Overview

overview

10

Static

static

3

f37083d35c...18.exe

windows7-x64

10

f37083d35c...18.exe

windows10-2004-x64

Resubmissions

25-09-2024 17:02

240925-vj61tswglq 10

24-09-2024 10:56

240924-m1nltavhma 10

24-09-2024 10:31

240924-mkb8va1ejk 10

Analysis

  • max time kernel
    1s
  • max time network
    10s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-09-2024 10:31

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe

  • Size

    623KB

  • MD5

    f37083d35c4d2e785a6fb84875cb8331

  • SHA1

    fc93143795ae3fb1b81947961d571b1e00fdb4b5

  • SHA256

    e1a9f7fad02dc673f6c02f5b1ec82266dc85426941c403750d3c46289feec30c

  • SHA512

    5d85335c80d532a22203076f5730ec8518b221f0a1ad89a14e7575a9d8d9b88d414afb72a5ea72a3bec728673d3db0b24cb597bb0da64ce4e03d6140bd602f51

  • SSDEEP

    6144:zcP+pnEzMXdO4Qq6Iyh1G6J9bJuYK6wGWZRgdg18LIg7mG58Lxzj2z8ZkiGn1umM:zlnE/zJ9HKIww5AyviGumKuCN

Score
10/10
modiloaderbootkitdefense_evasiondiscoverypersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Users\Admin\KBzrJe4WanwyAG0z4x.exe
      KBzrJe4WanwyAG0z4x.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1636
    • C:\Users\Admin\lob.exe
      lob.exe
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:460
    • C:\Users\Admin\loc.exe
      loc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3780
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Local\rorske.dll",Startup
        3⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:4380
    • C:\Users\Admin\loe.exe
      loe.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3336
      • C:\Users\Admin\loe.exe
        loe.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2668
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1608

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\rorske.dll
    Filesize

    105KB

    MD5

    46eec9904342db94f51c0dfa0e3a10d9

    SHA1

    846759eaf3aa75bc91317c9364f4f5f1384cd96f

    SHA256

    125e143157269947d2834d27f02488fc9dc796811c230f8c33f1985e19932153

    SHA512

    a736a8ce1a5bebaba126f768f5109fe4d09a6bac9be840658b72de6cdff3f532db3c5e496871ba1d5c5eebcc58b3b4415798b7cde1bbbcfb5b7230358354c2a4

    Download Submit

  • C:\Users\Admin\KBzrJe4WanwyAG0z4x.exe
    Filesize

    156KB

    MD5

    0985e2a405cf8989d20f5e126f752c95

    SHA1

    1df3f3f6b95b5f6c7ec29b5cdcc0e4e4d837dafd

    SHA256

    807c1ab2f96b44d9a6380e36f61356aa810cbd8bea85f4339ec5f8c0a3458cbd

    SHA512

    ace7323c9662eb57daab10830af30d67c2cc9ef7df78f245b5252f229ea9ac91e96ca2a0fbf17b222d856ddc38bde25385d6cb3e6f96e357e56dd7378e98e5e8

    Download Submit

  • C:\Users\Admin\kiemof.exe
    Filesize

    156KB

    MD5

    3c6e55d635236e47cd07d25e977d1fe0

    SHA1

    031053f18defb7dec2628915217e1ac3c1cc5a30

    SHA256

    06de61e82dc2ff277620172fa6513b7c1577df956994b6392a11675aa62b8437

    SHA512

    f263f18c1cffb1555c82d4c6841d81e5799d0a3d900cf2d550670c031eaf824733faeb13fa2900e75af664b0a34ad4f3bee7b0445f7ee02d44cb6e3e8939077e

    Download Submit

  • C:\Users\Admin\lob.exe
    Filesize

    178KB

    MD5

    e0a8e618405e52a6cf77476f18938364

    SHA1

    bd8f7d8c5d097cec9d71ebc909bbbbc29040c4c5

    SHA256

    fce212d1951fc71c0663fe94f79142463e99eafd6f93667ccc9ef71f21399fb1

    SHA512

    cccfd7ee58469678dc8cfc731c8b24bfa0cafc5e7f4fbff23bf175b8dec1c9c3c261c5da5ea455829bb612974af077f382e90b6afe4874f8fbd3fe8d223f028c

    Download Submit

  • C:\Users\Admin\loc.exe
    Filesize

    105KB

    MD5

    b1c6e87de3686ba109bc6079221470d7

    SHA1

    2b669e09a587612a7e21f433968cfddf70ef7de7

    SHA256

    03c579ef791d5a7855e135d2f5392ff533edb6dd5e1b59bfc8085ee2e8f76aa3

    SHA512

    5522f5829b988f05a9ec44c036e9ee291f3cd1ab493ea290cfb37f02613be53c86e886c6361448777efe46d62faa4b23458b3eecd6abaf33793c28c7d0676c5f

    Download Submit

  • C:\Users\Admin\loe.exe
    Filesize

    143KB

    MD5

    cfca1423ddb4863c1d288e70252f8b63

    SHA1

    e5bb623d2a15ca203379f390a15622648f2d9adb

    SHA256

    8c977a316988b3e945ff4a9badadd2f68cbcd176c7e1eba5d44d40e404f090a4

    SHA512

    e5e1eea62ad86cf71d1a346254e9f1af66e82e1589401b395e925561f996a9acabac5a36dcd79bfe80725846d9aaf7e69d3cc6c081a76adc7a3606aee298ce7f

    Download Submit

  • memory/460-15-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/460-23-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/460-37-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/460-36-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/460-21-0x0000000000403000-0x0000000000404000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-39-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2668-40-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2668-45-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2668-46-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2668-41-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2668-38-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/3336-44-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/3780-24-0x00000000021D0000-0x00000000021E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3780-22-0x0000000010000000-0x000000001001E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3780-35-0x0000000010000000-0x000000001001E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3780-25-0x00000000021D0000-0x00000000021E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4380-32-0x0000000010000000-0x000000001001E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4380-34-0x00000000027C0000-0x00000000027D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4380-33-0x00000000027C0000-0x00000000027D0000-memory.dmp

    Filesize

    64KB

    Download