Overview

overview

10

Static

static

7

d8c0c78c21...18.exe

windows7-x64

10

d8c0c78c21...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10/09/2024, 18:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d8c0c78c21ab37355aa5bc088bba7add_JaffaCakes118.exe

  • Size

    1.7MB

  • MD5

    d8c0c78c21ab37355aa5bc088bba7add

  • SHA1

    de819615d2d26f1932f31c7a3ee44046315e6c52

  • SHA256

    9b24e6517438b1b5ffd527cbffecb5ba3872d51e296b4b74dac90340ecdc70bf

  • SHA512

    5fe16c13c451183571ed0670d8c5788932abab0f09dd3ef07bb7ae0ecdb2a6e309d30f4eb0dec5cb189289bffe60c0e27f9a10bb4f47554b6dc8dedd578a2d11

  • SSDEEP

    49152:ytC1+1vYnrsvIx9RPPFrqaYcubfJNVB0SAdhNDQjTX:j+1vewMfFOf12FLtQjD

Score
10/10
modiloaderdiscoveryevasionpersistencethemidatrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • ModiLoader Second Stage 16 IoCs
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 2 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 3 IoCs
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8c0c78c21ab37355aa5bc088bba7add_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d8c0c78c21ab37355aa5bc088bba7add_JaffaCakes118.exe"
    1⤵
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Users\Admin\AppData\Local\Temp\Ruifogodaniela.exe
      "C:\Users\Admin\AppData\Local\Temp\Ruifogodaniela.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2688
      • C:\Windows\mstwain32.exe
        "C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\Ruifogodaniela.exe"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1632
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2436
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2892
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        3⤵
        • Disables RegEdit via registry modification
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2900
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:3068
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2916
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:380
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1588
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1496
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:696
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1976
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:484
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:292
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1044
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:584
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1680
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    PID:2648
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

4
T1112

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DSCF0107.JPG
    Filesize

    844KB

    MD5

    3cd553973b131e7c8a7d617f017f1f54

    SHA1

    d9fd37915ff578d15303767d876033762b2af904

    SHA256

    fb7cd473dab7c69ee0174bbc17a260bd74df2f440eb6a4f7f48311fc4f8d7e66

    SHA512

    2a852311b96f1e0c8fbaa96451554f801c2c93cb78200ea0fd4c1a5f8f7b1e395a0b40b064850e74a8823e777169ab8a06229b38a5e7d6e3a605ecdfde36d27d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Ruifogodaniela.exe
    Filesize

    270KB

    MD5

    d9f0b209d5a57d3cbe382608df75938c

    SHA1

    e2d08a68791781a2a25d84dc74b4383b8c37fa5b

    SHA256

    38ff7732a0d4d8caadfbcae482e5ad0ae8221d1a6109983baae664fe787add4e

    SHA512

    557fa36f003c39d1c1267440e5b7100f73106783dcea8dbd125456eb7b84adc54c1a239a3b2819a3c13e04beb88fbd3ef9bc0c1d693d7a320d5ec27622df600d

    Download Submit

  • memory/1632-55-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1632-42-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1632-76-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1632-73-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1632-70-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1632-67-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1632-39-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1632-34-0x0000000000620000-0x000000000062E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1632-36-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1632-37-0x00000000002F0000-0x00000000002F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1632-64-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1632-61-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1632-58-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1632-45-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1632-48-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1632-52-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1632-38-0x0000000000620000-0x000000000062E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1928-0-0x0000000000400000-0x00000000004A8000-memory.dmp

    Filesize

    672KB

    Download

  • memory/1928-14-0x0000000005420000-0x0000000005422000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1928-1-0x0000000000401000-0x0000000000407000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1928-18-0x0000000000401000-0x0000000000407000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1928-17-0x0000000000400000-0x00000000004A8000-memory.dmp

    Filesize

    672KB

    Download

  • memory/2648-15-0x0000000000180000-0x0000000000182000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2688-29-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download