Overview

overview

10

Static

static

3

62d8c34458...18.exe

windows7-x64

10

62d8c34458...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    21-05-2024 09:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    62d8c344581658b5473a6408f412fbfc_JaffaCakes118.exe

  • Size

    455KB

  • MD5

    62d8c344581658b5473a6408f412fbfc

  • SHA1

    e9842759865ca9413f9980559847b146aae46443

  • SHA256

    89a26293c1eb0f538c722381c9061390c7ffec985c2a1416265740a08dc45ffd

  • SHA512

    ac26e3f0936af799ea2a894744ce815b151ed870c663607752b4ef39b7b7c0e236e89d69249f804c76681e432558aa623ff1c729921dd1e817d2ac80e3afecb1

  • SSDEEP

    12288:WBJIgdhv77hsELGmmrJATawH9Ho1vEQJN88:i2Ihf6EqmmrJAH9IpL88

Score
10/10
modiloaderevasionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
    evasion
  • ModiLoader Second Stage 53 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\62d8c344581658b5473a6408f412fbfc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\62d8c344581658b5473a6408f412fbfc_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Users\Admin\AppData\Local\Temp\62d8c344581658b5473a6408f412fbfc_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\62d8c344581658b5473a6408f412fbfc_JaffaCakes118.exe
      2⤵
        PID:2820
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" javascript:uZJrrY21wd="XlnaYBgKLd";tq7=new%20ActiveXObject("WScript.Shell");OxoZU4Bnj="ggf";VQ8Nw=tq7.RegRead("HKLM\\software\\Wow6432Node\\P6bDX7\\GHaKJxo");HK30BeNNy="Ostl";eval(VQ8Nw);cDI4pnFY8O="eg4lhQS9vm";
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:cpydx
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe
          3⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VirtualBox drivers on disk
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Deletes itself
          • Drops startup file
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1968
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\SysWOW64\regsvr32.exe"
            4⤵
              PID:2016

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\43e4\8d79.6f350
        Filesize

        45KB

        MD5

        f4b1f0fa1439e16e54af5048e6a5be50

        SHA1

        2bfe85fa9460cded773f1f0870194d6021c43b52

        SHA256

        ae7916250049c6d9afac2d780e823a62f3c2ce03e43aab853343c6ab47029fd3

        SHA512

        f9afdbf4c2870b18646ed1978e6e2586f63166619a3ecc57396358496833120785c69ce1af2f1cfcf963c70a38187b916ddf922f82fb385c494a5afded1d6ad3

        Download Submit
      • C:\Users\Admin\AppData\Local\43e4\b67d.bat
        Filesize

        55B

        MD5

        27ce144177a8617384899301a2b4330f

        SHA1

        1dead7588f1982006065dc8a25deb05385fbe649

        SHA256

        fa24ed9d8ea201f657bfea7f56fc698a39216eecccdc29fc0a12dc3592badce4

        SHA512

        0724ac2a3c9321241afdaad3fed8923b5748a47fde6319daf4fd320420a0a20e5487c5c1e36bdea009c5e686371fd172832ba92e4e9086f307afb7d8c741608b

        Download Submit
      • C:\Users\Admin\AppData\Local\43e4\fa89.lnk
        Filesize

        857B

        MD5

        2b535668b544743e4bc668e9ed874c57

        SHA1

        7c13ba4057ce136b513f4d9d1aa795a6888f329c

        SHA256

        25bf42eeccf1eed57162e9c545ad86478bf97afbc361c8ba1ae3fe9ba7d877c3

        SHA512

        25c48edd37b3fb247f22ef6d917b1363bd43a4322fc235a3cf4e1a4d3d870a22df968a4dd92d740e96f6ba98385ae523400c3fda9862ba261ddd52d4b579c52c

