Overview

overview

10

Static

static

7

020f16b063...18.exe

windows7-x64

10

020f16b063...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    20-06-2024 02:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    020f16b063839725abb42290a939694e_JaffaCakes118.exe

  • Size

    80KB

  • MD5

    020f16b063839725abb42290a939694e

  • SHA1

    0c985d986403caeba4923ea0f18b449ca468558e

  • SHA256

    6079ed711139394a38ffe43963f077ea892992786ca62536d7ab6be25fb20b92

  • SHA512

    8eb6501cc6889a409bed197739cebb8d21df9ef997913978a10487d793f4306bda295ef52f123181ea41ede4866875c4d3758b7aa3df2b23cd9994c70417b9e6

  • SSDEEP

    1536:2wRwOV9CjyB5YOJ23+jzI4t3w28HkJXqQiYonfnPK9Tx9nouy8:3Rw8vB5Yrujz93wrwXxi/PITbout

Score
10/10
modiloadertrojanupx

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 17 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\020f16b063839725abb42290a939694e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\020f16b063839725abb42290a939694e_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Windows\SysWOW64\wins\setup\msmgrs.exe
      "C:\Windows\system32\wins\setup\msmgrs.exe"
      2⤵
      • Deletes itself
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe + command.com /c regsvr32 /u /s %WINDIR%/"Downloaded Program Files"/JaguarEditControl.dll
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 /u /s C:\Windows/"Downloaded Program Files"/JaguarEditControl.dll
          4⤵
            PID:2628
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe + command.com /c regsvr32 /u /s %WINDIR%/"Downloaded Program Files"/tebedit.ocx
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2784
          • C:\Windows\SysWOW64\regsvr32.exe
            regsvr32 /u /s C:\Windows/"Downloaded Program Files"/tebedit.ocx
            4⤵
              PID:2112
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe + command.com /c regsvr32 /u /s %WINDIR%/"Downloaded Program Files"/JaguarEdit4ISB.dll
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2800
            • C:\Windows\SysWOW64\regsvr32.exe
              regsvr32 /u /s C:\Windows/"Downloaded Program Files"/JaguarEdit4ISB.dll
              4⤵
                PID:2788

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • \Windows\SysWOW64\wins\setup\msmgrs.exe
          Filesize

          80KB

          MD5

          020f16b063839725abb42290a939694e

          SHA1

          0c985d986403caeba4923ea0f18b449ca468558e

          SHA256

          6079ed711139394a38ffe43963f077ea892992786ca62536d7ab6be25fb20b92

          SHA512

          8eb6501cc6889a409bed197739cebb8d21df9ef997913978a10487d793f4306bda295ef52f123181ea41ede4866875c4d3758b7aa3df2b23cd9994c70417b9e6

          Download Submit
        • memory/1720-0-0x0000000000400000-0x0000000000439000-memory.dmp
          Filesize

          228KB

          Download
        • memory/1720-10-0x0000000000400000-0x0000000000439000-memory.dmp
          Filesize

          228KB

          Download
        • memory/2832-18-0x0000000000400000-0x0000000000439000-memory.dmp
          Filesize

          228KB

          Download
        • memory/2832-20-0x0000000000400000-0x0000000000439000-memory.dmp
          Filesize

          228KB

          Download
        • memory/2832-15-0x0000000000400000-0x0000000000439000-memory.dmp
          Filesize

          228KB

          Download
        • memory/2832-16-0x0000000000400000-0x0000000000439000-memory.dmp
          Filesize

          228KB

          Download
        • memory/2832-17-0x0000000000400000-0x0000000000439000-memory.dmp
          Filesize

          228KB

          Download
        • memory/2832-12-0x0000000000400000-0x0000000000439000-memory.dmp
          Filesize

          228KB

          Download
        • memory/2832-19-0x0000000000400000-0x0000000000439000-memory.dmp
          Filesize

          228KB

          Download
        • memory/2832-14-0x0000000000400000-0x0000000000439000-memory.dmp
          Filesize

          228KB

          Download
        • memory/2832-21-0x0000000000400000-0x0000000000439000-memory.dmp
          Filesize

          228KB

          Download
        • memory/2832-22-0x0000000000400000-0x0000000000439000-memory.dmp
          Filesize

          228KB

          Download
        • memory/2832-23-0x0000000000400000-0x0000000000439000-memory.dmp
          Filesize

          228KB

          Download
        • memory/2832-24-0x0000000000400000-0x0000000000439000-memory.dmp
          Filesize

          228KB

          Download
        • memory/2832-25-0x0000000000400000-0x0000000000439000-memory.dmp
          Filesize

          228KB

          Download
        • memory/2832-26-0x0000000000400000-0x0000000000439000-memory.dmp
          Filesize

          228KB

          Download
        • memory/2832-27-0x0000000000400000-0x0000000000439000-memory.dmp
          Filesize

          228KB

          Download
        • memory/2832-28-0x0000000000400000-0x0000000000439000-memory.dmp
          Filesize

          228KB

          Download