Overview

overview

10

Static

static

3

02738410c4...18.exe

windows7-x64

10

02738410c4...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    51s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-06-2024 03:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe

  • Size

    171KB

  • MD5

    02738410c473a8b778eb4581c64ead77

  • SHA1

    7f98caffd32f44b496509073439402dc3118db63

  • SHA256

    ba47864634c9c8fc246aa68f1d4474f6e0da31530ed61de9599f0730ed778d5a

  • SHA512

    c95c8ffd75806cbed7f04e8ccfa11d88c1a87402a2dcf501b6beb6aba0fb5e72edc524d81db4a1e5ce41b2d388842b43221a8baf51b2d9b4ecaeb85daed5ca0c

  • SSDEEP

    3072:AKl+dV9Nn9b6OwF4428+Fsk0pqY6niulKL4eA4bjp6/UHkgJa:lsV9pt6OwFvPMskNniukjIUHRJa

Score
10/10
modiloadertrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 1 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 6 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Users\Admin\AppData\Local\Temp\02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\02738410c473a8b778eb4581c64ead77_JaffaCakes118.exe
      2⤵
        PID:1104

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\PCGWIN32.LI5
      Filesize

      2KB

      MD5

      acf5b207bf53601aad9c1b5e6cb95e06

      SHA1

      d196453bb4094fbd8649326aea7a53b996a671fb

      SHA256

      05101625250ed504cc635d08c848791871d0df6d601a1682abcbef0bb40d5246

      SHA512

      f2961385e82c658954906908fe4f9b3a34c71dbac818b7e49fbf90c7a3b84f1301cd877f597914691db2caaeda7e02324a98b1f52eac2548e7d76bb0e066fa0b

      Download Submit

    • memory/1104-14-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1104-20-0x0000000010000000-0x000000001002D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1104-17-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2520-3-0x0000000010000000-0x000000001002D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2520-2-0x0000000010009000-0x000000001002D000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2520-1-0x0000000010000000-0x000000001002D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2520-19-0x0000000010009000-0x000000001002D000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2520-18-0x0000000010000000-0x000000001002D000-memory.dmp

      Filesize

      180KB

      Download