Overview

overview

10

Static

static

3

8912f84328...18.exe

windows7-x64

10

8912f84328...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    01-06-2024 02:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8912f843288f3437fa4fb70864a02398_JaffaCakes118.exe

  • Size

    264KB

  • MD5

    8912f843288f3437fa4fb70864a02398

  • SHA1

    3047ba754a9afa70008df0a70828d0df88dae218

  • SHA256

    8542add4d0be5aeb3cce0ea38cc9aac309cfb773b1f260240c7e235d7e9eb418

  • SHA512

    3f7b41555e0bd3ca02eb6a96a916d992853c876b9a8acfa2bd26d8b40001045e535051d411e1eb09c3c43c2a7c6362cdf71b8f1621fb4dcfbb711d392f83bd11

  • SSDEEP

    6144:yxctHyOkXEUTl9y70I4FQdT+/snHqiFimahPg5:ttHyZXEUTnhGT+/sHXV5

Score
10/10
modiloaderevasionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
    evasion
  • ModiLoader Second Stage 59 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8912f843288f3437fa4fb70864a02398_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8912f843288f3437fa4fb70864a02398_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Users\Admin\AppData\Local\Temp\8912f843288f3437fa4fb70864a02398_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\8912f843288f3437fa4fb70864a02398_JaffaCakes118.exe"
      2⤵
        PID:1496
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" javascript:IQLf6Oy="pzvpjIy";Ld03=new%20ActiveXObject("WScript.Shell");BVwHN8h="qPsoxE";L7NY1u=Ld03.RegRead("HKLM\\software\\Wow6432Node\\IPnNciJu\\u5ElzLs9");HjRwW3o="XSSDig";eval(L7NY1u);G8Ku6CKqx="e0sE";
      1⤵
      • Process spawned unexpected child process
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:zgslvw
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe
          3⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VirtualBox drivers on disk
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Deletes itself
          • Drops startup file
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1968
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\SysWOW64\regsvr32.exe"
            4⤵
              PID:1984

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Virtualization/Sandbox Evasion

      3
      T1497

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Software Discovery

      1
      T1518

      Query Registry

      4
      T1012

      Virtualization/Sandbox Evasion

      3
      T1497

      File and Directory Discovery

      1
      T1083

      System Information Discovery

      3
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\d3afae00\52d5d4d8.73caeeca8
        Filesize

        16KB

        MD5

        de39fa8d8dbce4a973ad2e08e7e51a59

        SHA1

        9196ef29fe4266f79e6790f4edf3f5439b136bd2

        SHA256

        e7e0191e1a6a35168eb22c0e95728994c86a1ae481f391f90db98ad1183fa6b8

        SHA512

        3cb82ea9ac9b1ed5497861bd514f80eb1ddab0829718996b205ab7c8b91dafd48f6254fefeee5d10f6b94801d244452897a5842debf58ce402edd44ae4332c82

        Download Submit
      • C:\Users\Admin\AppData\Local\d3afae00\9a86c6c3.lnk
        Filesize

        897B

        MD5

        90633547768400ecdcde5c13022ed3db

        SHA1

        e167b8df4a8a6d7962d659fe0dcd3fb7b3880cb2

        SHA256

        7808b407430ba9946d902fedeb8a8c1e1c75533eb6d7d561e318698d9e01b8db

        SHA512

        1cf195350d2b55b703604924908d7bdf2279e9cb28ffef97c519f3da99af2ca8633af4956410e1772272be372b0dad6d2983c073aaa34c138f51a2bb3e76d750

        Download Submit
      • C:\Users\Admin\AppData\Local\d3afae00\d2239679.bat
        Filesize

        67B

        MD5

        f2ae417dcfcbe11a00d1102e6b587247

        SHA1

        0078bd4798af0b8a717425f1a85a1ff2a70c4c37

        SHA256

        0dc66bcd192c0da909958e43407fb9c4eb212c0471e715e32555f9399549255b

        SHA512

        8fd8d7af58ce744f505ec537830104bab71f86e87f7184bb6f0b699c8eed5f68ffd97211c435771b76aae94c8a74f782b656923c0f61f7189349b744d76f7dea

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e795bdc5.lnk
        Filesize

        999B

        MD5

        332d89cdd9f7093aaaded03628ac09c5

        SHA1

        b23a6de9c5bfa36378126b59bf0917176ece44c2

        SHA256

        05c93c5f985005cbab0c87d6490a0e79dc4851f6b889c0a9f97dc01ae4204c1c

        SHA512

        152a18e6c3dc4f4fd8f54d98383e5ca170508f6f98baf4850f1a22a73db587b498854387e5d57f788ced3dfc025ff24168dc748fc8cf9f35d23b6849fecc5a9b

        Download Submit
      • C:\Users\Admin\AppData\Roaming\e00a3efa\fe73a489.73caeeca8
        Filesize

        3KB

        MD5

        33d030283c123ff7cb1fbb9535f2ad54

        SHA1

        e8f20f82cc16ce8f4f52e742ce347e41d8e47a25

        SHA256

        eb6878c40e1c46100f461f4d89236f98f2f5435cdda9c28d4cd4ecb8b573aa57

        SHA512

        53dd27df6639f7a627916f218382b1ccf6c43ef94fa777dd0a7fd18c5d2dc4b4552a6958114c3f432059fd656c04207833a884d293f49e49289e14ca5d3c7491

        Download Submit
      • memory/1496-9-0x0000000001D90000-0x0000000001E66000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1496-10-0x0000000001D90000-0x0000000001E66000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1496-8-0x0000000001D90000-0x0000000001E66000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1496-7-0x0000000001D90000-0x0000000001E66000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1496-12-0x0000000001D90000-0x0000000001E66000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1496-13-0x0000000001D90000-0x0000000001E66000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1496-11-0x0000000001D90000-0x0000000001E66000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1496-6-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/1496-5-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/1496-3-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/1968-56-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-38-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-30-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-31-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-29-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-48-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-32-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-34-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-60-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-59-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-66-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-45-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-49-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-47-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-67-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-50-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-57-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-37-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-55-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-46-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-44-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-43-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-42-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-40-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-39-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-41-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-36-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-35-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-24-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-25-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-28-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1968-33-0x0000000000220000-0x0000000000361000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1984-78-0x0000000000190000-0x00000000002D1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1984-83-0x0000000000190000-0x00000000002D1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1984-74-0x0000000000190000-0x00000000002D1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1984-87-0x0000000000190000-0x00000000002D1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1984-79-0x0000000000190000-0x00000000002D1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1984-77-0x0000000000190000-0x00000000002D1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1984-82-0x0000000000190000-0x00000000002D1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1984-80-0x0000000000190000-0x00000000002D1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1984-84-0x0000000000190000-0x00000000002D1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1984-86-0x0000000000190000-0x00000000002D1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1984-81-0x0000000000190000-0x00000000002D1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1984-85-0x0000000000190000-0x00000000002D1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1984-76-0x0000000000190000-0x00000000002D1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1984-75-0x0000000000190000-0x00000000002D1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1984-73-0x0000000000190000-0x00000000002D1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2608-22-0x0000000006240000-0x0000000006316000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2608-27-0x0000000006240000-0x0000000006316000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2792-0-0x0000000000400000-0x000000000040D000-memory.dmp
        Filesize

        52KB

        Download