Overview

overview

10

Static

static

10

0110f4501a...18.exe

windows7-x64

10

0110f4501a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-06-2024 23:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe

  • Size

    739KB

  • MD5

    0110f4501ad87e14e01626f24a28358c

  • SHA1

    fe170c9aa972201cfac09083998e69de52f2a208

  • SHA256

    c904070b30dfb20429637044e4dbfd0d1330094934552847fa79fb16122eda7f

  • SHA512

    e29b63c4379217cf40491d194fee85e962a0ab36e9ad604c32a1a05c2fbc41b0ef827dbf5d6a9578836e19ac20ecfc9efff40087db5b4565f2e876bab4739c8f

  • SSDEEP

    12288:bPLu4uxlc+OgHdJ4b+Mrc6vu50rtHPGg43r4dm/PKGPwtvRnnTxsMxD:bPi1usJ4CMrnu5Kug4bowGtZnTxskD

Score
10/10
modiloadertrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0110f4501ad87e14e01626f24a28358c_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4972
    • C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
      "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:852
      • C:\Windows\SysWOW64\calc.exe
        "C:\Windows\system32\calc.exe"
        3⤵
          PID:4376
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 12
            4⤵
            • Program crash
            PID:936
        • C:\program files\internet explorer\IEXPLORE.EXE
          "C:\program files\internet explorer\IEXPLORE.EXE"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4112
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4112 CREDAT:17410 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4628
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\DeletSev.bat""
        2⤵
          PID:2104
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4376 -ip 4376
        1⤵
          PID:2720
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4208,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=3948 /prefetch:8
          1⤵
            PID:4944

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Replication Through Removable Media

          1
          T1091

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          Peripheral Device Discovery

          1
          T1120

          System Information Discovery

          1
          T1082

          Lateral Movement

          Replication Through Removable Media

          1
          T1091

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\Common Files\Microsoft Shared\MSINFO\DeletSev.bat
            Filesize

            212B

            MD5

            d6f59ed1b70d3e10dbd4d65ae19a4fcb

            SHA1

            c3fae3d8d2b122bcb5adb0ae0b9e711283c9870c

            SHA256

            dd65d82e424df12587bfc274eb6863b1510a2b25707f7fd514aad83c6972fb40

            SHA512

            76f978809ae4738b65ed4786b3fa36ae08e6a1e323c5b1718ae9265e652bb24afa26af804cfd9611f4e88340c7fe72abce89a8ad715930532e1fc869a48392f3

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QZRYTBAT\suggestions[1].en-US
            Filesize

            17KB

            MD5

            5a34cb996293fde2cb7a4ac89587393a

            SHA1

            3c96c993500690d1a77873cd62bc639b3a10653f

            SHA256

            c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

            SHA512

            e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

            Download Submit
          • F:\rejoice101.exe
            Filesize

            739KB

            MD5

            0110f4501ad87e14e01626f24a28358c

            SHA1

            fe170c9aa972201cfac09083998e69de52f2a208

            SHA256

            c904070b30dfb20429637044e4dbfd0d1330094934552847fa79fb16122eda7f

            SHA512

            e29b63c4379217cf40491d194fee85e962a0ab36e9ad604c32a1a05c2fbc41b0ef827dbf5d6a9578836e19ac20ecfc9efff40087db5b4565f2e876bab4739c8f

            Download Submit
          • memory/852-16-0x0000000002130000-0x0000000002131000-memory.dmp
            Filesize

            4KB

            Download
          • memory/852-22-0x0000000000400000-0x00000000004C0000-memory.dmp
            Filesize

            768KB

            Download
          • memory/4112-19-0x0000000000D00000-0x0000000000DC0000-memory.dmp
            Filesize

            768KB

            Download
          • memory/4376-17-0x0000000000400000-0x00000000004C0000-memory.dmp
            Filesize

            768KB

            Download
          • memory/4972-0-0x0000000002110000-0x0000000002111000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4972-23-0x0000000000400000-0x00000000004C0000-memory.dmp
            Filesize

            768KB

            Download