Overview

overview

10

Static

static

3

821aa0af9b...18.exe

windows7-x64

10

821aa0af9b...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    29-05-2024 22:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    821aa0af9b1e448cb190cdb1f525f4b5_JaffaCakes118.exe

  • Size

    420KB

  • MD5

    821aa0af9b1e448cb190cdb1f525f4b5

  • SHA1

    19e2bf22c027bd993aa8a2c9ccfce07597c18f8b

  • SHA256

    6b959a28b0588409d90e02999113bd442cae3298bad61947d19ccd0787e97736

  • SHA512

    338ca5394ed0eae199294a65a908ebb6d42835d2a1ddd9b3ebf44e1085ea9dce1aa956c00dee1244b510fa813317994fd421f159c354f1c0e9b3ae9a8bb9fb39

  • SSDEEP

    6144:Na/SLBjqbdiT+3mHFfutZTP0P3gXkHclSTu8yfYsbHmze84C3SU8rp0xH:QSL8bugT0PwEhiGK8B3Op0Z

Score
10/10
modiloaderevasionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
    evasion
  • ModiLoader Second Stage 61 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\821aa0af9b1e448cb190cdb1f525f4b5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\821aa0af9b1e448cb190cdb1f525f4b5_JaffaCakes118.exe"
    1⤵
      PID:1704
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" javascript:BAp0P5bD="Y3xX";B4E=new%20ActiveXObject("WScript.Shell");tN9RBav1="0";qbM9m=B4E.RegRead("HKLM\\software\\Wow6432Node\\dzCxnE\\nX53dQDNdz");emmirl1vD="4hoqDuYy8W";eval(qbM9m);Gs3Q3OHT="hdekCOFs";
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:xnptzdx
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2764
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe
          3⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VirtualBox drivers on disk
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Deletes itself
          • Drops startup file
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:756
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\SysWOW64\regsvr32.exe"
            4⤵
              PID:872

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\7358d4\2d9c5e.1879f4f
        Filesize

        32KB

        MD5

        cb5eadf560dc3b5aa149c7107893a8f7

        SHA1

        bddd7c974ce2c32ffaa7a1234791edafc16defd4

        SHA256

        1b0147420e2a24cccdc3836648fa3a67fcc5138fffd463a915886a280b4a35d7

        SHA512

        f517d8b296a6af3c2aac9b84a0e30a159de585673a65623a8b6f975ae29b8de8461f4b6df1150665c703f9e75af088a6452de11120f7f617363f8fb9f2f39550

        Download Submit

      • C:\Users\Admin\AppData\Local\7358d4\6d45a7.bat
        Filesize

        61B

        MD5

        14adc766d85da95cd0990ed6bcc1524d

        SHA1

        e3c8f83a8fbfea658c9139d3e670d609745fb848

        SHA256

        0245cf83462c2d8f2453beb1094af0133caee498c1ab5147ee361cb8a449c1c4

        SHA512

        b4172624d668b6c1e7519cca9cbb53645ecc8b9aa1e4908801fd81983b092ed7ad26e3e29047ff5dc4e7744ee9f08dc61765133fa5957926cb4518127f4b60b8

        Download Submit

      • C:\Users\Admin\AppData\Local\7358d4\e5ae70.lnk
        Filesize

        877B

        MD5

        7298e0387167c3dcd091b6d81b7669a7

        SHA1

        4373f5798221909986bc1216c68be0e91e5abeb2

        SHA256

        9b4174d31d8f2b1d55a7f73af3401ce6a5d14026b73065e98d7f3e4484d7463d

        SHA512

        6b3648468794a9a5d0cf7f4d2451a82fde239e59843dc25b0fd8c25a962f6451cb9f1ffd40aff16ed6f941c52dea4e3d511a79878c5a55c5e53f81db8a078cea

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\94d0f9.lnk
        Filesize

