Overview

overview

10

Static

static

3

8a09be6428...18.exe

windows7-x64

10

8a09be6428...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-11-2024 06:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8a09be642870f11183acc94a1aff3802_JaffaCakes118.exe

  • Size

    2.8MB

  • MD5

    8a09be642870f11183acc94a1aff3802

  • SHA1

    0f27cedbbd0b812e9423ce94f1cf60f98e3091c4

  • SHA256

    14c850d8c8a61c4cd4fee483648c0ef47c875f322623b2e4264fb04d5d29776f

  • SHA512

    aa8e01420ae7ec16cda276c24dd496d4ade837f276196e094ee16417b4ab50798472befb05cad49819f9ceae3370da7ae6a218b2744727ce63e9563d2733523e

  • SSDEEP

    49152:b1dlZon5RIAbMURTnd4fmIjDXSrd/T7eCMXdhTV3jbI+lqvZOEjjTVIhem+ni:b1dl2nHgURTnyffXmNT6XTh4v5jZQEni

Score
10/10
modiloaderdiscoveryevasionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modiloader family
    modiloader
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • ModiLoader Second Stage 25 IoCs
  • Executes dropped EXE 3 IoCs
  • Identifies Wine through registry keys 2 TTPs 3 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\8a09be642870f11183acc94a1aff3802_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\8a09be642870f11183acc94a1aff3802_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1260
        • C:\Extracted\servidor.exe
          "C:\Extracted\servidor.exe"
          3⤵
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2148
          • C:\Windows\mstwain32.exe
            "C:\Windows\mstwain32.exe"
            4⤵
            • UAC bypass
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • System policy modification
            PID:2580
        • C:\Extracted\kill-Firewall.exe
          "C:\Extracted\kill-Firewall.exe"
          3⤵
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1620
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2732

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    3
    T1112

    Virtualization/Sandbox Evasion

    1
    T1497

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Virtualization/Sandbox Evasion

    1
    T1497

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Extracted\kill-Firewall.exe
      Filesize

      1.7MB

      MD5

      c3b6ce9b6321ed326ba36a91699d82e4

      SHA1

      c3d8474dc78e72f58af153821401ec91f2b06a60

      SHA256

      520311924c3014cc2f44f036a233a708a1c64b198016f12be96444d6885e4c1c

      SHA512

      da4bde6bca69b7048d2617af67f93d9452166bc87357f065f2e0ff1fceed71f0d92103b3368aabffc85dbe48d28718c87e5f6db64f28a30b700211fb584d0d88

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sfx.ini
      Filesize

      220B

      MD5

      3c34666e8afa2d781c7a417c47e7c39c

      SHA1

      df4198221e9f9a3f2f26b38ec90a343aff6118ae

      SHA256

      d880592dbed9008820dd7d4121a2c23a7eefbc8800f838fcf1fdaac2fb349393

      SHA512

      7a53c5bc31b7a0b545f4b205883a0fd0ddff57bd9df40788985e6e444fc771f891712ee8e5520afcb98c0d02e83184b51a4270e0d6c1c18c7f54a79bfb40f80e

      Download Submit

    • C:\Windows\cmsetac.dll
      Filesize

      33KB

      MD5

      0693e4b56a258d72bf15ac0179121ebb

      SHA1

      9ba96fd2bb8c590c445aa258826045379698a037

      SHA256

      85035056feabac51292b8b1e1ed0db722d45d469a8cecf6613e7a19e89df6f4d

      SHA512

      d1986e53f39cdc101681aea3c962e3c8d58c00cb91f924ddaeab2aa8e5f8e7b014d2f04d615581344b6b6bfaa795130a54901699c837a855761ec5928375249e

      Download Submit

    • \Extracted\servidor.exe
      Filesize

      1.7MB

      MD5

      fb1141090c3e20c9f176431f2ae6df18

      SHA1

      d6192762240a73fd1163db7d7eab40203b98ec25

      SHA256

      a35e42f9330a4487c24d197d205b4c3c2f7e022cb063eac1db9423ff1919fdb9

      SHA512

      f595fa04ac402fa2d753f8343c1451336da3f1d15d5b6bc29d1943aa5bb5fd80abecd3cfa24dce1a3194643c82a23c09eaa69621161f66ff57bf760478fdf3ba

      Download Submit

    • memory/1192-72-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1192-78-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1260-94-0x0000000003550000-0x00000000036FE000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1260-65-0x0000000003550000-0x00000000036FE000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1260-66-0x00000000003C0000-0x00000000003CE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1260-27-0x0000000003550000-0x0000000003735000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/1260-21-0x0000000003550000-0x0000000003735000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/1260-64-0x00000000003C0000-0x00000000003CE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1260-67-0x0000000003550000-0x00000000036FE000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1620-92-0x0000000000400000-0x00000000005AE000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1620-90-0x0000000010000000-0x0000000010011000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1620-69-0x0000000000400000-0x00000000005AE000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2148-41-0x0000000000400000-0x00000000005E5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2148-29-0x0000000000400000-0x00000000005E5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2148-47-0x00000000050E0000-0x00000000052C5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2148-48-0x0000000000400000-0x00000000005E5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2148-28-0x0000000000401000-0x000000000041C000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2148-42-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2148-34-0x0000000000400000-0x00000000005E5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2148-33-0x0000000000400000-0x00000000005E5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2148-32-0x0000000000400000-0x00000000005E5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2148-31-0x0000000000400000-0x00000000005E5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2148-30-0x0000000000400000-0x00000000005E5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2580-97-0x0000000004690000-0x000000000469E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2580-107-0x0000000000400000-0x00000000005E5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2580-49-0x0000000000400000-0x00000000005E5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2580-95-0x0000000000400000-0x00000000005E5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2580-55-0x0000000004690000-0x000000000469E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2580-96-0x0000000004410000-0x0000000004418000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2580-98-0x0000000000400000-0x00000000005E5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2580-101-0x0000000000400000-0x00000000005E5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2580-104-0x0000000000400000-0x00000000005E5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2580-93-0x0000000000400000-0x00000000005E5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2580-111-0x0000000000400000-0x00000000005E5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2580-114-0x0000000000400000-0x00000000005E5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2580-117-0x0000000000400000-0x00000000005E5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2580-120-0x0000000000400000-0x00000000005E5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2580-123-0x0000000000400000-0x00000000005E5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2580-126-0x0000000000400000-0x00000000005E5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2580-129-0x0000000000400000-0x00000000005E5000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2580-132-0x0000000000400000-0x00000000005E5000-memory.dmp

      Filesize

      1.9MB

      Download