Overview

overview

10

Static

static

3

f6b09f164d...18.exe

windows7-x64

10

f6b09f164d...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-09-2024 19:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe

  • Size

    253KB

  • MD5

    f6b09f164d9dff2942d2977e10f0f121

  • SHA1

    c7c78e6a15faeb4fc81dce878d629b3ccc0ca811

  • SHA256

    f3a6e5010278054ba42e8c388598096c3d6528cd3550c60b2687c2e4bf0522c3

  • SHA512

    45bc7dd718f4b1bbe2df3e6616b156eb661a40dfa34335a46f1f7f1cb396e9cb51a4970baa9c46387f02518fd5464168b9cb930bf6d2c67e186b79b620455f27

  • SSDEEP

    6144:kRXdt7KzrIU2ykH2ipsPnafFlerkb3LrtoetumddZR6wkB:6z7KzrIjXnOitlt3Noer

Score
10/10
modiloaderdiscoverytrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 11 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks computer location settings
    • Maps connected drives based on registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Windows\server.exe
      "C:\Windows\server.exe" \melt "C:\Users\Admin\AppData\Local\Temp\f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe"
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies registry class
      PID:3668

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\PCGWIN32.LI4
    Filesize

    528B

    MD5

    afd279379a47f1a6e050e1ca20bc0e1c

    SHA1

    1ae189143798fc1b4c23f22813a0ccdcf07460e3

    SHA256

    dcd38e2d5e217c1e8d2fbd0bc5317e98bdb0fb4e1628b62f4f61e1469c4c261c

    SHA512

    7f9004ccca1601ac6916e97566c877428647774c5adc56c86d0cee45cb6e8ea6d64ad0b7fd49331c9dbccd0d6e8d3aa36d0104fa7a6d10f42a47bddd87a5cc6d

    Download Submit

  • C:\Windows\server.exe
    Filesize

    253KB

    MD5

    f6b09f164d9dff2942d2977e10f0f121

    SHA1

    c7c78e6a15faeb4fc81dce878d629b3ccc0ca811

    SHA256

    f3a6e5010278054ba42e8c388598096c3d6528cd3550c60b2687c2e4bf0522c3

    SHA512

    45bc7dd718f4b1bbe2df3e6616b156eb661a40dfa34335a46f1f7f1cb396e9cb51a4970baa9c46387f02518fd5464168b9cb930bf6d2c67e186b79b620455f27

    Download Submit

  • memory/1368-0-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/1368-1-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/1368-2-0x00007FFFA9570000-0x00007FFFA9765000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1368-58-0x00007FFFA9570000-0x00007FFFA9765000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1368-57-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/3668-59-0x00007FFFA9570000-0x00007FFFA9765000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3668-55-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download