Overview

overview

10

Static

static

3

e6a91c0da3...18.exe

windows7-x64

10

e6a91c0da3...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    17-09-2024 10:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e6a91c0da38a628825c3597189fd2601_JaffaCakes118.exe

  • Size

    331KB

  • MD5

    e6a91c0da38a628825c3597189fd2601

  • SHA1

    ffd54838cf3376de66d03f4481c6ff94026f53e5

  • SHA256

    3a4332dce086f323ac31f1248b687637ef9ff3d3e4416b3bce3dcb6cd4cd0e35

  • SHA512

    d24ee74204bca8078babe7e96589370116c32de402e9292721ff88fa8fa244e0b79ef2acdd4f20f80470afe676ff82b021c31323c438304f013f795758aa34b1

  • SSDEEP

    6144:rTlX2afUVMJnGGYONpiG/rpdOpMvh6EEpv6UIFcqiWEiHUpZ:nlX2afBFOyXbaqigUT

Score
10/10
modiloaderdiscoveryevasionexecutionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
    evasion
  • ModiLoader Second Stage 55 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6a91c0da38a628825c3597189fd2601_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e6a91c0da38a628825c3597189fd2601_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:3068
  • C:\Windows\system32\mshta.exe
    "C:\Windows\system32\mshta.exe" javascript:kgEIO64zB="nkcN8i";W8B=new%20ActiveXObject("WScript.Shell");XE92kjYqc="lS";rmlv5=W8B.RegRead("HKCU\\software\\r83FKVbQc\\VYk3wy1");iNb0Vh="MycbAziD";eval(rmlv5);LTnMn6="bH3VqFnJ";
    1⤵
    • Process spawned unexpected child process
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:rwrunzdo
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe
        3⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VirtualBox drivers on disk
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Deletes itself
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2068
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\SysWOW64\regsvr32.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:324

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    c27cac9fe961b2f53e534b119c4a062c

    SHA1

    67738474d8c738bf18976e2e0371a4522904aad3

    SHA256

    eac034a788fa0821a46256b55426c11acb64aeb9b060b66c37ad475d3ded4182

    SHA512

    6db4a07ec875558c5895ed2f552b47c3b776bb36fe577e8ee8d4c5de8df96dc005ef9a9da594fb52b6b7d775ad8c0243520ae89d9fc9d81f307860c26277dfe3

    Download Submit

  • C:\Users\Admin\AppData\Local\95b90e16\b60cb902.bat
    Filesize

    74B

    MD5

    55acd2153902ff4f2b0824b8a9560929

    SHA1

    75d72670430fe8eca9785457ff936d1d7cb22102

    SHA256

    e0c34daed461ccf2804976259d10d9bc0e7418aa648e6e6e9f333dc5828fdb31

    SHA512

    9322dc6c6ee55b0d3f0b424568a691582b363f7e60c122bff11d6a641376c5aeab7c6b11c3f200095a4d1149f07aceb7c5d35b3b785a38fe540521376259a14e

    Download Submit

  • C:\Users\Admin\AppData\Local\95b90e16\c4d7d99c.2bc0e3f4f
    Filesize

    10KB

    MD5

    36f498a2514b60a1d2d14553a1ff44f1

    SHA1

    f5970ee275cacb7a4e94b8e28a727b7133b2d087

    SHA256

    ca06aed5d4fd3d649468a4060c1f37e32364cb1e982397a46f1f8f7b49ad2292

    SHA512

    cfdd43b6b0a9269c3dcbaf3123575889ccb3707825091919b1a4f5c34150b076764b841eb1184ab2896e2a0bf64fc193e31105b7389c2a35c4f733475bff22dd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab8D44.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar8DF2.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • memory/324-66-0x00000000001A0000-0x00000000002EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/324-64-0x00000000001A0000-0x00000000002EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/324-65-0x00000000001A0000-0x00000000002EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/324-60-0x00000000001A0000-0x00000000002EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/324-67-0x00000000001A0000-0x00000000002EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/324-68-0x00000000001A0000-0x00000000002EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/324-69-0x00000000001A0000-0x00000000002EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/324-70-0x00000000001A0000-0x00000000002EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/324-71-0x00000000001A0000-0x00000000002EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/324-72-0x00000000001A0000-0x00000000002EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/324-73-0x00000000001A0000-0x00000000002EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/324-55-0x00000000001A0000-0x00000000002EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-20-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-24-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-52-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-51-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-50-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-49-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-48-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-47-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-40-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-39-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-38-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-37-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-36-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-35-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-33-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-31-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-30-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-29-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-28-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-27-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-26-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-25-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-46-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-41-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-23-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-21-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-22-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-34-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-15-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-32-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-18-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2068-19-0x00000000002A0000-0x00000000003EA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2548-14-0x00000000061B0000-0x000000000628C000-memory.dmp

    Filesize

    880KB

    Download

  • memory/2548-17-0x00000000061B0000-0x000000000628C000-memory.dmp

    Filesize

    880KB

    Download

  • memory/2548-13-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3068-8-0x00000000004D0000-0x00000000005AC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/3068-56-0x00000000004D0000-0x00000000005AC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/3068-9-0x00000000004D0000-0x00000000005AC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/3068-0-0x0000000000400000-0x000000000045A5E8-memory.dmp

    Filesize

    361KB

    Download

  • memory/3068-7-0x00000000004D0000-0x00000000005AC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/3068-3-0x0000000000400000-0x000000000045A5E8-memory.dmp

    Filesize

    361KB

    Download

  • memory/3068-4-0x00000000004D0000-0x00000000005AC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/3068-5-0x00000000004D0000-0x00000000005AC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/3068-2-0x00000000004D0000-0x00000000005AC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/3068-1-0x0000000000452000-0x0000000000454000-memory.dmp

    Filesize

    8KB

    Download