Overview

overview

10

Static

static

3

ef47dc8ed4...18.exe

windows7-x64

10

ef47dc8ed4...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-09-2024 07:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ef47dc8ed4588f80c676fa26a0e437d6_JaffaCakes118.exe

  • Size

    494KB

  • MD5

    ef47dc8ed4588f80c676fa26a0e437d6

  • SHA1

    945c118677be48838afb958de5e06e5953ec4a7e

  • SHA256

    47650245af5e31038b0c7ac5038b17a3bff8acb2b37929258ead84f55354b139

  • SHA512

    cf8045c7e7e2cfb311ac563a97da20aee854d39feb4ed3f68c0a51a38dfd24b7381b1a178739fdfe2be91bdc6398ffa9e8c4058c1a7369cd48196f51f96088ec

  • SSDEEP

    6144:Y6T60qmwaw40TzxiUjER7tYfHE1RSMbzfDj2Rgyz/KrzUvbljpnyA4ybq1D4+TGL:3T6XWIVc1tYfk1YU/9+bnyYbGfTg

Score
10/10
modiloaderdiscoveryevasiontrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • ModiLoader Second Stage 16 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\ef47dc8ed4588f80c676fa26a0e437d6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ef47dc8ed4588f80c676fa26a0e437d6_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\Users\Admin\AppData\Local\akin.exe
      "C:\Users\Admin\AppData\Local\akin.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Windows\hccutils32.exe
        "C:\Windows\hccutils32.exe"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:4040
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3032

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\akin.exe
    Filesize

    1.3MB

    MD5

    1d4cd535bfb6f63430eca030b7d7a8c4

    SHA1

    4b51b492503843419e7e07c345187ff66c1d0245

    SHA256

    f3779cd0dda7696454a401faf4a7dcaae13405aa47c2801ba4d7718d80014199

    SHA512

    11ae8e96eb834558619b77cc0d979db8a061d19310838f705c98eb1614db20ee453f818989cbe7d1d26e472bf93ce751323c5fd97df8dd9a34ec76589cf30473

    Download Submit

  • C:\Windows\bguiv32.dll
    Filesize

    33KB

    MD5

    81efa1c7bc6d23e189a4d38fe69b7b79

    SHA1

    1abb83890e5035053e072afaa1d55e491be54e78

    SHA256

    b294a5cc711316cabc42235db1df41f8bf644af3549ee2f622c2a47d82860080

    SHA512

    59f192544fadbb55ce9bd905cd347a0d6854faaac7b10c9868a109aa3f3cc7b8b4d736477543d3fb279dd0bfd415118c145978b26d7328709ce211bf07f99bb6

    Download Submit

  • C:\Windows\drvstore.dll
    Filesize

    7KB

    MD5

    0d7300abcdc9faa0fc7d7b07e80e9f8a

    SHA1

    0ba27c0f80f3ea4e707ea5e8a324c24053a7053b

    SHA256

    c54a79a55e54a5ba5f65091f38c0ef1dbebc66ae704b07f94f3756a73d678e4b

    SHA512

    b848c6a49179381182fe29f5d2c360b04baf083d3704dd1edd1c01c3cacd96cee6706659bf59ef9e657ef7dccd2f2a520232e996d9c2e09fd204d8d645041046

    Download Submit

  • memory/1600-34-0x0000000000820000-0x0000000000821000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1600-68-0x0000000000400000-0x0000000000550000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1796-33-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/4040-87-0x0000000000400000-0x0000000000550000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4040-105-0x0000000000400000-0x0000000000550000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4040-84-0x0000000002130000-0x0000000002138000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4040-83-0x0000000000400000-0x0000000000550000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4040-80-0x00000000037F0000-0x00000000037FE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4040-90-0x0000000000400000-0x0000000000550000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4040-94-0x0000000000400000-0x0000000000550000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4040-97-0x0000000000400000-0x0000000000550000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4040-102-0x0000000000400000-0x0000000000550000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4040-85-0x00000000037F0000-0x00000000037FE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4040-109-0x0000000000400000-0x0000000000550000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4040-112-0x0000000000400000-0x0000000000550000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4040-116-0x0000000000400000-0x0000000000550000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4040-119-0x0000000000400000-0x0000000000550000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4040-122-0x0000000000400000-0x0000000000550000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4040-126-0x0000000000400000-0x0000000000550000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4040-129-0x0000000000400000-0x0000000000550000-memory.dmp

    Filesize

    1.3MB

    Download