Overview

overview

10

Static

static

3

ffe3194bdc...18.exe

windows7-x64

10

ffe3194bdc...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    30-09-2024 03:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ffe3194bdc9786ac76fa254d65189a90_JaffaCakes118.exe

  • Size

    653KB

  • MD5

    ffe3194bdc9786ac76fa254d65189a90

  • SHA1

    ecd4287e5337196d456fadff2c1c2571d5037574

  • SHA256

    3ff2f2423c010fcc91f629417f45dbfe61cbc40f4f993ec93af1e65ad691513c

  • SHA512

    34c839cc07f8b75b756f702446c91e91f847e6deb4f01baf7e75b3ebf2d28e0c58dd0e374be3f6ce4838b7cc4f2836f3a113c45de0435649db4026555258aa71

  • SSDEEP

    12288:DfpN+hvj4sDvARQZuwWVEn6ZKicqV3MexrokA7A8w2VCokuCdy2:DhNyvjdDlGynDa8e9okx8w2so/z2

Score
10/10
modiloaderdiscoverytrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 5 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ffe3194bdc9786ac76fa254d65189a90_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ffe3194bdc9786ac76fa254d65189a90_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
      "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\SysWOW64\calc.exe
        "C:\Windows\system32\calc.exe"
        3⤵
          PID:808
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 292
          3⤵
          • Loads dropped DLL
          • Program crash
          PID:2588
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\DelSvel.bat""
        2⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2176

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Common Files\Microsoft Shared\MSInfo\DelSvel.bat
      Filesize

      212B

      MD5

      d76d61cddd91c88976760cff4d644a5c

      SHA1

      fdb5e86e65f91d5c71cb7df9700e5cd90373ad6b

      SHA256

      c37d19199e3b0c5996a7621898b8757c0ce943605cab3378f632df57bbc54943

      SHA512

      71521dcdc3c282e3692f268bf810f2cb4ca9800e1213d999571b70b2899396b953e06fa282b5c43c3be4dd026b5a262d635e21b0e93db147e5e192c97587c23e

      Download Submit

    • F:\rejoice101.exe
      Filesize

      653KB

      MD5

      ffe3194bdc9786ac76fa254d65189a90

      SHA1

      ecd4287e5337196d456fadff2c1c2571d5037574

      SHA256

      3ff2f2423c010fcc91f629417f45dbfe61cbc40f4f993ec93af1e65ad691513c

      SHA512

      34c839cc07f8b75b756f702446c91e91f847e6deb4f01baf7e75b3ebf2d28e0c58dd0e374be3f6ce4838b7cc4f2836f3a113c45de0435649db4026555258aa71

      Download Submit

    • memory/808-48-0x0000000000400000-0x0000000000665000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/808-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2184-13-0x00000000038C0000-0x00000000038C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2184-10-0x0000000000800000-0x0000000000801000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2184-3-0x00000000007C0000-0x00000000007C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2184-8-0x00000000007E0000-0x00000000007E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2184-20-0x0000000003900000-0x0000000003901000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2184-30-0x0000000000720000-0x0000000000721000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2184-29-0x00000000038D0000-0x00000000038D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2184-27-0x00000000001E0000-0x00000000001E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2184-6-0x0000000000710000-0x0000000000711000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2184-25-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2184-15-0x00000000039B0000-0x00000000039B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2184-14-0x00000000038B0000-0x00000000038B4000-memory.dmp

      Filesize

      16KB

      Download

    • memory/2184-0-0x0000000000400000-0x0000000000665000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2184-12-0x00000000038B0000-0x00000000039B0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2184-11-0x00000000038B0000-0x00000000039B0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2184-4-0x0000000000730000-0x0000000000731000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2184-9-0x00000000007D0000-0x00000000007D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2184-7-0x0000000000700000-0x0000000000701000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2184-37-0x0000000004BE0000-0x0000000004E45000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2184-38-0x0000000004BE0000-0x0000000004E45000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2184-65-0x0000000000400000-0x0000000000665000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2184-40-0x0000000000400000-0x0000000000665000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2184-5-0x00000000007F0000-0x00000000007F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2184-2-0x0000000000760000-0x00000000007B4000-memory.dmp

      Filesize

      336KB

      Download

    • memory/2184-53-0x0000000000760000-0x00000000007B4000-memory.dmp

      Filesize

      336KB

      Download

    • memory/2184-54-0x00000000038B0000-0x00000000039B0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2184-55-0x00000000038B0000-0x00000000039B0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2184-64-0x0000000000760000-0x00000000007B4000-memory.dmp

      Filesize

      336KB

      Download

    • memory/2184-1-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2892-56-0x0000000000400000-0x0000000000665000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2892-41-0x0000000000400000-0x0000000000665000-memory.dmp

      Filesize

      2.4MB

      Download