Overview

overview

10

Static

static

3

e2caf478ce...18.exe

windows7-x64

10

e2caf478ce...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    15-09-2024 15:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2caf478ced4391cfca807761f4d1568_JaffaCakes118.exe

  • Size

    271KB

  • MD5

    e2caf478ced4391cfca807761f4d1568

  • SHA1

    ff413caca3e9a79b0a467b78d3228f645618917b

  • SHA256

    26237182703a05b250f03316388eb28e7078a6aff6407312fec57c7fc101e88a

  • SHA512

    2cae60cd05161152deba0b3f925dc967feb047de30979d6628c173b66b02f9090283bbe8e2d0e007fe72d5bc16cacde5bfe182c795ad70f0c56b1ae1b76a6ec9

  • SSDEEP

    6144:jQ0AbCds86kSG7sW6lqF0hIwCBo82sKEJRyywQYHTUoiAQgwV:7Ab7yIqF0vCB0sKcIQvnV

Score
10/10
modiloaderdiscoverytrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 4 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2caf478ced4391cfca807761f4d1568_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e2caf478ced4391cfca807761f4d1568_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Windows\SysWOW64\¡¡.exe
      C:\Windows\system32\¡¡.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2516
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\system32\SxDel.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\SxDel.bat
    Filesize

    212B

    MD5

    c02a820225dc6aef10f5c365a3d7fa7d

    SHA1

    4135cb0dc9e971d709432446ed0607e140bb6b4a

    SHA256

    7d5eb543bdea5d9deaea058f48c5a6320d2aef1abff300a08427b7ca932e7070

    SHA512

    2c4c5b5441374271413d60fd5674bea167c758d913b94b8159648395fc2948aa8022f3b5810e191d233e2107fbeb85dab51019ebe9dae9e32864e8bb1d13837d

    Download Submit

  • F:\¡¡.exe
    Filesize

    271KB

    MD5

    e2caf478ced4391cfca807761f4d1568

    SHA1

    ff413caca3e9a79b0a467b78d3228f645618917b

    SHA256

    26237182703a05b250f03316388eb28e7078a6aff6407312fec57c7fc101e88a

    SHA512

    2cae60cd05161152deba0b3f925dc967feb047de30979d6628c173b66b02f9090283bbe8e2d0e007fe72d5bc16cacde5bfe182c795ad70f0c56b1ae1b76a6ec9

    Download Submit

  • memory/1244-0-0x0000000000400000-0x000000000050E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1244-1-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1244-2-0x0000000000400000-0x000000000050E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1244-13-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1244-20-0x0000000003170000-0x000000000327E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1244-33-0x0000000000400000-0x000000000050E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2516-22-0x0000000000400000-0x000000000050E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2516-31-0x0000000000400000-0x000000000050E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2516-23-0x0000000000400000-0x000000000050E000-memory.dmp

    Filesize

    1.1MB

    Download