Overview

overview

10

Static

static

10

d8b2b31d90...18.exe

windows7-x64

10

d8b2b31d90...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/09/2024, 17:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d8b2b31d90878886e6232e3ac7467463_JaffaCakes118.exe

  • Size

    225KB

  • MD5

    d8b2b31d90878886e6232e3ac7467463

  • SHA1

    7e022e207919095a4c69ac3c9dad24d545d27324

  • SHA256

    fa069b96011c6bcad03b421e86a71acd6f9b53aa4295913844496595b8746f06

  • SHA512

    2509ccc42409eace6aa53f3106a2c4601f1cc2ced40c00884b4ea7ba059d87c03088e148934bc90d5d9127180a75c68e41a4c054575150bc46860e9bb3ba21d3

  • SSDEEP

    3072:z8w8p1HxX43fAMVz0kUnIbOkKjIIKCpnhbNwIQZ3/nuGK/aUjxLOASEKB/X98Lie:sH583YIblK0EphBwIM8iU9LTSpa9Q+

Score
10/10
modiloadercollectiondiscoverytrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 7 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8b2b31d90878886e6232e3ac7467463_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d8b2b31d90878886e6232e3ac7467463_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3900
    • C:\Windows\fin32.exe
      "C:\Windows\fin32.exe" /stext hms.atr
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4192
      • C:\Windows\fin32.exe
        C:\Windows\fin32.exe /stext hms.atr
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook accounts
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:1440
    • C:\Windows\ykl32.exe
      "C:\Windows\ykl32.exe" /stext gls.fdn
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\ykl32.exe
        C:\Windows\ykl32.exe /stext gls.fdn
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2536
    • C:\Windows\amr32.exe
      "C:\Windows\amr32.exe" /stext hrk.klo
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5080
      • C:\Windows\amr32.exe
        C:\Windows\amr32.exe /stext hrk.klo
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4252

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\amr32.exe
    Filesize

    60KB

    MD5

    09793a96834bba80e5307d50066fb636

    SHA1

    35b9797316296164dd2618cef0a7ee6edd23c6bd

    SHA256

    3a5e64ed092b820f481142075cbd80bd5ba96d8a278e2f16a6bf92d24e367326

    SHA512

    545549ac7118ca0d3f380195cc7d89a97462c29681e4aae3f6fcf983b2a7ee73eb407dbcfd9172002b4867a58106a0a64782ed9e10209547c919d846ccfec84e

    Download Submit

  • C:\Windows\fin32.exe
    Filesize

    79KB

    MD5

    efe70bd51a7fed491682e85c90e30b30

    SHA1

    66115bb1a4d66d837c297a38d9044e224afaa299

    SHA256

    4e01f5dbf42ecb032eb504d2794a885737277ef1923e16efcf4b53d2341b1e9d

    SHA512

    bd2de445d5c05c2e27b78637f6984de00783699719b0828b61a87d7c23e5bc80f6973cddd8044f5670361dbf3a7a58a1955692da62159ae5887cd4d6256d19e9

    Download Submit

  • C:\Windows\hrk.klo
    Filesize

    311B

    MD5

    e7a5878324d5166ce00849ae3071eb16

    SHA1

    8ea1009925c690589669cf5ba68cbe95e2583a15

    SHA256

    49c40850caac0165871e096b2a6978f081133f8966b072f8bfbeaa46ff40be87

    SHA512

    03fb2809308976aa64fba340395b100c52c4de8504933685f977fc76594bb19707f8986f6f199d7412e462c14691637e063200ee014ff4d822af73d944a534ba

    Download Submit

  • C:\Windows\ykl32.exe
    Filesize

    40KB

    MD5

    96271ba60755e81edb0e6f8de6d0053d

    SHA1

    5edaf9d88f3baf906d289cb79d71ad2d59baa3ce

    SHA256

    9780234cec2bfc02250aeaf9067085659ff5bd406219b315884eec92c3a5ab55

    SHA512

    7ba966e9d2b5cb7846f35d1f4c40b323d4c89afd756e657bee0a20c05305818a5e79a64feee7b4c1e14dfee14821548b0837f5ef8fb85ba8c7649e442e5948f1

    Download Submit

  • memory/1440-8-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1440-14-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1440-13-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1440-12-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2536-26-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2536-27-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2536-23-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2876-28-0x0000000010000000-0x0000000010011000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3900-47-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4192-11-0x0000000010000000-0x000000001001B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4252-37-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4252-40-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4252-42-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4252-44-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5080-41-0x0000000010000000-0x0000000010017000-memory.dmp

    Filesize

    92KB

    Download