        987B

        MD5

        aa54e39149e392ed22125d1706f23fbc

        SHA1

        07533595a10fa8e129c01f0be80d17d370c3912a

        SHA256

        8c868e591e57a9616847f102c647e16f06fdb6d107b0a5540a37a6352e9775dd

        SHA512

        28f13c1cb6981313f1dc8de57db38734903939780d02ce14dc14673eaa918e7f458989eed29fbf364008c9f0943ceceae2a0190be406068c5fa5e9289bdb9aaa

        Download Submit

      • C:\Users\Admin\AppData\Roaming\e53183\8858ab.1879f4f
        Filesize

        17KB

        MD5

        2a880d9ffacfb5a03bdcb409c2c9c78a

        SHA1

        c8bb1f79016573f9618c9452bdc5df405d3659d0

        SHA256

        cff123dab9320d1db27beb544dbbbf9fd24c23eb0df61d5212ddae57c6664b52

        SHA512

        dfee891287091599766fb8901d217c9fae1e5c0028e85718f7df3bb1462ebabd11c964d9ad5de1b898aef87479e4be0add9cbfddc856fabf4a689912c5df1020

        Download Submit

      • memory/756-31-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-41-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-29-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-21-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-24-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-38-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-45-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-25-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-26-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-46-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-44-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-43-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-42-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-28-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-40-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-39-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-37-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-36-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-35-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-34-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-33-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-54-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-57-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-63-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-55-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-53-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-52-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-51-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-32-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-20-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-30-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/756-27-0x0000000000230000-0x000000000036E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/872-70-0x0000000000130000-0x000000000026E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/872-79-0x0000000000130000-0x000000000026E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/872-65-0x0000000000130000-0x000000000026E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/872-78-0x0000000000130000-0x000000000026E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/872-64-0x0000000000130000-0x000000000026E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/872-76-0x0000000000130000-0x000000000026E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/872-77-0x0000000000130000-0x000000000026E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/872-66-0x0000000000130000-0x000000000026E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/872-67-0x0000000000130000-0x000000000026E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/872-68-0x0000000000130000-0x000000000026E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/872-81-0x0000000000130000-0x000000000026E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/872-82-0x0000000000130000-0x000000000026E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/872-80-0x0000000000130000-0x000000000026E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/872-69-0x0000000000130000-0x000000000026E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/872-71-0x0000000000130000-0x000000000026E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/872-75-0x0000000000130000-0x000000000026E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/872-72-0x0000000000130000-0x000000000026E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/872-74-0x0000000000130000-0x000000000026E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/872-73-0x0000000000130000-0x000000000026E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1704-9-0x00000000020F0000-0x00000000021C4000-memory.dmp

        Filesize

        848KB

        Download

      • memory/1704-7-0x00000000020F0000-0x00000000021C4000-memory.dmp

        Filesize

        848KB

        Download

      • memory/1704-1-0x0000000000530000-0x000000000056A000-memory.dmp

        Filesize

        232KB

        Download

      • memory/1704-0-0x0000000000400000-0x000000000046C000-memory.dmp

        Filesize

        432KB

        Download

      • memory/1704-6-0x00000000020F0000-0x00000000021C4000-memory.dmp

        Filesize

        848KB

        Download

      • memory/1704-3-0x00000000020F0000-0x00000000021C4000-memory.dmp

        Filesize

        848KB

        Download

      • memory/1704-5-0x00000000020F0000-0x00000000021C4000-memory.dmp

        Filesize

        848KB

        Download

      • memory/1704-4-0x00000000020F0000-0x00000000021C4000-memory.dmp

        Filesize

        848KB

        Download

      • memory/1704-8-0x00000000020F0000-0x00000000021C4000-memory.dmp

        Filesize

        848KB

        Download

      • memory/1704-2-0x0000000000400000-0x000000000046C000-memory.dmp

        Filesize

        432KB

        Download

      • memory/2764-23-0x0000000006170000-0x0000000006244000-memory.dmp

        Filesize

        848KB

        Download

      • memory/2764-19-0x0000000006170000-0x0000000006244000-memory.dmp

        Filesize

        848KB

        Download