Overview

overview

10

Static

static

3

63395baef9...18.exe

windows7-x64

10

63395baef9...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    22-07-2024 12:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63395baef991d1aa3dd47c6854421bd5_JaffaCakes118.exe

  • Size

    80KB

  • MD5

    63395baef991d1aa3dd47c6854421bd5

  • SHA1

    e9145a4398587c1cefe0204be495b0fb82815d74

  • SHA256

    065fb4d44a2056cc198b2098f94e307c05d78bb88940afaf22108b7a41c194ac

  • SHA512

    bc0ac8367bf08aaaea45155fe2c6e9cb927202bbb3d63e1e0c467e2e05bee16bf49659ba44e9b355ba85e0768ff019c2b9cb3b6732a0ec4fa15c669cb6ea1a4e

  • SSDEEP

    1536:5wRwO4AXSz2ALVuJtOUi4SVSnLto+PfiFpgmMXQs5vCxDEG5inouy8J:SRw1BKTxi4K+PyC5CxwoutJ

Score
10/10
modiloadertrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 16 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63395baef991d1aa3dd47c6854421bd5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\63395baef991d1aa3dd47c6854421bd5_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Windows\SysWOW64\wins\setup\msmgrs.exe
      "C:\Windows\system32\wins\setup\msmgrs.exe"
      2⤵
      • Deletes itself
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe + command.com /c regsvr32 /u /s %WINDIR%/"Downloaded Program Files"/JaguarEditControl.dll
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2244
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 /u /s C:\Windows/"Downloaded Program Files"/JaguarEditControl.dll
          4⤵
            PID:2224
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe + command.com /c regsvr32 /u /s %WINDIR%/"Downloaded Program Files"/tebedit.ocx
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2216
          • C:\Windows\SysWOW64\regsvr32.exe
            regsvr32 /u /s C:\Windows/"Downloaded Program Files"/tebedit.ocx
            4⤵
              PID:2436

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \Windows\SysWOW64\wins\setup\msmgrs.exe
        Filesize

        80KB

        MD5

        63395baef991d1aa3dd47c6854421bd5

        SHA1

        e9145a4398587c1cefe0204be495b0fb82815d74

        SHA256

        065fb4d44a2056cc198b2098f94e307c05d78bb88940afaf22108b7a41c194ac

        SHA512

        bc0ac8367bf08aaaea45155fe2c6e9cb927202bbb3d63e1e0c467e2e05bee16bf49659ba44e9b355ba85e0768ff019c2b9cb3b6732a0ec4fa15c669cb6ea1a4e

        Download Submit

      • memory/2320-20-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/2320-29-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/2320-19-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/2320-13-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/2320-15-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/2320-16-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/2320-17-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/2320-18-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/2320-28-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/2320-27-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/2320-22-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/2320-21-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/2320-23-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/2320-24-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/2320-25-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/2320-26-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/2352-8-0x0000000002F00000-0x0000000002F39000-memory.dmp

        Filesize

        228KB

        Download

      • memory/2352-12-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/2352-0-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download