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3011.lnk
        Filesize

        975B

        MD5

        2e89280c9363ca619866349da34d3828

        SHA1

        c5e5e3ec730679ffd58516d74a9b08c7de0ebfa5

        SHA256

        d9bb8e174f79b76fbcf8017dde6b2d286dd38bc1b556b27c281e3c7f170499a9

        SHA512

        08b99422c54626b47043f2608e9887b647eca2521798c85cf58d376bed061b318e70344a28572b7647f43dd40937341a9c625004b5060ca7564537d4c0e42351

        Download Submit
      • C:\Users\Admin\AppData\Roaming\ef44\0b63.6f350
        Filesize

        40KB

        MD5

        3940c2b75fc92c258a4c5dc8b8e7d906

        SHA1

        566d48e2a2a12648f310778deffa35580e7eb5cb

        SHA256

        3cd2d93d945ba612a14a910bd5fc2f159dc01568eae6e791662388db685b4f8b

        SHA512

        01342503022c577b6deabd6c7f488f7a2ffeab176bd2e1b287b5af67947550ea3a4a59e96c50e4a9de5944a01f2e94e1e359f1f445975ff85b64fd3f68781bf3

        Download Submit
      • memory/1968-48-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-50-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-54-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-43-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-44-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-45-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-49-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-74-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-67-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-51-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-52-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-31-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-33-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-53-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-38-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-42-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-47-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-35-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-36-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-37-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-39-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-40-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-72-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-46-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-56-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-55-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-41-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-57-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-62-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-66-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-65-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1968-64-0x0000000000110000-0x000000000024E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2016-80-0x0000000000200000-0x000000000033E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2016-76-0x0000000000200000-0x000000000033E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2016-77-0x0000000000200000-0x000000000033E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2016-78-0x0000000000200000-0x000000000033E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2016-79-0x0000000000200000-0x000000000033E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2016-75-0x0000000000200000-0x000000000033E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2716-34-0x0000000006180000-0x0000000006254000-memory.dmp
        Filesize

        848KB

        Download
      • memory/2716-29-0x0000000006180000-0x0000000006254000-memory.dmp
        Filesize

        848KB

        Download
      • memory/2820-19-0x0000000001D70000-0x0000000001E44000-memory.dmp
        Filesize

        848KB

        Download
      • memory/2820-6-0x0000000000400000-0x0000000000439000-memory.dmp
        Filesize

        228KB

        Download
      • memory/2820-2-0x0000000000400000-0x0000000000439000-memory.dmp
        Filesize

        228KB

        Download
      • memory/2820-0-0x0000000000400000-0x0000000000439000-memory.dmp
        Filesize

        228KB

        Download
      • memory/2820-16-0x0000000001D70000-0x0000000001E44000-memory.dmp
        Filesize

        848KB

        Download
      • memory/2820-14-0x0000000001D70000-0x0000000001E44000-memory.dmp
        Filesize

        848KB

        Download
      • memory/2820-15-0x0000000001D70000-0x0000000001E44000-memory.dmp
        Filesize

        848KB

        Download
      • memory/2820-4-0x0000000000400000-0x0000000000439000-memory.dmp
        Filesize

        228KB

        Download
      • memory/2820-20-0x0000000001D70000-0x0000000001E44000-memory.dmp
        Filesize

        848KB

        Download
      • memory/2820-13-0x0000000000400000-0x0000000000439000-memory.dmp
        Filesize

        228KB

        Download
      • memory/2820-8-0x0000000000400000-0x0000000000439000-memory.dmp
        Filesize

        228KB

        Download
      • memory/2820-10-0x0000000000400000-0x0000000000439000-memory.dmp
        Filesize

        228KB

        Download
      • memory/2820-18-0x0000000001D70000-0x0000000001E44000-memory.dmp
        Filesize

        848KB

        Download
      • memory/2820-12-0x0000000000400000-0x0000000000439000-memory.dmp
        Filesize

        228KB

        Download
      • memory/2820-17-0x0000000001D70000-0x0000000001E44000-memory.dmp
        Filesize

        848KB

        Download