Overview

overview

10

Static

static

3

bc15a3d99e...18.exe

windows7-x64

10

bc15a3d99e...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    18-06-2024 13:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc15a3d99e38ae394eb2a5e71ae45829_JaffaCakes118.exe

  • Size

    265KB

  • MD5

    bc15a3d99e38ae394eb2a5e71ae45829

  • SHA1

    1f056bc37b3ee76987931229401a898a1ab95453

  • SHA256

    83aa4fc19d2d632129b49ed54955cc263e7c9bc54f232e8717e79596248cda90

  • SHA512

    d7e890e88b624292c48c1d6b9eb5cbdb7bc265625f27e5fb9a44c2e88327baf10684c55759b934dfe6837617606734009c78ec983e5b5283015e6cb0f46f70aa

  • SSDEEP

    6144:lz4AXgn5zdXBWEtc3+gy0nps2hFRedE56Eit7Ike9zPX:B4Cgn5D1c3Y0hF8dHnt7Ij9zPX

Score
10/10
modiloaderevasionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
    evasion
  • ModiLoader Second Stage 58 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc15a3d99e38ae394eb2a5e71ae45829_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bc15a3d99e38ae394eb2a5e71ae45829_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Users\Admin\AppData\Local\Temp\bc15a3d99e38ae394eb2a5e71ae45829_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\bc15a3d99e38ae394eb2a5e71ae45829_JaffaCakes118.exe"
      2⤵
        PID:1876
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" javascript:octoJzs83="LNT";f7E=new%20ActiveXObject("WScript.Shell");w3ReXg2kkX="TihmQir";JZg5I=f7E.RegRead("HKLM\\software\\Wow6432Node\\WpMlzBbWbQ\\xJ3QcN");B0hctU1uRv="cDq";eval(JZg5I);v8FauDQh1="CJN";
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:gxtyc
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe
          3⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VirtualBox drivers on disk
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Deletes itself
          • Drops startup file
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2704
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\SysWOW64\regsvr32.exe"
            4⤵
              PID:1860

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Virtualization/Sandbox Evasion

      3
      T1497

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Software Discovery

      1
      T1518

      Query Registry

      4
      T1012

      Virtualization/Sandbox Evasion

      3
      T1497

      File and Directory Discovery

      1
      T1083

      System Information Discovery

      3
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\43e4\8d79.6f350
        Filesize

        28KB

        MD5

        ec074fc0ed016c440701b15a00a1be27

        SHA1

        a50adc17b29672649f159d168346be381bd00d21

        SHA256

        470399d8614f49ba259700daf2b05ed806bb70b7cea0019f86ce4e8bca1ab5d1

        SHA512

        486dc39e66e1e7b7bddcbf9534ece991a37999da02690ccb48b2ec80c9f741aad7209c4a27c7e0f3ed91da1da5d477761fb7883a3262d5dc3edab5c390ebe707

        Download Submit
      • C:\Users\Admin\AppData\Local\43e4\b67d.bat
        Filesize

        55B

        MD5

        27ce144177a8617384899301a2b4330f

        SHA1

        1dead7588f1982006065dc8a25deb05385fbe649

        SHA256

        fa24ed9d8ea201f657bfea7f56fc698a39216eecccdc29fc0a12dc3592badce4

        SHA512

        0724ac2a3c9321241afdaad3fed8923b5748a47fde6319daf4fd320420a0a20e5487c5c1e36bdea009c5e686371fd172832ba92e4e9086f307afb7d8c741608b

        Download Submit
      • C:\Users\Admin\AppData\Local\43e4\fa89.lnk
        Filesize

        857B

        MD5

        a644ea1f5e64ddd4b78d530f65682efc

        SHA1

        e718d645cb561bcf1efef4befe7f599bc81e464c

        SHA256

        fb99bb4e3b47034b80ae9e0d8a339cd34ca538880fd3515e9bcb957ba6b62d53

        SHA512

        d4925beadf2c39a5bad4140a27949d78b39d369f59f00ffdf99e62a2e7ea7becbbfa1794705724d97b2ad7ec17177ddcb725cbf5a53683f43bafd1bbd3ce29fc

