dmp
      Filesize

      236KB

      Download
    • memory/1948-89-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1948-91-0x0000000002CB0000-0x0000000002D8A000-memory.dmp
      Filesize

      872KB

      Download
    • memory/2524-52-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-78-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-55-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-51-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-50-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-49-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-47-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-46-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-48-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-66-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-68-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-70-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-69-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-75-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-67-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-65-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-79-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-53-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-77-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-76-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-56-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-57-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-58-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-63-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-62-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-59-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-60-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-61-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-54-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-42-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2524-43-0x00000000001E0000-0x0000000000327000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2560-45-0x00000000061E0000-0x00000000062BA000-memory.dmp
      Filesize

      872KB

      Download
    • memory/2560-41-0x00000000061E0000-0x00000000062BA000-memory.dmp
      Filesize

      872KB

      Download