Overview

overview

10

Static

static

3

8d684913f3...18.exe

windows7-x64

10

8d684913f3...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-06-2024 08:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8d684913f38ad727716c20d606a45168_JaffaCakes118.exe

  • Size

    336KB

  • MD5

    8d684913f38ad727716c20d606a45168

  • SHA1

    b96c210008b8450a36f35b63ed2793428e41f4a6

  • SHA256

    1241340d113fa69016b10572019d2d92cf576804f090b8434bce6ab5dba6699c

  • SHA512

    11a5ea672a3832813718ede44fbb824e8f394b7a4bedd774f1727403b18d350a36c13b9554449bd68b0f7931d559c021ba57a0196ff61a1e077224420897ddaf

  • SSDEEP

    6144:A2coqsSYTgK00Nn8zsW39AH9nPiuYgNxSCSB5VT:A2vqvYUv0NnOsW32x/YuoBjT

Score
10/10
modiloaderevasionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
    evasion
  • ModiLoader Second Stage 61 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d684913f38ad727716c20d606a45168_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8d684913f38ad727716c20d606a45168_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Users\Admin\AppData\Local\Temp\8d684913f38ad727716c20d606a45168_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\8d684913f38ad727716c20d606a45168_JaffaCakes118.exe"
      2⤵
        PID:2228
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" javascript:XE1N2mc="XKb0W";Er60=new%20ActiveXObject("WScript.Shell");sgDQTgZ5="Su4";DO6ab=Er60.RegRead("HKCU\\software\\8HA54MX\\ULGyWQ");YK6QTgs3="lm";eval(DO6ab);iX8UXpD="nBI";
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:rntrb
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe
          3⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VirtualBox drivers on disk
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Deletes itself
          • Drops startup file
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2952
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\SysWOW64\regsvr32.exe"
            4⤵
              PID:1672

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Virtualization/Sandbox Evasion

      3
      T1497

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Software Discovery

      1
      T1518

      Query Registry

      4
      T1012

      Virtualization/Sandbox Evasion

      3
      T1497

      File and Directory Discovery

      1
      T1083

      System Information Discovery

      3
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\d7174\043bc.c56af4
        Filesize

        5KB

        MD5

        1479a30ac7418b59a0cbe8edef8a75c8

        SHA1

        5fe7abeabb34227a9bcad6a27a7757070338ccde

        SHA256

        88bd952e95682f387cd017ee924dff77f1308acc33c8cb3d10b901e81446dc28

        SHA512

        7479ee3de0db6678229acc3c69b411c86784646aff637dbcdaf24e722317b0467acb91edc16ad29cb7a101db9140ce88feab6acd3a9e1c09bc86458a86322776

        Download Submit
      • C:\Users\Admin\AppData\Local\d7174\cc24b.lnk
        Filesize

        865B

        MD5

        1550f0755a5bfcc63dcf3fc4bcde7184

        SHA1

        75a0ccfddf639cf53a79c22d036b976a4919beaf

        SHA256

        d3ec6f4c7f4a06d771de870fc27aca59398fc953e761f4f9c46dde44d4d30b59

        SHA512

        a9e033489b7eb069070efa1d90c709831d9f635fab316e49960698b348ad4caf768cc1cf8d3dd6cf462a3cfe2c8aa36a46375ed5f761ec01e84dbfa55cc465e0

        Download Submit
      • C:\Users\Admin\AppData\Local\d7174\ee03f.bat
        Filesize

        58B

        MD5

        62b289d68029a539bc6acca66690657f

        SHA1

        40fda721df69a4d2174bbac91ed08a3358c4e155

        SHA256

        1e2637fa0f8059e703044b8dc939a206f49986e35cb533283b8a336c6487d213

        SHA512

        cf48bedf220700b84a3a4474b18fb922379685cfc217c0c63041fafd192529cb5f4dade4139f61acb2c7513f7c7daf33988b7c4a8472370bbca5634c49688549

        Download Submit
      • C:\Users\Admin\AppData\Roaming\3aef8\6d479.c56af4
        Filesize

