Overview

overview

10

Static

static

3

f5585d24b3...18.exe

windows7-x64

10

f5585d24b3...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-09-2024 06:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5585d24b3f65699e7a0bd983bed5b86_JaffaCakes118.exe

  • Size

    894KB

  • MD5

    f5585d24b3f65699e7a0bd983bed5b86

  • SHA1

    9f24b8f8f8c947a16bd0c361c5af7a795d5d7755

  • SHA256

    90d08744b3d51481b01df4c23c33c4020ec67f6c72ff539e1d6aa2281abb3e17

  • SHA512

    7ee452928ed9a90794f25c0f4b0d034191aa12facebefb3d1d35553a13eb894a9649864bfd69c6851787605cfb9caf356535f36e64d3b4043ee38c57c0dfcbcc

  • SSDEEP

    24576:GvwQyBaWnBCqyaaNCM2OAjhuDqhwGZro07:GvlyBaWntyrNBlANuGhwaroU

Score
10/10
modiloaderdiscoveryevasionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • ModiLoader Second Stage 22 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5585d24b3f65699e7a0bd983bed5b86_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f5585d24b3f65699e7a0bd983bed5b86_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4404
    • C:\Users\Admin\AppData\Local\Temp\f5585d24b3f65699e7a0bd983bed5b86_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\f5585d24b3f65699e7a0bd983bed5b86_JaffaCakes118.exe
      2⤵
      • Checks computer location settings
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2880
      • C:\Windows\msmmgsr.exe
        "C:\Windows\msmmgsr.exe" \melt "C:\Users\Admin\AppData\Local\Temp\f5585d24b3f65699e7a0bd983bed5b86_JaffaCakes118.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5080
        • C:\Windows\msmmgsr.exe
          C:\Windows\msmmgsr.exe
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • System policy modification
          PID:1700
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2916

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\cmsetac.dll
    Filesize

    33KB

    MD5

    c7e437f00f51b77d4d6722ea6c0b116b

    SHA1

    9b588a16083df0fcf03a14ed8e9e59e1f23454bf

    SHA256

    078ce2c5e92dfe67a02d26538ca6cf81b4617fa2e0f370743bd0036983284c39

    SHA512

    390f8324c02f13da96849381c542be8f1c4499749f0d6caf8299cef4fad4b61081fe2c4cd514b23cc40211c5b3d8af980b9b0791874713c26f2c5c19388c574e

    Download Submit

  • C:\Windows\msmmgsr.exe
    Filesize

    894KB

    MD5

    f5585d24b3f65699e7a0bd983bed5b86

    SHA1

    9f24b8f8f8c947a16bd0c361c5af7a795d5d7755

    SHA256

    90d08744b3d51481b01df4c23c33c4020ec67f6c72ff539e1d6aa2281abb3e17

    SHA512

    7ee452928ed9a90794f25c0f4b0d034191aa12facebefb3d1d35553a13eb894a9649864bfd69c6851787605cfb9caf356535f36e64d3b4043ee38c57c0dfcbcc

    Download Submit

  • C:\Windows\ntdtcstp.dll
    Filesize

    7KB

    MD5

    67587e25a971a141628d7f07bd40ffa0

    SHA1

    76fcd014539a3bb247cc0b761225f68bd6055f6b

    SHA256

    e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

    SHA512

    6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

    Download Submit

  • \??\c:\users\admin\appdata\local\temp\8A3B1BA7
    Filesize

    14B

    MD5

    a08de37981429541a51c0a70f273844c

    SHA1

    57df9538dba5c42b2d68e6c4e77ef0874f8d1c02

    SHA256

    ad79ca181a23fb17417445a2e281f8f87162699a795385d6a324d7a2777980f8

    SHA512

    758a76dd6921a4dba926fdf4834f690c6fe2197ac3edbddb4086b513ff587eaed58ba6f99944b94916dc09176287e3fa54469282ae0b99b06bd17804cb786e65

    Download Submit

  • memory/1700-45-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1700-46-0x0000000000830000-0x0000000000838000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1700-84-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1700-81-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1700-78-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1700-29-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1700-75-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1700-32-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1700-72-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1700-69-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1700-42-0x00000000030E0000-0x00000000030EE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1700-44-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1700-66-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1700-63-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1700-47-0x00000000030E0000-0x00000000030EE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1700-48-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1700-51-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1700-54-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1700-57-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1700-60-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2880-8-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2880-4-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2880-5-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2880-6-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2880-21-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4404-0-0x0000000000400000-0x00000000007A9000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/4404-7-0x0000000000400000-0x00000000007A9000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/5080-31-0x0000000000400000-0x00000000007A9000-memory.dmp

    Filesize

    3.7MB

    Download