Overview

overview

10

Static

static

3

ffcf4ba76c...18.exe

windows7-x64

10

ffcf4ba76c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-09-2024 02:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ffcf4ba76c6b1ad0072dd5085c9a935e_JaffaCakes118.exe

  • Size

    473KB

  • MD5

    ffcf4ba76c6b1ad0072dd5085c9a935e

  • SHA1

    3c43e4654473760a4dff670336699197fb5e9bbc

  • SHA256

    1668be8bc8a8eed61f766c3f5b6b0f504a41013a6511a18c7b974297917f6a82

  • SHA512

    99dcbd98a3401de3d406d11311b3d3f64de80f408ce40ffef1a57e508e2cc97b8f78b1a932d9a38ebdc618651e983bce315ce37d567ca97dd89e5fa973763b4e

  • SSDEEP

    6144:ezuHkfxCH5YG3CT0+tHCIqksFbtD2qy4xQ/SS4BWv/fmse0fn+22EJeY1oL9OILc:dHkk3L+RCI1sqqyQ+SVWese0JqOABfe

Score
10/10
modiloaderdiscoverytrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 12 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 28 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ffcf4ba76c6b1ad0072dd5085c9a935e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ffcf4ba76c6b1ad0072dd5085c9a935e_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Program Files\Common Files\Microsoft Shared\MSINFO\matsc.exe
      "C:\Program Files\Common Files\Microsoft Shared\MSINFO\matsc.exe"
      2⤵
      • Executes dropped EXE
      PID:2544
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\DaverDel.bat""
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2700
  • C:\Program Files\Common Files\Microsoft Shared\MSINFO\matsc.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSINFO\matsc.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Common Files\Microsoft Shared\MSInfo\DaverDel.bat
    Filesize

    212B

    MD5

    9851bde8a081e41a9ae8cf22fde94302

    SHA1

    14c67ed02c0f0e8eb6e4b5a96d04f7c01cbf85fe

    SHA256

    6227a934895dc4191496b3f2202d00b89c3661b3cc505b4b195ef6123af80b5a

    SHA512

    a3250b165123b7da2853ada6ba1e3b857f1cc89031e5c36b2c061012c5db9fef13fbda1e15b6128d7e6ef4f1d2be295193580b88d0a927f80d04a6c41cda76b4

    Download Submit

  • \Program Files\Common Files\Microsoft Shared\MSInfo\matsc.exe
    Filesize

    473KB

    MD5

    ffcf4ba76c6b1ad0072dd5085c9a935e

    SHA1

    3c43e4654473760a4dff670336699197fb5e9bbc

    SHA256

    1668be8bc8a8eed61f766c3f5b6b0f504a41013a6511a18c7b974297917f6a82

    SHA512

    99dcbd98a3401de3d406d11311b3d3f64de80f408ce40ffef1a57e508e2cc97b8f78b1a932d9a38ebdc618651e983bce315ce37d567ca97dd89e5fa973763b4e

    Download Submit

  • memory/2100-0-0x0000000000400000-0x00000000004D2B00-memory.dmp

    Filesize

    842KB

    Download

  • memory/2100-12-0x0000000000310000-0x00000000003E3000-memory.dmp

    Filesize

    844KB

    Download

  • memory/2100-10-0x0000000000310000-0x00000000003E3000-memory.dmp

    Filesize

    844KB

    Download

  • memory/2100-26-0x0000000000400000-0x00000000004D2B00-memory.dmp

    Filesize

    842KB

    Download

  • memory/2544-27-0x0000000000400000-0x00000000004D2B00-memory.dmp

    Filesize

    842KB

    Download

  • memory/2544-13-0x0000000000400000-0x00000000004D2B00-memory.dmp

    Filesize

    842KB

    Download

  • memory/2688-15-0x0000000000400000-0x00000000004D2B00-memory.dmp

    Filesize

    842KB

    Download

  • memory/2688-16-0x00000000004E0000-0x000000000058A000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2688-28-0x00000000004E0000-0x000000000058A000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2688-36-0x00000000003B0000-0x00000000003B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2688-38-0x00000000004E0000-0x000000000058A000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2688-39-0x00000000004E0000-0x000000000058A000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2688-40-0x0000000000400000-0x00000000004D2B00-memory.dmp

    Filesize

    842KB

    Download

  • memory/2688-47-0x00000000004E0000-0x000000000058A000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2688-48-0x00000000004E0000-0x000000000058A000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2688-55-0x00000000004E0000-0x000000000058A000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2688-56-0x00000000004E0000-0x000000000058A000-memory.dmp

    Filesize

    680KB

    Download