Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    24-11-2024 06:16

General

  • Target

    92fc6765e2551a2ee8d04fc0f555cf5f_JaffaCakes118.exe

  • Size

    480KB

  • MD5

    92fc6765e2551a2ee8d04fc0f555cf5f

  • SHA1

    e01d78c68e15fb40d905c742f11c0d67b32a3eb8

  • SHA256

    5732cf4e7f6b949636c8d448c734b51711aa276ca8108a351908301e05bb432b

  • SHA512

    3a8cce21358aec7499e4df63e70a2c7d98efb742d6f30495b227ec3f6fea3cbce7287993ab58411c130a572342bf0b5b9ae13badfa26636661572b5e28988933

  • SSDEEP

    6144:vb1GWAE410h2yzkcnfktitO6atDfemiAn8nHH9PkU1LjZfn/z8sKwFYu4xtt0tht:TY6nzkcncGO6at/4npz3ZHIsKwZtm

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • ModiLoader Second Stage 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\92fc6765e2551a2ee8d04fc0f555cf5f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\92fc6765e2551a2ee8d04fc0f555cf5f_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2972
    • \??\c:\stailuse.exe
      c:\stailuse.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2516
      • F:\msdownld.tmp\IXP000.TMP\4.exe
        F:\msdownld.tmp\IXP000.TMP\4.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:348
        • C:\Users\Admin\AppData\Local\Temp\3.exe
          "C:\Users\Admin\AppData\Local\Temp\3.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1976
          • C:\program files\internet explorer\IEXPLORE.EXE
            "C:\program files\internet explorer\IEXPLORE.EXE"
            5⤵
              PID:1924
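The process tree above, together with the hashes in the Downloads section, is the part of this report a responder reuses on a live host. The script below is an added example, not part of the sandbox report or of any tool it names: it encodes the report's process chain and dropped-file SHA256 values and runs them over constructed process-creation records in a Sysmon Event ID 1 style (fields `pid`, `ppid`, `image`, `sha256` are an assumption of the example). Only the image paths, PIDs and hashes come from the report; the parent PID 1000, the `notepad.exe` control record and the empty hash for IEXPLORE.EXE are constructed. The `msdownld.tmp\IXPnnn.TMP` layout matched for 4.exe is the extraction directory naming used by IExpress self-extracting packages; the report itself does not state what packer 4.exe is.

```python
"""Added triage helper for the sandbox report above (example code, not the report's own).

Replays the report's process chain and dropped-file hashes against constructed
Sysmon-style process-creation events and reports why each one is interesting.
"""
import re
from typing import Dict, List

# SHA256 values copied from the report's General and Downloads sections.
KNOWN_SHA256: Dict[str, str] = {
    "5732cf4e7f6b949636c8d448c734b51711aa276ca8108a351908301e05bb432b":
        "92fc6765e2551a2ee8d04fc0f555cf5f_JaffaCakes118.exe",
    "a1f9651dda04cbbc41947826a6630bc8bdd1f13d9261399be1b6eec9ee17c865": "stailuse.exe",
    "e0966ac4503a1114299627efe838cfed61f653fa196f01f5ca8e2af0a3073b3b": "4.exe",
    "314139973bbd6991a7e3620706b6a139b37e7aefe2ee3f4c7dd8801ae650cbed": "3.exe",
}

# An executable sitting directly in a drive root (c:\stailuse.exe in the report).
DRIVE_ROOT_EXE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.IGNORECASE)
# msdownld.tmp\IXPnnn.TMP is the extraction directory layout used by IExpress
# self-extracting packages; the report shows 4.exe running from it.
IEXPRESS_DIR = re.compile(r"\\msdownld\.tmp\\ixp\d{3}\.tmp\\", re.IGNORECASE)
USER_TEMP = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)

# Constructed events. Paths, PIDs and hashes are from the report; ppid 1000,
# the empty IEXPLORE.EXE hash and the notepad.exe control record are made up.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 2972, "ppid": 1000, "sha256": "5732cf4e7f6b949636c8d448c734b51711aa276ca8108a351908301e05bb432b",
     "image": r"C:\Users\Admin\AppData\Local\Temp\92fc6765e2551a2ee8d04fc0f555cf5f_JaffaCakes118.exe"},
    {"pid": 2516, "ppid": 2972, "sha256": "a1f9651dda04cbbc41947826a6630bc8bdd1f13d9261399be1b6eec9ee17c865",
     "image": r"c:\stailuse.exe"},
    {"pid": 348, "ppid": 2516, "sha256": "e0966ac4503a1114299627efe838cfed61f653fa196f01f5ca8e2af0a3073b3b",
     "image": r"F:\msdownld.tmp\IXP000.TMP\4.exe"},
    {"pid": 1976, "ppid": 348, "sha256": "314139973bbd6991a7e3620706b6a139b37e7aefe2ee3f4c7dd8801ae650cbed",
     "image": r"C:\Users\Admin\AppData\Local\Temp\3.exe"},
    {"pid": 1924, "ppid": 1976, "sha256": "",
     "image": r"C:\program files\internet explorer\IEXPLORE.EXE"},
    {"pid": 500, "ppid": 1000, "sha256": "0" * 64,
     "image": r"C:\Windows\System32\notepad.exe"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def flag_event(ev: Dict, by_pid: Dict[int, Dict]) -> List[str]:
    """Return the reasons an event is interesting, in a fixed order (empty if none)."""
    reasons: List[str] = []
    name = KNOWN_SHA256.get(ev["sha256"].lower())
    if name:
        reasons.append(f"known_hash:{name}")
    if DRIVE_ROOT_EXE.match(ev["image"]):
        reasons.append("exe_in_drive_root")
    if IEXPRESS_DIR.search(ev["image"]):
        reasons.append("iexpress_extract_dir")
    parent = by_pid.get(ev["ppid"])
    # A binary in the user's Temp directory launching something outside Temp
    # (stailuse.exe and IEXPLORE.EXE in the report). Noisy on its own; useful
    # in combination with the other signals.
    if parent and USER_TEMP.search(parent["image"]) and not USER_TEMP.search(ev["image"]):
        reasons.append("spawned_by_user_temp_binary")
    return reasons


def triage(events: List[Dict]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every event that produced at least one finding."""
    by_pid = {ev["pid"]: ev for ev in events}
    return {ev["pid"]: r for ev in events if (r := flag_event(ev, by_pid))}


def ancestry(events: List[Dict], pid: int) -> List[str]:
    """Walk ppid links from pid upwards until a parent outside the event set."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    findings = triage(SAMPLE_EVENTS)
    for ev in SAMPLE_EVENTS:
        if ev["pid"] in findings:
            print(f"{ev['pid']:>5} {basename(ev['image']):<50} {', '.join(findings[ev['pid']])}")
    print("chain:", " <- ".join(ancestry(SAMPLE_EVENTS, 1924)))
```

Run as-is it prints one line per flagged record and the five-process chain ending in IEXPLORE.EXE; `notepad.exe` produces nothing. The hash lookup is the only exact IoC; the path and parent heuristics are there so the check still fires if the loader is rebuilt with different hashes but the same drop layout.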

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\stailuse.exe

    Filesize

    451KB

    MD5

    acdb53230f26df0c2a160820471edc74

    SHA1

    4f862f11ea5f00a355b9b728b6208c6dc06293d5

    SHA256

    a1f9651dda04cbbc41947826a6630bc8bdd1f13d9261399be1b6eec9ee17c865

    SHA512

    a01bf12c8798d04937d93975ed9d9fc65a2d767bd750062c64693d6f7ddc2ad8936d3d4cd4ef313f9b03bd073cbb7c53b60b3aab917b25eab41424f6782b7dc9

  • F:\msdownld.tmp\IXP000.TMP\4.exe

    Filesize

    684KB

    MD5

    e0b53c768978c933c51d20af043203e7

    SHA1

    e2f8c5127c513d465f55dd27d12e59cf0affed92

    SHA256

    e0966ac4503a1114299627efe838cfed61f653fa196f01f5ca8e2af0a3073b3b

    SHA512

    6c7178648dd7d5d1316f607f23bc70886404837599d1080a8a589c7b5ac45e98fc426394df238a622f94614fc4eb84ebc2d284f0a2d03aa53381bba315042d55

  • \Users\Admin\AppData\Local\Temp\3.exe

    Filesize

    675KB

    MD5

    085b64aa9a82ae8f6fcbcdcf985a4b8f

    SHA1

    a7d3f1094cbd8ae774aabe477ce5135b5e5c873c

    SHA256

    314139973bbd6991a7e3620706b6a139b37e7aefe2ee3f4c7dd8801ae650cbed

    SHA512

    534d1a29746f6ca2ad079dd49d58c8e2b9e551fee911814dedad65189132771b687bc653941047030a97c55130d0d6509d7f1c3b606061567c28c69fdc6bd60e

  • memory/348-26-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/1976-30-0x0000000000400000-0x00000000004BA016-memory.dmp

    Filesize

    744KB