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3011.lnk
        Filesize

        975B

        MD5

        8d5bb2b931a7e033cee142b8b13bb0e3

        SHA1

        207008a44b3025dfb99a1bb899dd34ea1738bcbf

        SHA256

        84dd529a018e650b9e92289f2aaeeaf04bf6b439f2cfd6b4ab29b991eff6a162

        SHA512

        5d67ec78cbb5add4e926afa1ab468ca5e3d47e75711319d5fe0813d32027870500eea90ce3c968875db0882318afb44f61a9eae2be9ea907c03bce4bcef27315

        Download Submit
      • C:\Users\Admin\AppData\Roaming\ef44\0b63.6f350
        Filesize

        15KB

        MD5

        2e3f1aa813ba0f98e04d940697ee2382

        SHA1

        c5a6114358b70318632db1c6863df1e00ae1478f

        SHA256

        8949749c9ee47e8f6be75d89da329ed4a741d8540ef9aa6cccda5a5008fa1fcc

        SHA512

        174474285ad7eafb49711eedd1c2e91c36b67932ed5eb60671beab207dd6a73d210c401a8a3e77a9f6c92641f88d08daa303c0e7b42e8340e8efb1d0efa24536

        Download Submit
      • memory/1860-74-0x0000000000260000-0x000000000039E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1860-78-0x0000000000260000-0x000000000039E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1860-68-0x0000000000260000-0x000000000039E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1860-75-0x0000000000260000-0x000000000039E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1860-82-0x0000000000260000-0x000000000039E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1860-81-0x0000000000260000-0x000000000039E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1860-79-0x0000000000260000-0x000000000039E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1860-77-0x0000000000260000-0x000000000039E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1860-76-0x0000000000260000-0x000000000039E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1860-71-0x0000000000260000-0x000000000039E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1860-67-0x0000000000260000-0x000000000039E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1860-80-0x0000000000260000-0x000000000039E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1860-69-0x0000000000260000-0x000000000039E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1860-70-0x0000000000260000-0x000000000039E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1860-72-0x0000000000260000-0x000000000039E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1860-73-0x0000000000260000-0x000000000039E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1876-2-0x0000000000400000-0x0000000000439000-memory.dmp
        Filesize

        228KB

        Download
      • memory/1876-4-0x0000000000400000-0x0000000000439000-memory.dmp
        Filesize

        228KB

        Download
      • memory/1876-5-0x0000000000400000-0x0000000000439000-memory.dmp
        Filesize

        228KB

        Download
      • memory/1876-11-0x0000000000220000-0x00000000002F4000-memory.dmp
        Filesize

        848KB

        Download
      • memory/1876-6-0x0000000000220000-0x00000000002F4000-memory.dmp
        Filesize

        848KB

        Download
      • memory/1876-8-0x0000000000220000-0x00000000002F4000-memory.dmp
        Filesize

        848KB

        Download
      • memory/1876-7-0x0000000000220000-0x00000000002F4000-memory.dmp
        Filesize

        848KB

        Download
      • memory/1876-12-0x0000000000220000-0x00000000002F4000-memory.dmp
        Filesize

        848KB

        Download
      • memory/1876-10-0x0000000000220000-0x00000000002F4000-memory.dmp
        Filesize

        848KB

        Download
      • memory/2704-43-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-33-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-46-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-48-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-50-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-54-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-55-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-53-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-52-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-51-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-49-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-66-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-28-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-29-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-30-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-31-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-32-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-47-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-34-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-35-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-36-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-37-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-38-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-39-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-40-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-41-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-44-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-42-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-27-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-25-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2704-23-0x00000000002A0000-0x00000000003DE000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2804-26-0x00000000061C0000-0x0000000006294000-memory.dmp
        Filesize

        848KB

        Download
      • memory/2804-21-0x00000000061C0000-0x0000000006294000-memory.dmp
        Filesize

        848KB

        Download