Overview

overview

10

Static

static

3

e3f338ad05...18.exe

windows7-x64

10

e3f338ad05...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    16-09-2024 03:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e3f338ad05129fe9bb6c4823103fdfa3_JaffaCakes118.exe

  • Size

    456KB

  • MD5

    e3f338ad05129fe9bb6c4823103fdfa3

  • SHA1

    63122b3554ad4607ca2c80607960b2380dd6298f

  • SHA256

    0281d88dff1d6a12f147b2807a82c91d0aede10b150f3f4e4e7b1192d3ce2641

  • SHA512

    dbcaf669cc53db030e4439d82fd8276752f6fe44fb285da4e1061926f01521b48315e5c0f20ec294006fe3cfa99f01ca17dca58fd23c0484123a2fc3d20ad9bc

  • SSDEEP

    12288:Bnqa+fpGWv1A7o+eb9oN+4x6mTvJF+081I/srI:1qxGM1Ae9oN3z+jFrI

Score
10/10
modiloaderdiscoveryevasionexecutionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
    evasion
  • ModiLoader Second Stage 50 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3f338ad05129fe9bb6c4823103fdfa3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e3f338ad05129fe9bb6c4823103fdfa3_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Drops startup file
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cpy.vbs"
      2⤵
      • Drops startup file
      • System Location Discovery: System Language Discovery
      PID:2108
    • C:\Users\Admin\AppData\Local\Temp\e3f338ad05129fe9bb6c4823103fdfa3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\e3f338ad05129fe9bb6c4823103fdfa3_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2940
  • C:\Windows\system32\mshta.exe
    "C:\Windows\system32\mshta.exe" javascript:p9PYOAHiP8="i1nFcl61";G95p=new%20ActiveXObject("WScript.Shell");zjON8IV4J="P";o2Gah8=G95p.RegRead("HKLM\\software\\Wow6432Node\\hTQyvm\\GbIc6N");eibemg3eU="PXQ";eval(o2Gah8);yd1GdP4JH="UAsEe";
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:892
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:xtycdld
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe
        3⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VirtualBox drivers on disk
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Deletes itself
        • Drops startup file
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2012
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\SysWOW64\regsvr32.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2116

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\592d46\3c1180.bat
    Filesize

    61B

    MD5

    e675023f07cf8aff6a7e4d54c3fd3efc

    SHA1

    45b0c62d3e04315c205d04598dc77397d06882e6

    SHA256

    4d63145cba7c25183b1e52cec651579e0a1921813f3c307d314f290fa26098ab

    SHA512

    5f7a9463b3dd22df4ed69e2e21d903535e32265a4d98a4d46873ebdf7c6eb261b4e352a52de9baf7e05e0a037a18888b718c954574814f7bc9b1b9fb2ca348af

    Download Submit

  • C:\Users\Admin\AppData\Local\592d46\c77b5a.e0823ae
    Filesize

    29KB

    MD5

    b8dd9c4ef7196af5daf76e6900fe1843

    SHA1

    41c24a4a75ffd017d0f84d826ce2956ec98b890d

    SHA256

    fa386f798173b173b84d05d37b9e23bef1cd793b277b7bbaa78f1e3c036c1c99

    SHA512

    55ae96e277d8c0a0dca694b2808c2a93134ab1887580670371e5c422fd5c5b9b4244d5a0859535861936d653f2063d51b56f5e1c03de361854a5919b969c54e4

    Download Submit

  • C:\Users\Admin\AppData\Local\592d46\f60529.lnk
    Filesize

    877B

    MD5

    39e4a17a98e869cc2f1bd2bacbbb5053

    SHA1

    610aca9eb88d9a5ac8e5154985a08bddc3016740

    SHA256

    188b21996ce81764c07ffb710ec706e04749fa9fb240b34354b74367ada1a498

    SHA512

    8cb5e17115cca6b54a9e7b97fed3ceb9a2d94eeaef5bd3fb1b650318ba233bbbf2a5c8b8c9b256420943143b3d9049cd4162dc065cb3f2d05b0420a84b338c4d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab9742.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar9764.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cpy.vbs
    Filesize

