Overview

overview

10

Static

static

10

0110f4501a...18.exe

windows7-x64

10

0110f4501a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    19-06-2024 23:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe

  • Size

    739KB

  • MD5

    0110f4501ad87e14e01626f24a28358c

  • SHA1

    fe170c9aa972201cfac09083998e69de52f2a208

  • SHA256

    c904070b30dfb20429637044e4dbfd0d1330094934552847fa79fb16122eda7f

  • SHA512

    e29b63c4379217cf40491d194fee85e962a0ab36e9ad604c32a1a05c2fbc41b0ef827dbf5d6a9578836e19ac20ecfc9efff40087db5b4565f2e876bab4739c8f

  • SSDEEP

    12288:bPLu4uxlc+OgHdJ4b+Mrc6vu50rtHPGg43r4dm/PKGPwtvRnnTxsMxD:bPi1usJ4CMrnu5Kug4bowGtZnTxskD

Score
10/10
modiloadertrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 5 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
      "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Windows\SysWOW64\calc.exe
        "C:\Windows\system32\calc.exe"
        3⤵
          PID:2704
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 280
          3⤵
          • Loads dropped DLL
          • Program crash
          PID:2768
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\DeletSev.bat""
        2⤵
        • Deletes itself
        PID:2940

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Replication Through Removable Media

    1
    T1091

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Replication Through Removable Media

    1
    T1091

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Common Files\Microsoft Shared\MSInfo\DeletSev.bat
      Filesize

      212B

      MD5

      d6f59ed1b70d3e10dbd4d65ae19a4fcb

      SHA1

      c3fae3d8d2b122bcb5adb0ae0b9e711283c9870c

      SHA256

      dd65d82e424df12587bfc274eb6863b1510a2b25707f7fd514aad83c6972fb40

      SHA512

      76f978809ae4738b65ed4786b3fa36ae08e6a1e323c5b1718ae9265e652bb24afa26af804cfd9611f4e88340c7fe72abce89a8ad715930532e1fc869a48392f3

      Download Submit
    • F:\rejoice101.exe
      Filesize

      739KB

      MD5

      0110f4501ad87e14e01626f24a28358c

      SHA1

      fe170c9aa972201cfac09083998e69de52f2a208

      SHA256

      c904070b30dfb20429637044e4dbfd0d1330094934552847fa79fb16122eda7f

      SHA512

      e29b63c4379217cf40491d194fee85e962a0ab36e9ad604c32a1a05c2fbc41b0ef827dbf5d6a9578836e19ac20ecfc9efff40087db5b4565f2e876bab4739c8f

      Download Submit
    • memory/1840-0-0x00000000002E0000-0x00000000002E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1840-31-0x0000000000400000-0x00000000004C0000-memory.dmp
      Filesize

      768KB

      Download
    • memory/1840-35-0x00000000002E0000-0x00000000002E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1840-43-0x0000000000400000-0x00000000004C0000-memory.dmp
      Filesize

      768KB

      Download
    • memory/2704-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2704-26-0x0000000000400000-0x00000000004C0000-memory.dmp
      Filesize

      768KB

      Download
    • memory/2704-24-0x0000000000400000-0x00000000004C0000-memory.dmp
      Filesize

      768KB

      Download
    • memory/3012-21-0x0000000000260000-0x0000000000261000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3012-32-0x0000000000400000-0x00000000004C0000-memory.dmp
      Filesize

      768KB

      Download