Overview

overview

10

Static

static

3

cecff36c1c...18.exe

windows7-x64

10

cecff36c1c...18.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    131s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06/09/2024, 05:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cecff36c1ce1c5204617f27b9f6207fd_JaffaCakes118.exe

  • Size

    541KB

  • MD5

    cecff36c1ce1c5204617f27b9f6207fd

  • SHA1

    eedbbd2c11bec294daaf5314ce19e25c15b404f0

  • SHA256

    020e562d225d0ebc97171e5fefc7a86ee01c2a1a5f5090fa00e49c5e65ab8f1a

  • SHA512

    139daf99a16bb87b2f84feb9d70ab76b68fa5220beb067732ecfcc1034f37cf466817083ac8d9cf6abca77ae69e326122683ceb2b01674e49514a64670d3a3da

  • SSDEEP

    12288:WH3hTUjHVfmbTt7GI3YDIfY5owVMnyn2CkeXN0sR/etsdyKEp:WXGrVeSyYCHnyTkeXWsVe8k

Score
10/10
modiloaderdefense_evasiondiscoverypersistencetrojanupx

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 7 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cecff36c1ce1c5204617f27b9f6207fd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cecff36c1ce1c5204617f27b9f6207fd_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Users\Admin\AppData\Local\Temp\Å©ÃñQQÃܱ£´óµÁ.exe
      "C:\Users\Admin\AppData\Local\Temp\Å©ÃñQQÃܱ£´óµÁ.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2272
    • C:\Users\Admin\AppData\Local\Temp\12.04.exe
      "C:\Users\Admin\AppData\Local\Temp\12.04.exe"
      2⤵
      • Server Software Component: Terminal Services DLL
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del "C:\Users\Admin\AppData\Local\Temp\12.04.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2948
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k network
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:3024

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\12.04.exe
    Filesize

    176KB

    MD5

    75542d8676e3afb9efde7234763e7f6c

    SHA1

    c14a551a3109ea068e17631df1575e5a93290f31

    SHA256

    b3dfc5a951f84abb59e140c2d8aba60ef9bb3e3546083c1aa1d2aa6850580726

    SHA512

    5154e191521d7341dca76241617aa31ca1c2fc2cabe26aad425888047b783ca6b717dba51c20fdbf3d33f1422e7db1f31d7caa0db11e15fbac71d60ef6f75fee

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Å©ÃñQQÃܱ£´óµÁ.exe
    Filesize

    874KB

    MD5

    02b5e217cb894eb9109ed525b3e4a877

    SHA1

    6a77e5468a5d08afe81714f02fd23b8386c018c5

    SHA256

    7c67d0fba4cd364b77ff90bebf967c7ff4f135d47c2531351b99b2edf6a37da3

    SHA512

    9e512d0be8c0c90e36adf95d72e36f4afa94b40e946d1e7bc03febd87ef9c5a9e5573431c5f1cf64a031ea940ed1c582711783d1aa13c4331beee18276dcd043

    Download Submit

  • \Windows\SysWOW64\swqs.dll
    Filesize

    143KB

    MD5

    8a856ee6f30ac3bf78c55822deeb209e

    SHA1

    fdd361c569c9413412962d30e0f4d83ea9e4e711

    SHA256

    eaba8df4ea507410b550aceaab707eea7bb5d2ad7dc10dc14b73db54bd28aba2

    SHA512

    8e71a77cc0d9fef92dff2863c39d095284a216ea27ffdab5a917e5a8942be1127a57c0903334cb56c3462c7d7b3cff9af4234504f4893dc62e37d48a722a923a

    Download Submit

  • memory/1120-0-0x0000000000400000-0x0000000000599000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1120-20-0x0000000000400000-0x0000000000599000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2272-31-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2272-21-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2272-32-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

    Download

  • memory/2840-28-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3024-29-0x00000000002E0000-0x0000000000345000-memory.dmp

    Filesize

    404KB

    Download

  • memory/3024-33-0x00000000002E0000-0x0000000000345000-memory.dmp

    Filesize

    404KB

    Download

  • memory/3024-37-0x00000000002E0000-0x0000000000345000-memory.dmp

    Filesize

    404KB

    Download

  • memory/3024-41-0x00000000002E0000-0x0000000000345000-memory.dmp

    Filesize

    404KB

    Download

  • memory/3024-45-0x00000000002E0000-0x0000000000345000-memory.dmp

    Filesize

    404KB

    Download

  • memory/3024-49-0x00000000002E0000-0x0000000000345000-memory.dmp

    Filesize

    404KB

    Download

  • memory/3024-53-0x00000000002E0000-0x0000000000345000-memory.dmp

    Filesize

    404KB

    Download

  • memory/3024-57-0x00000000002E0000-0x0000000000345000-memory.dmp

    Filesize

    404KB

    Download