Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/09/2024, 22:50 UTC

General

  • Target
    fb0bb360d584db7f5957950c92f9a891_JaffaCakes118.exe
  • Size
    228KB
  • MD5
    fb0bb360d584db7f5957950c92f9a891
  • SHA1
    8a4bb3d44723c985a9159af5e571bc07e8e8f7fe
  • SHA256
    70a668f140a46c053452815ea1376b7eaadec8a442f02e8173d0e3b6fa304072
  • SHA512
    62e450de71755b54af3460950eef429d2cd6a2db94a951e2e8113267c526b92a53ca5d530e65d08257a2f1bc4479362c229804aa9c138228e58a1cbf52128af1
  • SSDEEP
    6144:GKEJlynW7xSWeQGpwSjy0fPkOO7mhCP5XL:MJlyneSWfSwghfpEPPlL

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • UAC bypass 3 TTPs 1 IoCs
  • ModiLoader Second Stage 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb0bb360d584db7f5957950c92f9a891_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fb0bb360d584db7f5957950c92f9a891_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5100
    • C:\Users\Admin\AppData\Local\Temp\fb0bb360d584db7f5957950c92f9a891_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\fb0bb360d584db7f5957950c92f9a891_JaffaCakes118.exe
      2⤵
      • Checks computer location settings
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:8
      • C:\Windows\mstwain32.exe
        "C:\Windows\mstwain32.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Windows\mstwain32.exe
          C:\Windows\mstwain32.exe
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • System policy modification
          PID:4368
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2588
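The tree above can be turned directly into a host-side detection. What follows is an added example, not code from the report or from the sandbox vendor: it replays the chain as constructed Sysmon-style process-creation records (the PIDs, image paths and the sample's SHA256 are taken from the report; the parent PIDs of the two roots, the hash given to vssvc.exe and the record layout are assumptions) and flags the two shapes the tree shows. The first is a process re-launching its own image, which is the SetThreadContext plus WriteProcessMemory hollowing pattern the tree attributes to PIDs 5100 and 2824. The second is a binary executed straight from C:\Windows that carries the submitted sample's own hash, which is what the mstwain32.exe drop is.

```python
"""Added example: rebuild the report's process chain from constructed
Sysmon-style process-creation records and flag the hollowing and
self-copy patterns it shows. Not part of the sandbox report."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# SHA256 of the submitted sample (from the report's General section).
SAMPLE_SHA256 = "70a668f140a46c053452815ea1376b7eaadec8a442f02e8173d0e3b6fa304072"

SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\fb0bb360d584db7f5957950c92f9a891_JaffaCakes118.exe")
DROPPED_PATH = r"C:\Windows\mstwain32.exe"


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event ID 1, reduced to what we need)."""
    pid: int
    ppid: int
    image: str
    sha256: str


# Constructed records mirroring the tree in the report. PIDs and images are
# the report's; the parent PIDs of the two roots (4000, 700) and the hash
# given to vssvc.exe are placeholders, not observed values.
EVENTS: List[ProcEvent] = [
    ProcEvent(5100, 4000, SAMPLE_PATH, SAMPLE_SHA256),
    ProcEvent(8, 5100, SAMPLE_PATH, SAMPLE_SHA256),
    ProcEvent(2824, 8, DROPPED_PATH, SAMPLE_SHA256),
    ProcEvent(4368, 2824, DROPPED_PATH, SAMPLE_SHA256),
    ProcEvent(2588, 700, r"C:\Windows\system32\vssvc.exe", "0" * 64),
]


def index_by_pid(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def find_self_spawn(events: List[ProcEvent]) -> List[Tuple[int, int, str]]:
    """Child whose image path equals its parent's image path.

    A loader that creates a suspended copy of itself, overwrites it
    (WriteProcessMemory) and redirects its entry point (SetThreadContext)
    produces exactly this parent/child pair. Returns (ppid, pid, image).
    """
    by_pid = index_by_pid(events)
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower() == e.image.lower():
            hits.append((parent.pid, e.pid, e.image))
    return hits


def find_windows_root_copies(events: List[ProcEvent],
                             sample_sha256: str) -> List[Tuple[int, str]]:
    """Executables run directly from C:\\Windows (not a subdirectory)
    whose hash is the submitted sample's: the dropped self-copy."""
    hits = []
    for e in events:
        directory, _, _ = e.image.rpartition("\\")
        if directory.lower() == r"c:\windows" and e.sha256 == sample_sha256:
            hits.append((e.pid, e.image))
    return hits


def ancestry(events: List[ProcEvent], pid: int) -> List[int]:
    """PIDs from `pid` up to the root of its chain, child first."""
    by_pid = index_by_pid(events)
    chain, seen = [], set()
    cur: Optional[ProcEvent] = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def analyze(events: List[ProcEvent],
            sample_sha256: str = SAMPLE_SHA256) -> Dict[str, object]:
    """Combine both checks; a chain that hits both is the loader's full path."""
    self_spawn = find_self_spawn(events)
    copies = find_windows_root_copies(events, sample_sha256)
    hollowed_pids = {pid for _, pid, _ in self_spawn}
    # A dropped copy whose ancestry contains a hollowed process: the drop
    # was written by an already-unpacked stage, as in the report (PID 8).
    drop_from_hollowed = [pid for pid, _ in copies
                          if hollowed_pids & set(ancestry(events, pid)[1:])]
    return {
        "self_spawn": self_spawn,
        "windows_root_copies": copies,
        "copies_spawned_by_hollowed_stage": drop_from_hollowed,
    }


if __name__ == "__main__":
    for key, value in analyze(EVENTS).items():
        print(f"{key}: {value}")
```

On real telemetry the same two checks apply unchanged to Sysmon event ID 1 (Image, ParentImage, Hashes) or to EDR process-start records; the hash comparison is what separates this loader's self-copy from a legitimate installer that also writes under C:\Windows.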

Network

  DNS (reverse lookups, all sent to the resolver at 8.8.8.8:53)

  • 97.17.167.52.in-addr.arpa      IN PTR    response carried no PTR record
  • 88.210.23.2.in-addr.arpa       IN PTR    a2-23-210-88.deploy.static.akamaitechnologies.com
  • 73.31.126.40.in-addr.arpa      IN PTR    response carried no PTR record
  • 95.221.229.192.in-addr.arpa    IN PTR    response carried no PTR record
  • 58.55.71.13.in-addr.arpa       IN PTR    response carried no PTR record
  • 154.239.44.20.in-addr.arpa     IN PTR    response carried no PTR record
  • 183.59.114.20.in-addr.arpa     IN PTR    response carried no PTR record
  • 241.42.69.40.in-addr.arpa      IN PTR    response carried no PTR record
  • 0.205.248.87.in-addr.arpa      IN PTR    https-87-248-205-0.lgw.llnw.net
  • 29.243.111.52.in-addr.arpa     IN PTR    response carried no PTR record

  The report attributes no process to these PTR lookups. The two that resolved point at Akamai and Limelight CDN nodes and the remaining addresses fall in Microsoft and Edgecast ranges, which is the traffic a Windows 10 image generates on its own; treat them as likely sandbox background noise rather than as indicators of the sample. The only connection the report ties to the sample is the one made by mstwain32.exe in the connection list.
  Connections (remote address, process or query, bytes sent / bytes received, packets sent / packets received)

  • 5.46.52.98:15963    mstwain32.exe                     260 B / none    5 / none
  • 5.46.52.98:15963    mstwain32.exe                     260 B / none    5 / none
  • 5.46.52.98:15963    mstwain32.exe                     260 B / none    5 / none
  • 5.46.52.98:15963    mstwain32.exe                     260 B / none    5 / none
  • 5.46.52.98:15963    mstwain32.exe                     260 B / none    5 / none
  • 5.46.52.98:15963    mstwain32.exe                     260 B / none    5 / none
  • 5.46.52.98:15963    mstwain32.exe                     260 B / none    5 / none
  • 5.46.52.98:15963    mstwain32.exe                     260 B / none    5 / none
  • 5.46.52.98:15963    mstwain32.exe                     260 B / none    5 / none
  • 5.46.52.98:15963    mstwain32.exe                     260 B / none    5 / none
  • 5.46.52.98:15963    mstwain32.exe                     260 B / none    5 / none
  • 5.46.52.98:15963    mstwain32.exe                     260 B / none    5 / none
  • 5.46.52.98:15963    mstwain32.exe                     260 B / none    5 / none
  • 5.46.52.98:15963    mstwain32.exe                     208 B / none    4 / none
  • 5.46.52.98:15963    mstwain32.exe                     156 B / none    3 / none
  • 8.8.8.8:53          dns 97.17.167.52.in-addr.arpa      71 B / 145 B    1 / 1
  • 8.8.8.8:53          dns 88.210.23.2.in-addr.arpa       70 B / 133 B    1 / 1
  • 8.8.8.8:53          dns 73.31.126.40.in-addr.arpa      71 B / 157 B    1 / 1
  • 8.8.8.8:53          dns 95.221.229.192.in-addr.arpa    73 B / 144 B    1 / 1
  • 8.8.8.8:53          dns 58.55.71.13.in-addr.arpa       70 B / 144 B    1 / 1
  • 8.8.8.8:53          dns 154.239.44.20.in-addr.arpa     72 B / 158 B    1 / 1
  • 8.8.8.8:53          dns 183.59.114.20.in-addr.arpa     72 B / 158 B    1 / 1
  • 8.8.8.8:53          dns 241.42.69.40.in-addr.arpa      71 B / 145 B    1 / 1
  • 8.8.8.8:53          dns 0.205.248.87.in-addr.arpa      71 B / 116 B    1 / 1
  • 8.8.8.8:53          dns 29.243.111.52.in-addr.arpa     72 B / 158 B    1 / 1

  Note on the 5.46.52.98:15963 entries: mstwain32.exe made fifteen separate connection attempts to this address and port, and the report records nothing coming back on any of them. Every attempt works out to 52 B per packet (260 B / 5, 208 B / 4, 156 B / 3), which is the size of a TCP SYN from a Windows host (20 B IPv4 header, 20 B TCP header, 12 B of options), so these are most likely unanswered SYN retransmissions: the remote host was not responding during the run, no handshake completed, and no second-stage download or C2 exchange was captured. 5.46.52.98:15963 remains the one network indicator the report ties to the sample; the missing response only means this run did not observe what that endpoint serves.

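To turn the connection list into a network detection, here is an added example that is not from the report or the sandbox vendor. It reads constructed Zeek conn.log records in JSON form (the three S0 records reproduce the report's 260 B / 5, 208 B / 4 and 156 B / 3 attempts; the internal source address 10.0.0.5, the timestamps, the two benign records and the Suricata SID are invented, while the field names are Zeek's standard conn.log ones) and flags both the exact indicator 5.46.52.98:15963 and the generic pattern behind it: repeated one-sided TCP attempts with no reply whose bytes divide evenly into SYN-sized packets, which tells you the endpoint was dead rather than that the sample spoke to it.

```python
"""Added example: match the report's C2 indicator and the unanswered-SYN
pattern in Zeek conn.log records. Not part of the sandbox report."""

import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Indicator from the report: the only remote endpoint tied to mstwain32.exe.
C2_IOC: Tuple[str, int] = ("5.46.52.98", 15963)

# Constructed conn.log lines (Zeek JSON output). The three S0 records
# reproduce the report's per-attempt byte and packet counts; the source
# address, timestamps and the two benign records are invented.
SAMPLE_CONN_LOG = """
{"ts": 1727477400.1, "id.orig_h": "10.0.0.5", "id.orig_p": 49712, "id.resp_h": "5.46.52.98", "id.resp_p": 15963, "proto": "tcp", "conn_state": "S0", "orig_pkts": 5, "orig_ip_bytes": 260, "resp_pkts": 0, "resp_ip_bytes": 0}
{"ts": 1727477425.4, "id.orig_h": "10.0.0.5", "id.orig_p": 49713, "id.resp_h": "5.46.52.98", "id.resp_p": 15963, "proto": "tcp", "conn_state": "S0", "orig_pkts": 4, "orig_ip_bytes": 208, "resp_pkts": 0, "resp_ip_bytes": 0}
{"ts": 1727477450.9, "id.orig_h": "10.0.0.5", "id.orig_p": 49714, "id.resp_h": "5.46.52.98", "id.resp_p": 15963, "proto": "tcp", "conn_state": "S0", "orig_pkts": 3, "orig_ip_bytes": 156, "resp_pkts": 0, "resp_ip_bytes": 0}
{"ts": 1727477401.0, "id.orig_h": "10.0.0.5", "id.orig_p": 53211, "id.resp_h": "8.8.8.8", "id.resp_p": 53, "proto": "udp", "conn_state": "SF", "orig_pkts": 1, "orig_ip_bytes": 71, "resp_pkts": 1, "resp_ip_bytes": 145}
{"ts": 1727477402.0, "id.orig_h": "10.0.0.5", "id.orig_p": 49715, "id.resp_h": "2.23.210.88", "id.resp_p": 443, "proto": "tcp", "conn_state": "SF", "orig_pkts": 12, "orig_ip_bytes": 1520, "resp_pkts": 10, "resp_ip_bytes": 6400}
"""

# On-the-wire size of a SYN from a Windows host: 20 B IPv4 + 20 B TCP + 12 B options.
WINDOWS_SYN_BYTES = 52


def parse_conn_log(text: str) -> List[Dict]:
    """One JSON object per non-empty line, as Zeek writes with the JSON writer."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def match_c2(records: List[Dict], ioc: Tuple[str, int] = C2_IOC) -> List[Dict]:
    """Exact-match the known indicator on responder host and port."""
    host, port = ioc
    return [r for r in records if r["id.resp_h"] == host and r["id.resp_p"] == port]


def unanswered_tcp_attempts(records: List[Dict],
                            min_attempts: int = 3) -> Dict[Tuple[str, str, int], Dict[str, float]]:
    """Group S0 (SYN seen, no reply) TCP records per (src, dst, port) and keep
    groups with at least `min_attempts` attempts. Also reports the average
    bytes per packet and whether it matches a bare SYN, which separates a
    dead endpoint from one that answered and then went quiet."""
    groups = defaultdict(lambda: {"attempts": 0, "pkts": 0, "bytes": 0})
    for r in records:
        if r["proto"] != "tcp" or r["conn_state"] != "S0" or r["resp_pkts"] != 0:
            continue
        g = groups[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])]
        g["attempts"] += 1
        g["pkts"] += r["orig_pkts"]
        g["bytes"] += r["orig_ip_bytes"]
    result = {}
    for key, g in groups.items():
        if g["attempts"] < min_attempts:
            continue
        avg = g["bytes"] / g["pkts"]
        result[key] = {**g, "avg_pkt_bytes": avg, "syn_only": avg == WINDOWS_SYN_BYTES}
    return result


def suricata_rule(ioc: Tuple[str, int] = C2_IOC, sid: int = 9000001) -> str:
    """Render the indicator as a Suricata rule; the SID is a placeholder."""
    host, port = ioc
    return (f'alert tcp $HOME_NET any -> {host} {port} '
            f'(msg:"Outbound to {host}:{port} (mstwain32.exe / ModiLoader sample IoC)"; '
            f'flow:to_server; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    print(f"{len(match_c2(recs))} record(s) hit {C2_IOC[0]}:{C2_IOC[1]}")
    for key, g in unanswered_tcp_attempts(recs).items():
        print(key, g)
    print(suricata_rule())
```

The S0 grouping is the part worth keeping beyond this sample: a loader whose hard-coded server is down still leaves the same SYN-only signature, and the `syn_only` flag tells the analyst there was no payload to recover from the capture before they spend time looking for one.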
MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\cmsetac.dll
    Filesize
    33KB
    MD5
    0c95d9345ee91003ed476c19ac48c579
    SHA1
    aceadd33e0eca1d032b8a94fe6db6cf42c0ebdc6
    SHA256
    46b5bb3a1ade260ef9f904eaadf31d4765a9c842bc1b9a7a952b62ce4bf303c6
    SHA512
    bdf695d64572f246b7ef9a19472787131318c9eef77a7b8e408975c9a3d041d16c22b11be864149cb5dec83df61bc567cd0d6f0857016a88c1bae5cab16e1089
  • C:\Windows\mstwain32.exe
    Filesize
    228KB
    MD5
    fb0bb360d584db7f5957950c92f9a891
    SHA1
    8a4bb3d44723c985a9159af5e571bc07e8e8f7fe
    SHA256
    70a668f140a46c053452815ea1376b7eaadec8a442f02e8173d0e3b6fa304072
    SHA512
    62e450de71755b54af3460950eef429d2cd6a2db94a951e2e8113267c526b92a53ca5d530e65d08257a2f1bc4479362c229804aa9c138228e58a1cbf52128af1
    Same size and same MD5, SHA1, SHA256 and SHA512 as the submitted sample: PID 8, the stage the process tree credits with "Drops file in Windows directory", writes a byte-for-byte copy of the original executable to C:\Windows\mstwain32.exe and launches it from there, so the file-hash indicator for the drop is the sample's own hash.
  • C:\Windows\ntdtcstp.dll
    Filesize
    7KB
    MD5
    67587e25a971a141628d7f07bd40ffa0
    SHA1
    76fcd014539a3bb247cc0b761225f68bd6055f6b
    SHA256
    e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
    SHA512
    6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

  • memory/8-3-0x0000000000400000-0x0000000000450000-memory.dmp
    320KB
  • memory/8-5-0x0000000000400000-0x0000000000450000-memory.dmp
    320KB
  • memory/8-4-0x0000000000400000-0x0000000000450000-memory.dmp
    320KB
  • memory/8-14-0x0000000000A20000-0x0000000000A21000-memory.dmp
    4KB
  • memory/8-0-0x0000000000400000-0x0000000000450000-memory.dmp
    320KB
  • memory/2824-19-0x0000000010000000-0x0000000010023000-memory.dmp
    140KB
  • memory/4368-22-0x0000000000400000-0x0000000000450000-memory.dmp
    320KB
  • memory/4368-20-0x0000000000400000-0x0000000000450000-memory.dmp
    320KB
  • memory/4368-21-0x0000000000400000-0x0000000000450000-memory.dmp
    320KB
  • memory/4368-23-0x0000000000400000-0x0000000000450000-memory.dmp
    320KB
  • memory/4368-30-0x00000000005A0000-0x00000000005A1000-memory.dmp
    4KB
  • memory/4368-34-0x00000000030E0000-0x00000000030EE000-memory.dmp
    56KB
  • memory/4368-36-0x0000000002F90000-0x0000000002F91000-memory.dmp
    4KB
  • memory/4368-37-0x00000000007F0000-0x00000000007F8000-memory.dmp
    32KB
  • memory/4368-38-0x00000000030E0000-0x00000000030EE000-memory.dmp
    56KB
  • memory/5100-1-0x0000000010000000-0x0000000010023000-memory.dmp
    140KB

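The dump names encode the PID, a dump ordinal and the virtual address range, which is enough to cross-reference regions between processes before opening a single file. The following is an added example, not code from the report or the sandbox vendor: it parses the names listed above (embedded as input copied from this section, with the stated sizes), checks that each stated size equals end minus start, and groups identical ranges across PIDs. On this report that pairs the 0x400000 region (the default image base of a 32-bit executable) of the two child processes 8 and 4368 with each other, and the 0x10000000 region of the two parents that wrote into them, 5100 and 2824, so one unpacked copy of each is enough to analyse.

```python
"""Added example: parse the sandbox's memory-dump names, validate the
stated sizes and correlate address ranges across PIDs. Not part of the
sandbox report."""

import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Input copied from the Downloads section above: (dump name, stated size).
DUMPS: List[Tuple[str, str]] = [
    ("memory/8-3-0x0000000000400000-0x0000000000450000-memory.dmp", "320KB"),
    ("memory/8-5-0x0000000000400000-0x0000000000450000-memory.dmp", "320KB"),
    ("memory/8-4-0x0000000000400000-0x0000000000450000-memory.dmp", "320KB"),
    ("memory/8-14-0x0000000000A20000-0x0000000000A21000-memory.dmp", "4KB"),
    ("memory/8-0-0x0000000000400000-0x0000000000450000-memory.dmp", "320KB"),
    ("memory/2824-19-0x0000000010000000-0x0000000010023000-memory.dmp", "140KB"),
    ("memory/4368-22-0x0000000000400000-0x0000000000450000-memory.dmp", "320KB"),
    ("memory/4368-20-0x0000000000400000-0x0000000000450000-memory.dmp", "320KB"),
    ("memory/4368-21-0x0000000000400000-0x0000000000450000-memory.dmp", "320KB"),
    ("memory/4368-23-0x0000000000400000-0x0000000000450000-memory.dmp", "320KB"),
    ("memory/4368-30-0x00000000005A0000-0x00000000005A1000-memory.dmp", "4KB"),
    ("memory/4368-34-0x00000000030E0000-0x00000000030EE000-memory.dmp", "56KB"),
    ("memory/4368-36-0x0000000002F90000-0x0000000002F91000-memory.dmp", "4KB"),
    ("memory/4368-37-0x00000000007F0000-0x00000000007F8000-memory.dmp", "32KB"),
    ("memory/4368-38-0x00000000030E0000-0x00000000030EE000-memory.dmp", "56KB"),
    ("memory/5100-1-0x0000000010000000-0x0000000010023000-memory.dmp", "140KB"),
]

# memory/<pid>-<ordinal>-0x<start>-0x<end>-memory.dmp
NAME_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


class Dump(NamedTuple):
    pid: int
    ordinal: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> Dump:
    """Split a dump name into its fields; rejects names that do not fit."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    pid, ordinal, start, end = m.groups()
    d = Dump(int(pid), int(ordinal), int(start, 16), int(end, 16))
    if d.end <= d.start:
        raise ValueError(f"empty or inverted range in {name}")
    return d


def size_matches(d: Dump, stated: str) -> bool:
    """The report states sizes as whole KB; the ranges here are page-aligned,
    so an exact comparison is appropriate."""
    return stated.endswith("KB") and d.size == int(stated[:-2]) * 1024


def shared_regions(dumps: List[Dump]) -> Dict[Tuple[int, int], Set[int]]:
    """Address ranges that appear in more than one PID. The same range in
    two processes of a hollowing chain is the same mapped image, so one
    unpacked copy is usually enough to analyse."""
    by_range: Dict[Tuple[int, int], Set[int]] = defaultdict(set)
    for d in dumps:
        by_range[(d.start, d.end)].add(d.pid)
    return {k: v for k, v in by_range.items() if len(v) > 1}


def check_all(entries: List[Tuple[str, str]] = DUMPS) -> Dict[str, object]:
    """Parse every entry, list size mismatches and the cross-PID regions."""
    dumps = [parse_dump_name(n) for n, _ in entries]
    mismatched = [n for (n, s), d in zip(entries, dumps) if not size_matches(d, s)]
    return {
        "dumps": dumps,
        "size_mismatches": mismatched,
        "shared_regions": shared_regions(dumps),
    }


if __name__ == "__main__":
    report = check_all()
    print("size mismatches:", report["size_mismatches"])
    for (start, end), pids in sorted(report["shared_regions"].items()):
        print(f"0x{start:08X}-0x{end:08X} ({(end - start) // 1024} KB) in PIDs {sorted(pids)}")
```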