Overview

overview

10

Static

static

3

9e20a516f7...18.exe

windows7-x64

10

9e20a516f7...18.exe

windows10-2004-x64

10

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

contact.html

windows7-x64

3

contact.html

windows10-2004-x64

3

privacy_policy.html

windows7-x64

3

privacy_policy.html

windows10-2004-x64

3

uninstall.exe

windows7-x64

7

uninstall.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25/11/2024, 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9e20a516f7cc4eaecffcc0808b50fb64_JaffaCakes118.exe

  • Size

    314KB

  • MD5

    9e20a516f7cc4eaecffcc0808b50fb64

  • SHA1

    1681838951cffa50dbb5c61bb686ecc424b24a94

  • SHA256

    03d596c4e2ec8536abb673e0629fc31d4c5df8863f378a1372546cd8cae7caf8

  • SHA512

    c0a5d56faa997cca2536031e0a1ce56ac0b9bb926b8e65f7e2209097453845058249e515f9a9d89fc873173af22bb916382cb3516317efea4d253cfd7a5a2776

  • SSDEEP

    6144:TB+pgUmaidOrFsPlz67WoiAoMYC/yc2MbsLQcSQj2qzZyc76K:TgOaoyuPlzo3i7/QyfI+QRc7X

Score
10/10
modiloaderdiscoveryevasionexecutionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modiloader family
    modiloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
    evasion
  • ModiLoader Second Stage 57 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e20a516f7cc4eaecffcc0808b50fb64_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9e20a516f7cc4eaecffcc0808b50fb64_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of UnmapMainImage
    PID:2728
  • C:\Windows\system32\mshta.exe
    "C:\Windows\system32\mshta.exe" javascript:QxH4J="7bi";s34h=new%20ActiveXObject("WScript.Shell");mj71Smo="Zqc0";Fth16V=s34h.RegRead("HKCU\\software\\wgld5pj\\OlySTM");DN9ReMBG="K";eval(Fth16V);lnv83C="KIlkXH8x";
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:pqnsetmk
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:484
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe
        3⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VirtualBox drivers on disk
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Deletes itself
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2496
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\SysWOW64\regsvr32.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1932

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\contact.php
    Filesize

    319B

    MD5

    48b7875eddf3913382a3c299e84a27f1

    SHA1

    6a05bcea4829a70ce0e1c105d0568ac5031d3e89

    SHA256

    88332868551ed40475c1d8b88613910b60773ccb5760083b2037c55a21c002f5

    SHA512

    d5b3a2f141d07242f9b6fdb71d77b821df76edb9677a2992ddfd16f242afc9df12ce5ae0dbd4c029d1c9dd7dc92b4069467c0ee4816c61e1693c46a8857d4a04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\privacy_policy.php
    Filesize

    3KB

    MD5

    dab2f129c75c2369479d341a4f754e52

    SHA1

    b88958b6379579bd380661ed83625114a41c1a5b

    SHA256

    136ac48f0f2c86d9ba706455349703f76b9097271e8c61c94efa00a882ffc985

    SHA512

    63058fd68daf8f02b4e0d7dea32ce8fb9fd456188878ebbe626bc354a394a8ca16f7aec2617d585e6e799801058775c29c6c08891fa77b05de857d409762e87e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsy5DFA.tmp\System.dll
    Filesize

    11KB

    MD5

    a4dd044bcd94e9b3370ccf095b31f896

    SHA1

    17c78201323ab2095bc53184aa8267c9187d5173

    SHA256

    2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

    SHA512

    87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

    Download Submit

  • memory/484-42-0x0000000006180000-0x000000000625A000-memory.dmp

    Filesize

    872KB

    Download

  • memory/484-46-0x0000000006180000-0x000000000625A000-memory.dmp

    Filesize

    872KB

    Download

  • memory/1932-99-0x0000000000190000-0x00000000002D7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1932-97-0x0000000000190000-0x00000000002D7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1932-98-0x0000000000190000-0x00000000002D7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1932-96-0x0000000000190000-0x00000000002D7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1932-100-0x0000000000190000-0x00000000002D7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1932-101-0x0000000000190000-0x00000000002D7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1932-102-0x0000000000190000-0x00000000002D7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1932-103-0x0000000000190000-0x00000000002D7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1932-93-0x0000000000190000-0x00000000002D7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1932-95-0x0000000000190000-0x00000000002D7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1932-94-0x0000000000190000-0x00000000002D7000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-43-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-66-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-50-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-53-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-52-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-51-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-54-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-49-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-48-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-47-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-67-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-55-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-76-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-80-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-79-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-78-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-77-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-75-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-74-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-56-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-57-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-69-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-68-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-44-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-65-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-64-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-63-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-62-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-61-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-58-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-59-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2496-60-0x00000000001D0000-0x0000000000317000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2728-22-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2728-92-0x00000000035C0000-0x000000000369A000-memory.dmp

    Filesize

    872KB

    Download

  • memory/2728-34-0x00000000035C0000-0x000000000369A000-memory.dmp

    Filesize

    872KB

    Download

  • memory/2728-30-0x00000000035C0000-0x000000000369A000-memory.dmp

    Filesize

    872KB

    Download

  • memory/2728-29-0x00000000035C0000-0x000000000369A000-memory.dmp

    Filesize

    872KB

    Download

  • memory/2728-28-0x00000000035C0000-0x000000000369A000-memory.dmp

    Filesize

    872KB

    Download

  • memory/2728-31-0x00000000035C0000-0x000000000369A000-memory.dmp

    Filesize

    872KB

    Download

  • memory/2728-32-0x00000000035C0000-0x000000000369A000-memory.dmp

    Filesize

    872KB

    Download

  • memory/2728-33-0x00000000035C0000-0x000000000369A000-memory.dmp

    Filesize

    872KB

    Download

  • memory/2728-35-0x00000000035C0000-0x000000000369A000-memory.dmp

    Filesize

    872KB

    Download

  • memory/2728-38-0x0000000001D50000-0x0000000001D8B000-memory.dmp

    Filesize

    236KB

    Download

  • memory/2728-91-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2728-20-0x0000000001D50000-0x0000000001D8B000-memory.dmp

    Filesize

    236KB

    Download

  • memory/2728-39-0x00000000035C0000-0x000000000369A000-memory.dmp

    Filesize

    872KB

    Download