Overview

overview

10

Static

static

3

a68892873d...18.exe

windows7-x64

10

a68892873d...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    13-06-2024 16:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a68892873dcc694001962a99a70e1f9c_JaffaCakes118.exe

  • Size

    260KB

  • MD5

    a68892873dcc694001962a99a70e1f9c

  • SHA1

    70cc033a58061dd599a26597c6adf57aab8c6ee2

  • SHA256

    fadb7462c069b5da5e9bea226c7dbd31030a314d3920884f82e7796907e33586

  • SHA512

    1eabbce80ef1a99cdfd0ac1fb811bb51c8c0862c41268543ac86cd892fc170ce926040dc1c1e3626d52cf69267d73efa0b6cf9368b69e2a57192df61151fc21c

  • SSDEEP

    6144:1bs94nYY+uUMFemOFu3Ksm2Yn+EE9j+ivEyPYxJQeN:uSnYPweZnl+EER+iv6IeN

Score
10/10
modiloaderevasionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
    evasion
  • ModiLoader Second Stage 59 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a68892873dcc694001962a99a70e1f9c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a68892873dcc694001962a99a70e1f9c_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:492
    • C:\Users\Admin\AppData\Local\Temp\a68892873dcc694001962a99a70e1f9c_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\a68892873dcc694001962a99a70e1f9c_JaffaCakes118.exe"
      2⤵
        PID:2468
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" javascript:Vq0pTu="5fR7UXgu";c4f=new%20ActiveXObject("WScript.Shell");f6eqh="YnYD3vV";hAVD4=c4f.RegRead("HKLM\\software\\Wow6432Node\\oZroWN\\C1Q4vR");Vahc06zY="TdZCjd";eval(hAVD4);Sd5EO="Nbb";
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:fqpxxf
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe
          3⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VirtualBox drivers on disk
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Deletes itself
          • Drops startup file
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2196
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\SysWOW64\regsvr32.exe"
            4⤵
              PID:1980

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Virtualization/Sandbox Evasion

      3
      T1497

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Software Discovery

      1
      T1518

      Query Registry

      4
      T1012

      Virtualization/Sandbox Evasion

      3
      T1497

      File and Directory Discovery

      1
      T1083

      System Information Discovery

      3
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\7358d4\2d9c5e.1879f4f
        Filesize

        46KB

        MD5

        214204ebae414ad05db1be2c78b50117

        SHA1

        12e622303de994171ce60755d5a82e21677e17c7

        SHA256

        a2016673cae5c1e16850bd13fe0003e4ca4b8c1df3527beda268b5f5deaed279

        SHA512

        c50da5fb93b86e3350792a4b2716f2f03ab21b73c9aa473dde9f621ecaf518b241a9328cef506b7d7f3aa4e86501b720f1b9b6709632279477b9d759afe47f39

        Download Submit
      • C:\Users\Admin\AppData\Local\7358d4\6d45a7.bat
        Filesize

        61B

        MD5

        14adc766d85da95cd0990ed6bcc1524d

        SHA1

        e3c8f83a8fbfea658c9139d3e670d609745fb848

        SHA256

        0245cf83462c2d8f2453beb1094af0133caee498c1ab5147ee361cb8a449c1c4

        SHA512

        b4172624d668b6c1e7519cca9cbb53645ecc8b9aa1e4908801fd81983b092ed7ad26e3e29047ff5dc4e7744ee9f08dc61765133fa5957926cb4518127f4b60b8

        Download Submit
      • C:\Users\Admin\AppData\Local\7358d4\e5ae70.lnk
        Filesize

        877B

        MD5

        b3859c362eeae6d0e0903a9680a0173f

        SHA1

        615b7428f419f2b2dc4006c38e46159385efa0be

        SHA256

        8de08913c4efdfe4900751d5d89a201df00a87bd6b3d5ae91e0bec1b19a700e5

        SHA512

        fc12412348031f48aee7d41012d62db22f65b0f10b5f46622ce5bc70b667f5e9ce96de83545e1408364b34f5689a2bbb92f2e0cc45c6f2a0fc1bd8b9fef499b6

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\94d0f9.lnk
        Filesize

        987B

        MD5

        d868b60cd3bfb4f3bf5764538ae9b902

        SHA1

        16270640f0382c717135b5bb4967a80061819466

        SHA256

        8c227c4ae42f1d27e7824050ffee39981dec5d423f9fc996649a6769f18c077c

        SHA512

        cbad4392e9556074cb6c1584a1cd81a2aa7e7d4ca087923e3772486ec7439c062d787614606f62f4a5588ef03c830fb302a6a9c638965b3bd02af81cdf8aa37b

        Download Submit
      • C:\Users\Admin\AppData\Roaming\e53183\8858ab.1879f4f
        Filesize

        31KB

        MD5

        060941145511428fec974c0d0c521645

        SHA1

        eebf4b16cc931ab03a44457c734db6fc36eb18a0

        SHA256

        4f3494c844f35cbf915ae95870c2ce459961616c8c3d54ca7492de40cfd35c4d

        SHA512

        ae2e6f9ba0d3fb570f5d4c26753699e9e0d388099081e41de93b698329ac15b027418987add4ea5478cb177480d7861f48202e4ef0c3dc1867a02bb60fd96a01

        Download Submit
      • memory/1980-71-0x0000000000170000-0x00000000002B1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1980-67-0x0000000000170000-0x00000000002B1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1980-68-0x0000000000170000-0x00000000002B1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1980-69-0x0000000000170000-0x00000000002B1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1980-70-0x0000000000170000-0x00000000002B1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1980-73-0x0000000000170000-0x00000000002B1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1980-72-0x0000000000170000-0x00000000002B1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1980-74-0x0000000000170000-0x00000000002B1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1980-75-0x0000000000170000-0x00000000002B1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1980-76-0x0000000000170000-0x00000000002B1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1980-77-0x0000000000170000-0x00000000002B1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1980-78-0x0000000000170000-0x00000000002B1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1980-79-0x0000000000170000-0x00000000002B1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1980-80-0x0000000000170000-0x00000000002B1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1980-81-0x0000000000170000-0x00000000002B1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1980-82-0x0000000000170000-0x00000000002B1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-49-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-24-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-57-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-56-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-45-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-44-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-43-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-42-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-40-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-39-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-38-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-60-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-66-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-59-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-54-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-46-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-27-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-47-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-48-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-41-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-28-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-58-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-23-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-29-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-30-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-31-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-32-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-37-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-36-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-35-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-34-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2196-33-0x00000000001C0000-0x0000000000301000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2468-7-0x0000000001E10000-0x0000000001EE6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2468-11-0x0000000001E10000-0x0000000001EE6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2468-12-0x0000000001E10000-0x0000000001EE6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2468-2-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/2468-8-0x0000000001E10000-0x0000000001EE6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2468-9-0x0000000001E10000-0x0000000001EE6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2468-6-0x0000000001E10000-0x0000000001EE6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2468-5-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/2468-4-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/2660-21-0x0000000006140000-0x0000000006216000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2660-26-0x0000000006140000-0x0000000006216000-memory.dmp
        Filesize

        856KB

        Download