Overview

overview

10

Static

static

3

8a9f7738f9...18.exe

windows7-x64

10

8a9f7738f9...18.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    01-06-2024 13:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8a9f7738f925764c5b4e8807eab49b72_JaffaCakes118.exe

  • Size

    407KB

  • MD5

    8a9f7738f925764c5b4e8807eab49b72

  • SHA1

    a752060182a95ddb7514330a63853362dc13a10e

  • SHA256

    4e3b31344f80b1693ee28cedb5109a9a4e522c8ef225f6087e480954fa76b3d6

  • SHA512

    fb0a687fb4507d1b3d3bf3dcbbe1b2972294a8562df74651a726d7246058b58fcb01c1c332da56cc81b87ccf522211811e7654772017193766b801e10201127e

  • SSDEEP

    6144:/BemJ2TYhimZQWM3Ac7zfW2geZToVBkjM+jcBCvvU83FLOV3bDOz6ABivpPFO:/B0T2imZEQcX+2g0ToVBIcIvvU8dudJy

Score
10/10
modiloaderevasionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
    evasion
  • ModiLoader Second Stage 53 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a9f7738f925764c5b4e8807eab49b72_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8a9f7738f925764c5b4e8807eab49b72_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Users\Admin\AppData\Local\Temp\8a9f7738f925764c5b4e8807eab49b72_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\8a9f7738f925764c5b4e8807eab49b72_JaffaCakes118.exe
      2⤵
        PID:1524
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" javascript:HjPXTq8="HYBflixP";ll6=new%20ActiveXObject("WScript.Shell");ozg4aQ="P";lKq4e=ll6.RegRead("HKLM\\software\\Wow6432Node\\jZByuJf7\\gMOYPbQO");uTcA9v="23eaQ66";eval(lKq4e);QDq4fzA4="zPrDP";
      1⤵
      • Process spawned unexpected child process
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:xmvx
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe
          3⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VirtualBox drivers on disk
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Deletes itself
          • Drops startup file
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2804
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\SysWOW64\regsvr32.exe"
            4⤵
              PID:1980

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Virtualization/Sandbox Evasion

      3
      T1497

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Software Discovery

      1
      T1518

      Query Registry

      4
      T1012

      Virtualization/Sandbox Evasion

      3
      T1497

      File and Directory Discovery

      1
      T1083

      System Information Discovery

      3
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\416844\1a6bc1.983f33d
        Filesize

        17KB

        MD5

        09b7835a087c6085f33368d9b0de39ee

        SHA1

        49773406606d577a09ad95de3c7692812e635c17

        SHA256

        abce685d364824d6410ee6a085d30d7d52381ce0ceec3e30ada4a7f70a2951ac

        SHA512

        7ce0404d1c023339d0920955bbf96d572377f9786174caafea7007a9e3905a7be4d081a7b114d6364fc9a2a8ad46f02d458cc432ded05bc541ff922c246cf102

        Download Submit
      • C:\Users\Admin\AppData\Local\416844\7efaba.bat
        Filesize

        61B

        MD5

        a9d3ea542d72c3d4eb6e79b37f9b265e

        SHA1

        9ef048c6a4cc72891fe4b6d8c3ae59e134711cb9

        SHA256

        d287a2bcc9c2485a60329a6bb94fb260bec57524e3098a5bd7c7cedf3e460314

        SHA512

        eba879b158972749be9a48b1ff0d7393f69960da48c1f8e92c3886d9cf16ae437ac5eea449f59de788cbf5b9033ebc78311f2b591f6d41631521a3f0ea24208b

        Download Submit
      • C:\Users\Admin\AppData\Local\416844\eecdc5.lnk
        Filesize

        881B

        MD5

        5cb593bf9dd7628452f26b917940f162

        SHA1

        11c4bb3f4dfebfd3d73a922095f2436e0f675226

        SHA256

        b66f0ef9dd764525329f805c4b3bc4c66dcc55fa3541ff1a4be193af1524e285

        SHA512

        d06fea8fd08b0e4f27134b7111e5d217b29b37d911a57bb733fc91153d6790eb8924cc9fc0ba50a32f5eda19535ff9d98f30f692354499ffb3bf51e77827a742

        Download Submit
      • C:\Users\Admin\AppData\Roaming\730a4b\791dbf.983f33d
        Filesize

        1KB

        MD5

        d2240d738f72a131891a468abd5f3b7d

        SHA1

        ae8202fa29d9d670a90a26b454f061d7c23296b1

        SHA256

        5cffabea5be626df94191eef00415110c7709aad91bb18ade9d4234664c773f3

        SHA512

        f446de31ddca43caecadf7ea1899e65bacbecbff6dd7511077dab0dc6e374d71924f8fc5efe1ddaf9fbb707c82c9d8019a8ba3de3bc0b2fc23ee9a2efb1d0a60

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\be0980.lnk
        Filesize

        991B

        MD5

        2d6360fd6ca45cfeddd99fe834425345

        SHA1

        c220443cfd470e37035058fea299928fd716a4df

        SHA256

        24b6ba818738f578bb7fa3e09110e0a7f324cedd843d69f606dd4c73d9fa3213

        SHA512

        511519d11459b7ecbd0e6bcfe1351766dc2846b9c7177b7e6090bfcbe913bb865dfe9608680a99aa99b1a4437730473d98b2a16da7597355b643ea66b971e6e8

        Download Submit
      • memory/1524-1-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/1524-6-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/1524-8-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/1524-16-0x0000000000440000-0x0000000000516000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1524-18-0x0000000000440000-0x0000000000516000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1524-17-0x0000000000440000-0x0000000000516000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1524-14-0x0000000000440000-0x0000000000516000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1524-15-0x0000000000440000-0x0000000000516000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1524-19-0x0000000000440000-0x0000000000516000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1524-20-0x0000000000440000-0x0000000000516000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1524-4-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/1524-13-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/1524-12-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/1524-10-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/1524-2-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/1980-78-0x0000000000230000-0x0000000000371000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1980-79-0x0000000000230000-0x0000000000371000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1980-80-0x0000000000230000-0x0000000000371000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1980-75-0x0000000000230000-0x0000000000371000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1980-76-0x0000000000230000-0x0000000000371000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1980-77-0x0000000000230000-0x0000000000371000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2772-34-0x0000000006220000-0x00000000062F6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2772-29-0x0000000006220000-0x00000000062F6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2804-54-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-62-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-37-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-41-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-42-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-56-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-55-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-69-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-53-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-52-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-67-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-66-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-64-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-63-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-74-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-38-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-57-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-51-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-50-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-49-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-48-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-47-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-39-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-40-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-35-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-36-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-33-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-31-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-46-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-45-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-44-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2804-43-0x00000000000D0000-0x0000000000211000-memory.dmp
        Filesize

        1.3MB

        Download