Overview

overview

10

Static

static

3

0098a6f7ff...18.exe

windows7-x64

10

0098a6f7ff...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-09-2024 09:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0098a6f7ff6d4fec1dd68c5490a832c6_JaffaCakes118.exe

  • Size

    363KB

  • MD5

    0098a6f7ff6d4fec1dd68c5490a832c6

  • SHA1

    df77f212a2015b9bf7f731731bf97c2a3e9ff325

  • SHA256

    31ddf76a482627ed6a16f2032e997ddc79621dd58de747ca2a1f5f730b8a1668

  • SHA512

    ce80d0baf8270b0ef5e68c85e36881c82475a7756590b7e8191f3890480508b4d7374eee9a950b4b7dbd653fd56e959ea50bcaf0eb98b66a2ded97469df8fcb1

  • SSDEEP

    6144:0e2N0dOCGzogTKULqOxmdK4ylktToPHVuIQHQeq2zhF9vCzsXZokGE:0e2N0drW3THLHmI4gkG9u5HTZZL

Score
10/10
modiloaderdiscoveryevasionexecutionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
    evasion
  • ModiLoader Second Stage 46 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0098a6f7ff6d4fec1dd68c5490a832c6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0098a6f7ff6d4fec1dd68c5490a832c6_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Users\Admin\AppData\Local\Temp\0098a6f7ff6d4fec1dd68c5490a832c6_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0098a6f7ff6d4fec1dd68c5490a832c6_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2792
  • C:\Windows\system32\mshta.exe
    "C:\Windows\system32\mshta.exe" javascript:IT4taI="PXO";l5R=new%20ActiveXObject("WScript.Shell");z5F8wl="NT8lxS";V76xrA=l5R.RegRead("HKCU\\software\\69mIxez6\\bXXeUr");Qi8BbBKF="8W6l";eval(V76xrA);I76MtbK="vXZEHpj";
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:hmhqefk
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1220
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe
        3⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VirtualBox drivers on disk
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Deletes itself
        • Drops startup file
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2176
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\SysWOW64\regsvr32.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1784

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\d18b531\25f9d46.bat
    Filesize

    64B

    MD5

    5631af3676bc4d1af919fc749402b47d

    SHA1

    a18273b2398d4fa429814800fcefe1112063e1c8

    SHA256

    01eb69b1bf623b7c28230dd38538a5fe33a20becea260697224fd56d85707679

    SHA512

    0cd9fa32d30b8758bf915f1b94a81cc7f311c92e6f365bcd2b0e1a56c55bdebaa6e65fecf703d33f824aeedc6df0d87be4e7ff3001c0e054ed6ce14ef2840d3a

    Download Submit

  • C:\Users\Admin\AppData\Local\d18b531\a17f468.lnk
    Filesize

    889B

    MD5

    9f3e76410b9fdeb577f49c17bb03f415

    SHA1

    416804d79c550f600a919517966ab549276c6e82

    SHA256

    5d737f685c4cee83f7407f500d82700e0cf7a9b8e0bbfcd78844d1ffef569cc8

    SHA512

    5101245b7c31ab66f71bf4b66129cb1479d74157ca7c3b8e12237b1365713ee87e47d8fe7a6a4ab474e0fef41e37fbf43b100f9432846fb1a74d9c71a14f447a

    Download Submit

  • C:\Users\Admin\AppData\Local\d18b531\ccb4c4f.7cdd11ba
    Filesize

    4KB

    MD5

    b1484ed2115aef774d3502f468827c2e

    SHA1

    6b27704446a6946817d69b1ce03369e8e04c9eae

    SHA256

    69fc400ab39d3b22489fcc0cd4a86d781c7823f6cf566d759b4f2613f2847ebc

    SHA512

    9f2029143d667a21d4f3fe124d55ebead3d96c7fcd2ca7b5b01b9b3fd6d4bc16799ca34b58a7a757de4d2d3709766d3a825bd4c61d0ac74c7d8d1ab71f08ec25

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0d5b0e3.lnk
    Filesize

    997B

    MD5

    793331deb73c57e8a915a78c7f42afc6

    SHA1

    372ad9e1704e093592b3bb4ec2b299ba903749e9

    SHA256

    e24995f6b4c6f3c211c4e2ee338ccf9e05a9891f4fc18e025e74a05cbb8ae1d8

    SHA512

    37a33fbae49a41edbd8af7c8f10cc69fca675627749cd297ae3dce73d6751c57b74a00761bf890a21a0b5ec47e133bf61376575309de2bdb7a6d78706c98e051

    Download Submit

  • C:\Users\Admin\AppData\Roaming\c17869e\932c552.7cdd11ba
    Filesize

    25KB

    MD5

    db12b1b15d1ab609fc400d58e8332141

    SHA1

    a2298a3889b8f6ac941fd1ea940acac5fb8d6aa4

    SHA256

    e4c91e3726514d347efd1334e624a661ba1e6d9245f3bd88e8c9ef2d0d8cbc0f

    SHA512

    54b3750fc8a67532a7fa943d3cbf67bdd7041412b12371e61729bcf6ef9bddd44a5ff4cecedfe6d19f005823bb66bd8677ba5ed92106e419f932f3067295443d

    Download Submit

  • memory/1220-38-0x00000000060D0000-0x00000000061AA000-memory.dmp

    Filesize

    872KB

    Download

  • memory/1220-42-0x00000000060D0000-0x00000000061AA000-memory.dmp

    Filesize

    872KB

    Download

  • memory/1220-41-0x0000000002C90000-0x0000000004C90000-memory.dmp

    Filesize

    32.0MB

    Download

  • memory/2176-50-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-60-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-43-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-44-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-45-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-46-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-47-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-48-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-49-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-51-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-52-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-53-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-39-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-40-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-70-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-69-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-68-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-67-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-66-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-65-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-64-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-63-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-62-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-54-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-55-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-59-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-58-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-57-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2176-56-0x00000000002A0000-0x00000000003E7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2764-0-0x000000000040A000-0x000000000040B000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2764-1-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2792-13-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2792-27-0x0000000001DA0000-0x0000000001E7A000-memory.dmp

    Filesize

    872KB

    Download

  • memory/2792-30-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2792-25-0x0000000001DA0000-0x0000000001E7A000-memory.dmp

    Filesize

    872KB

    Download

  • memory/2792-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2792-19-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2792-16-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2792-9-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2792-26-0x0000000001DA0000-0x0000000001E7A000-memory.dmp

    Filesize

    872KB

    Download

  • memory/2792-32-0x0000000001DA0000-0x0000000001E7A000-memory.dmp

    Filesize

    872KB

    Download

  • memory/2792-28-0x0000000001DA0000-0x0000000001E7A000-memory.dmp

    Filesize

    872KB

    Download

  • memory/2792-31-0x0000000001DA0000-0x0000000001E7A000-memory.dmp

    Filesize

    872KB

    Download

  • memory/2792-29-0x0000000001DA0000-0x0000000001E7A000-memory.dmp

    Filesize

    872KB

    Download

  • memory/2792-24-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2792-4-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2792-2-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2792-7-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download