Overview

overview

10

Static

static

3

5a0ff9ac2b...18.exe

windows7-x64

10

5a0ff9ac2b...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    19-05-2024 12:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5a0ff9ac2b1f64038aaeb077e4c7daca_JaffaCakes118.exe

  • Size

    389KB

  • MD5

    5a0ff9ac2b1f64038aaeb077e4c7daca

  • SHA1

    39d389ac45a1f2736d8b5958005c506ddeb9dc7b

  • SHA256

    ed995d2142c3bf0e319996e4608c6f3a2fe9573d34b29dbbc2ed1e6bc9b27245

  • SHA512

    7b16d5df1a860908b0ac0fbcfa59601eab8771d6afbec2eba8126fd1253f627b918ab0bdbc3b92f92b3812d1b205d82463edf263319224fd9ce36785944460ec

  • SSDEEP

    12288:hY2ogHxQhEEL/xdbe2Xjnh1vuyTWnlxc3ouxsxj:vpHxQOYDzTTuyLouxKj

Score
10/10
modiloaderevasionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
    evasion
  • ModiLoader Second Stage 57 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a0ff9ac2b1f64038aaeb077e4c7daca_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5a0ff9ac2b1f64038aaeb077e4c7daca_JaffaCakes118.exe"
    1⤵
      PID:2880
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" javascript:ac7QNa="mbpM";eB4=new%20ActiveXObject("WScript.Shell");rrTCA0jC="JEjpW";YL8Um=eB4.RegRead("HKCU\\software\\9PjE8PL\\QyQMLU3");Y4tqvfSf="trn4XVG";eval(YL8Um);vwq13z="jsN";
      1⤵
      • Process spawned unexpected child process
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:htwmel
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe
          3⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VirtualBox drivers on disk
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Deletes itself
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2724
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\SysWOW64\regsvr32.exe"
            4⤵
              PID:1188

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\d866a3c3\1ac3c0ce.5ad3c886b
        Filesize

        2KB

        MD5

        9292c1258bebaefe45fcd0bba0b474d4

        SHA1

        c703ab62cf1a76f2f4cdef77da92362821474815

        SHA256

        25c6ac471aa82e0e2e005201b5a84231ead3576db075ffe8ad56b406ff650a04

        SHA512

        9fd8ac61a8088ce03fb81c84acb255338b13af14be241f8738fb433594a99685b0a8f3f94e077a548a8fb605d913cda577f930970bb622c538725d4a658a36fa

        Download Submit

      • C:\Users\Admin\AppData\Local\d866a3c3\2abf568c.bat
        Filesize

        77B

        MD5

        b11ccc7015a42d2d7fe4368165fcd908

        SHA1

        68018e8defe90e940a00f8b752c3d854a2a81268

        SHA256

        c4a5e8d37523bb40e2631787e371e29bae0305d2d1022d119fbe6226361464ff

        SHA512

        e7194d23edca8dbcbaed1138a04b9739bbe094ce577f941989cbe3b420f764048c95bcff8c7b677b131c47bb421f9092752a5ee9d3f9bcf62f9d5b357099edbf

        Download Submit

      • memory/1188-68-0x00000000001E0000-0x000000000032A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1188-61-0x00000000001E0000-0x000000000032A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1188-62-0x00000000001E0000-0x000000000032A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1188-65-0x00000000001E0000-0x000000000032A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1188-63-0x00000000001E0000-0x000000000032A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1188-70-0x00000000001E0000-0x000000000032A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1188-72-0x00000000001E0000-0x000000000032A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1188-64-0x00000000001E0000-0x000000000032A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1188-66-0x00000000001E0000-0x000000000032A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1188-67-0x00000000001E0000-0x000000000032A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1188-69-0x00000000001E0000-0x000000000032A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1188-71-0x00000000001E0000-0x000000000032A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1188-73-0x00000000001E0000-0x000000000032A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-35-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-15-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-46-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-52-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-51-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-50-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-49-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-48-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-47-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-41-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-40-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-39-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-34-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-38-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-37-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-18-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-33-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-32-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-31-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-30-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-29-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-27-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-26-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-25-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-24-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-23-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-36-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-21-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-19-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-28-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-22-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2724-20-0x00000000001F0000-0x000000000033A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2740-14-0x0000000005850000-0x000000000592C000-memory.dmp

        Filesize

        880KB

        Download

      • memory/2740-17-0x0000000005850000-0x000000000592C000-memory.dmp

        Filesize

        880KB

        Download

      • memory/2740-13-0x0000000002F70000-0x0000000002F71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2880-8-0x0000000001E70000-0x0000000001F4C000-memory.dmp

        Filesize

        880KB

        Download

      • memory/2880-53-0x0000000001E70000-0x0000000001F4C000-memory.dmp

        Filesize

        880KB

        Download

      • memory/2880-9-0x0000000001E70000-0x0000000001F4C000-memory.dmp

        Filesize

        880KB

        Download

      • memory/2880-0-0x0000000000400000-0x000000000046A120-memory.dmp

        Filesize

        424KB

        Download

      • memory/2880-5-0x0000000001E70000-0x0000000001F4C000-memory.dmp

        Filesize

        880KB

        Download

      • memory/2880-6-0x0000000001E70000-0x0000000001F4C000-memory.dmp

        Filesize

        880KB

        Download

      • memory/2880-3-0x0000000001E70000-0x0000000001F4C000-memory.dmp

        Filesize

        880KB

        Download

      • memory/2880-7-0x0000000000400000-0x000000000046A120-memory.dmp

        Filesize

        424KB

        Download

      • memory/2880-4-0x0000000001E70000-0x0000000001F4C000-memory.dmp

        Filesize

        880KB

        Download

      • memory/2880-2-0x0000000001E70000-0x0000000001F4C000-memory.dmp

        Filesize

        880KB

        Download

      • memory/2880-1-0x0000000000457000-0x0000000000459000-memory.dmp

        Filesize

        8KB

        Download