        43KB

        MD5

        454280849468f78f922326ba84c04cb1

        SHA1

        17da5b5c814bf1b0b2ea62c121c8930a6dd4089b

        SHA256

        1d18dd41708fb4dfd482bccedffad7c0642e869855afb6bee20d841abb67cec3

        SHA512

        58b5d5d6fda4243ca40c6d015e86884bd843b6ed56f0515184a1f73ef9deb3eb73ed7e5c46375292a9525a4f0b593b861719d01176c2f0ab6c097290fea49220

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\16291.lnk
        Filesize

        981B

        MD5

        67de599baeaf8c09e401f1207eae1071

        SHA1

        fd2cbb7a5fd187510521b495ec3cbd5ea312355c

        SHA256

        3a9374281af9555dee3eebec504ccb6e8a84a1bb2de389b0d78e3989eb9bf090

        SHA512

        5f40be1c7173c011b0bcf488d42ea668d1a373cc8665ee1b59a8b63c66f1c3dcf60a280eae099a3e6a52e1b475518da29c251824ef38e3145641bf9b2bd4997e

        Download Submit
      • memory/1672-71-0x00000000002A0000-0x00000000003E7000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1672-78-0x00000000002A0000-0x00000000003E7000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1672-73-0x00000000002A0000-0x00000000003E7000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1672-74-0x00000000002A0000-0x00000000003E7000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1672-72-0x00000000002A0000-0x00000000003E7000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1672-67-0x00000000002A0000-0x00000000003E7000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1672-80-0x00000000002A0000-0x00000000003E7000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1672-70-0x00000000002A0000-0x00000000003E7000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1672-79-0x00000000002A0000-0x00000000003E7000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1672-77-0x00000000002A0000-0x00000000003E7000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1672-69-0x00000000002A0000-0x00000000003E7000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1672-68-0x00000000002A0000-0x00000000003E7000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1672-76-0x00000000002A0000-0x00000000003E7000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1672-75-0x00000000002A0000-0x00000000003E7000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1672-64-0x00000000002A0000-0x00000000003E7000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1672-65-0x00000000002A0000-0x00000000003E7000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1672-66-0x00000000002A0000-0x00000000003E7000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2228-11-0x0000000000440000-0x000000000051A000-memory.dmp
        Filesize

        872KB

        Download
      • memory/2228-2-0x0000000000400000-0x000000000043C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/2228-12-0x0000000000440000-0x000000000051A000-memory.dmp
        Filesize

        872KB

        Download
      • memory/2228-6-0x0000000000440000-0x000000000051A000-memory.dmp
        Filesize

        872KB

        Download
      • memory/2228-7-0x0000000000440000-0x000000000051A000-memory.dmp
        Filesize

        872KB

        Download
      • memory/2228-8-0x0000000000440000-0x000000000051A000-memory.dmp
        Filesize

        872KB

        Download
      • memory/2228-9-0x0000000000440000-0x000000000051A000-memory.dmp
        Filesize

        872KB

        Download
      • memory/2228-10-0x0000000000440000-0x000000000051A000-memory.dmp
        Filesize

        872KB

        Download
      • memory/2228-4-0x0000000000400000-0x000000000043C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/2228-5-0x0000000000400000-0x000000000043C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/2540-21-0x0000000002810000-0x0000000004810000-memory.dmp
        Filesize

        32.0MB

        Download
      • memory/2540-22-0x0000000005290000-0x000000000536A000-memory.dmp
        Filesize

        872KB

        Download
      • memory/2540-18-0x0000000005290000-0x000000000536A000-memory.dmp
        Filesize

        872KB

        Download
      • memory/2952-38-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-49-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-50-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-40-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-43-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-44-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-63-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-51-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-45-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-46-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-47-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-52-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-42-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-37-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-36-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-35-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-34-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-33-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-32-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-31-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-30-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-29-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-28-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-27-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-26-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-39-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-24-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-48-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-41-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-25-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-23-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2952-20-0x00000000002E0000-0x0000000000427000-memory.dmp
        Filesize

        1.3MB

        Download