Overview

overview

10

Static

static

7

a402961980...18.exe

windows7-x64

10

a402961980...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    140s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    17-08-2024 20:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a4029619805daea284d71968c57d4238_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a4029619805daea284d71968c57d4238

  • SHA1

    af466415b423460d174407f3551427ee94ea2681

  • SHA256

    0ac2117679932dadc5077bbd2b58f3a016ac3f94982c8881ed7c679d42d682be

  • SHA512

    d2551745ee929fff161697dfa0e4d45337fe0500d4dac1b90c1bfc276d3751e45934f719bb3295553e9d9ea404fa168a7b363ce70862b73355831465d8965395

  • SSDEEP

    12288:5/yzUvNrXWV83LyJaQCYzOqbnRScdzkBMCqEEqx:5azUvFGV8byJaTikcdzkBAEEqx

Score
10/10
modiloaderdiscoveryevasionpersistencethemidatrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 7 IoCs
  • Executes dropped EXE 2 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 5 IoCs
  • Themida packer 9 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1216
      • C:\Users\Admin\AppData\Local\Temp\a4029619805daea284d71968c57d4238_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\a4029619805daea284d71968c57d4238_JaffaCakes118.exe"
        2⤵
        • Identifies Wine through registry keys
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2452
        • C:\Users\Admin\AppData\Local\Temp\a4029619805daea284d71968c57d4238_JaffaCakes118.exe
          C:\Users\Admin\AppData\Local\Temp\a4029619805daea284d71968c57d4238_JaffaCakes118.exe
          3⤵
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2476
          • C:\Windows\WINDOWS\mosadl.exe
            C:\Windows\WINDOWS\mosadl.exe
            4⤵
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3000
            • C:\Windows\WINDOWS\mosadl.exe
              C:\Windows\WINDOWS\mosadl.exe
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2700
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe"
                6⤵
                  PID:2040

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \Windows\WINDOWS\mosad.sys
        Filesize

        218KB

        MD5

        5d773451e0b04bd7659fdbf108ac34b5

        SHA1

        c080416fdb6eaea04493dac800e4f51fe1d95fd2

        SHA256

        c21529e8652e53e861c5a587582f3d9bc1dff12161ee926e3541d6b7b836edbe

        SHA512

        5a4837a5c6a88f79ef37c20fbcd230d6ae9dab2ce152197bee5286b65572a282813cc40d92a8f5164134a1baa33d32d23004cb1a1ef511ac3b9666470b877b89

        Download Submit

      • \Windows\WINDOWS\mosadl.exe
        Filesize

        512KB

        MD5

        a4029619805daea284d71968c57d4238

        SHA1

        af466415b423460d174407f3551427ee94ea2681

        SHA256

        0ac2117679932dadc5077bbd2b58f3a016ac3f94982c8881ed7c679d42d682be

        SHA512

        d2551745ee929fff161697dfa0e4d45337fe0500d4dac1b90c1bfc276d3751e45934f719bb3295553e9d9ea404fa168a7b363ce70862b73355831465d8965395

        Download Submit

      • memory/2452-2-0x0000000000520000-0x0000000000521000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2452-1-0x0000000020001000-0x0000000020003000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2452-10-0x0000000020000000-0x0000000020116000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2452-0-0x0000000020000000-0x0000000020116000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2452-17-0x0000000020000000-0x0000000020116000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2452-16-0x0000000020000000-0x0000000020116000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2476-18-0x0000000013140000-0x0000000013188000-memory.dmp

        Filesize

        288KB

        Download

      • memory/2476-32-0x0000000002030000-0x0000000002146000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2476-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2476-14-0x0000000013140000-0x0000000013188000-memory.dmp

        Filesize

        288KB

        Download

      • memory/2476-19-0x0000000013140000-0x0000000013188000-memory.dmp

        Filesize

        288KB

        Download

      • memory/2476-20-0x0000000020000000-0x0000000020116000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2476-11-0x0000000013140000-0x0000000013188000-memory.dmp

        Filesize

        288KB

        Download

      • memory/2700-61-0x0000000002A50000-0x0000000002AA6000-memory.dmp

        Filesize

        344KB

        Download

      • memory/2700-58-0x0000000002A50000-0x0000000002A60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2700-63-0x0000000002A50000-0x0000000002AA6000-memory.dmp

        Filesize

        344KB

        Download

      • memory/2700-64-0x0000000002A50000-0x0000000002A60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2700-66-0x0000000002A50000-0x0000000002AA6000-memory.dmp

        Filesize

        344KB

        Download

      • memory/3000-51-0x0000000020000000-0x0000000020116000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3000-52-0x0000000020000000-0x0000000020116000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3000-44-0x0000000020000000-0x0000000020116000-memory.dmp

        Filesize

        1.1MB

        Download