Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-09-2024 16:31

General

  • Target
    edfdd0b6be91c72507506d6b3d0104b3_JaffaCakes118.exe
  • Size
    450KB
  • MD5
    edfdd0b6be91c72507506d6b3d0104b3
  • SHA1
    c6497ef72ac1d2c5b78c17d2d0920d33326a16ab
  • SHA256
    30dcf8d3f51c821d588176675d6e164f7661735b4bfa3d973c1f78900351348a
  • SHA512
    646a3f6e789bea7c423f1829d17d96cff2aadd662bcda803e41ba1d74cf02f19ba4598aea851b7b8e509a46e28031bc8780606c04e436c77fd0a95839dff7f0c
  • SSDEEP
    12288:FNySZOep1KOR0xbuuhdxqLG/EBfOApn56ojB:FNRZN17R0NuubxqUaDnRV

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 1 IoCs
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\edfdd0b6be91c72507506d6b3d0104b3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\edfdd0b6be91c72507506d6b3d0104b3_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1480
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\\bncst.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4468
      • C:\Users\Admin\AppData\Local\Temp\bncst.exe
        C:\Users\Admin\AppData\Local\Temp\\bncst.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4712
        • C:\program files\internet explorer\IEXPLORE.EXE
          "C:\program files\internet explorer\IEXPLORE.EXE"
          4⤵
          PID:796
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c "C:\Users\Admin\AppData\Local\Temp\\ad1243.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4432
        • C:\Users\Admin\AppData\Local\Temp\ad1243.exe
          C:\Users\Admin\AppData\Local\Temp\\ad1243.exe
          3⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4104
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\PushWare\cpush.dll"
            4⤵
            • Loads dropped DLL
            • Installs/modifies Browser Helper Object
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            PID:4984

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Common Files\PushWare\cpush.dll
    Filesize
      192KB
    MD5
      6366eda0ec56c9ccb83137a89e7eb2e3
    SHA1
      9cb1f117c9178ecb03651e4a943e50b975a5ed67
    SHA256
      8a9fd36a1e55b060a6a4fd3eaddaa9cf956ad72b533b8e9b232f56a770ee79ac
    SHA512
      4ed708b378618bb1ea65128519343fd29f9288c6632fef1257a51c11c426241548d8f02713b5a2048ce135a2cf1d2e345fe2ff3756b2dd7481f46831c103e5bc
  • C:\Users\Admin\AppData\Local\Temp\ad1243.exe
    Filesize
      135KB
    MD5
      57bd433115b749cce9a66002def2a0cc
    SHA1
      84e29c90787eaa22385821f215a57fda47f7bbbb
    SHA256
      3803122a5f8a8c896ed1211dce575bab88f3a9faac41f1bec826229478d84702
    SHA512
      496836829366cec673115eab3e81f49867da983027c9a004b946b75016b1b4d292c89b810d4d372d66ac3d07aa3ac7a6d7ecda21b3bae52b8eafc9b82e5e84d1
  • C:\Users\Admin\AppData\Local\Temp\bncst.exe
    Filesize
      286KB
    MD5
      1f88734e10bcf55f99e66c130f26bb37
    SHA1
      720de38a09ca2829216556258d3385fdc7a044b8
    SHA256
      45b41b033c472f2d6fdc70ef4a405f72da4c7935a55eb2fbef4d7b5a8d4f6211
    SHA512
      ca54129602c10994935051c99089b0e6931a60d652e20d6c28d0bf5d9a1d2557fab5aef35631c492800f48ffb79a276b8aceaae4a3a97d32069af191ed09347b
  • memory/1480-2-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize
      476KB
  • memory/4712-9-0x00000000007C0000-0x00000000007C1000-memory.dmp
    Filesize
      4KB
  • memory/4712-11-0x0000000000400000-0x00000000004BA000-memory.dmp
    Filesize
      744KB