    322B

    MD5

    99156b0549410541660f63f9b50f2072

    SHA1

    b1f3ba7ed2b99e3fe0790269ffe93164eae2f637

    SHA256

    fe3f03514cada743490e270e6a12016a13e4a00539f652d107431cd4366275c7

    SHA512

    a82bdef2a1aae561ef541af5e2d36ed55a6045d15f214d447bac7ac4c879e1519e6e98e7839649a4c2aa10045045589501c4ae7fd8b786ce874d634eb27ae2db

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mgr.vbs
    Filesize

    1KB

    MD5

    d4757524679d70ee9ce9cda52cf74a4d

    SHA1

    a87340c553b0b36254c3c62c64d1d80da04cda80

    SHA256

    656d9d4eb1da609c62ff17caeb566de6f57ac6d90944df858a2e9f2aa743ba2e

    SHA512

    f2ce74c47e0d5bc06de656c9addcfdac2b79640897eb41932ea10d3403ffc6a2b7530e35aaf8efb4a4beba8555f0a9676593fe92db4763b32713e3acfa1fae00

    Download Submit

  • C:\Users\Admin\AppData\Roaming\840cad\f4ca18.e0823ae
    Filesize

    35KB

    MD5

    785c0cabf95d0f729616c73981a438c5

    SHA1

    4ce59b6a8417f5ba0cafbb511da80f8ff4fa6c55

    SHA256

    23cb94d74cc93e15c5e745b00b2c2f135bcea2e68790cf0caf01d27977b5e30d

    SHA512

    eb20dda60c7b53b70c5af258cbc8ee007fb94e252448ad2826c76308f3150a90a4d089cbc365bb2073c1924a833c72c5af4d4ad871b382735f20831c04c574d2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\17e428.lnk
    Filesize

    987B

    MD5

    180704dcaabfe82f39f89f77fb2a9bcc

    SHA1

    0a313edd06b28fd28ef5c4ab88f505d7c10ab04b

    SHA256

    4a2a0342edd10975b5c0ee5078d772b35a4067ed2792668d7c89d18a3bd51863

    SHA512

    1a802a37cf98d22216730d89d15bd9cd5837c1a6ba563a2e32099cc1d6850700e76bc8e6fe0d4acad4a85b825d3ad259f267b52c3d9e62411abdcf2be731d9dc

    Download Submit

  • memory/1792-1-0x0000000000440000-0x0000000000483000-memory.dmp

    Filesize

    268KB

    Download

  • memory/1792-0-0x0000000000440000-0x0000000000483000-memory.dmp

    Filesize

    268KB

    Download

  • memory/1992-43-0x0000000006250000-0x0000000006324000-memory.dmp

    Filesize

    848KB

    Download

  • memory/1992-47-0x0000000006250000-0x0000000006324000-memory.dmp

    Filesize

    848KB

    Download

  • memory/2012-50-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-87-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-51-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-52-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-53-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-54-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-48-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-44-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-46-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-55-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-57-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-63-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-66-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-69-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-86-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-49-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-76-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-75-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-70-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-80-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-79-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-78-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-68-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-65-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-64-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-62-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-61-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-60-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-59-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-58-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2012-56-0x00000000002E0000-0x000000000041E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2116-93-0x0000000000090000-0x00000000001CE000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2116-94-0x0000000000090000-0x00000000001CE000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2940-23-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2940-22-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2940-14-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2940-16-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2940-28-0x0000000001E00000-0x0000000001ED4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/2940-20-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2940-32-0x0000000001E00000-0x0000000001ED4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/2940-33-0x0000000001E00000-0x0000000001ED4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/2940-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2940-29-0x0000000001E00000-0x0000000001ED4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/2940-24-0x0000000001E00000-0x0000000001ED4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/2940-25-0x0000000001E00000-0x0000000001ED4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/2940-26-0x0000000001E00000-0x0000000001ED4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/2940-8-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2940-10-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2940-12-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download