Overview

overview

10

Static

static

3

a374eb86f8...18.exe

windows7-x64

10

a374eb86f8...18.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    145s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    26/11/2024, 18:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a374eb86f816a5dcd41291a2e4307457_JaffaCakes118.exe

  • Size

    294KB

  • MD5

    a374eb86f816a5dcd41291a2e4307457

  • SHA1

    bf9c10c88f67ca22b98eaffb1803c82ec21d3ae5

  • SHA256

    b16d9faac880abde59ab95a2bfd7def78312cc406e26a0492d6f102b6d30d543

  • SHA512

    e7ef6b068c7ab7fd53a25fad716010d0b9e621a99874c729a67c92cd22ce40caa8c78ce9195b90f2e78a26b230b5e22402aeabcc746bd949738fa8cc1933b8e0

  • SSDEEP

    6144:R+lJ61o/AyIB/wblBPWxCL5bnETdLcXM0kueOu9:IlL/AyIYPWxU5bETdLr0v49

Score
10/10
modiloaderdiscoveryevasiontrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modiloader family
    modiloader
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • ModiLoader Second Stage 16 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\a374eb86f816a5dcd41291a2e4307457_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a374eb86f816a5dcd41291a2e4307457_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
      "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2880
      • C:\Windows\mstwain32.exe
        "C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:996
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2648

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
    Filesize

    270KB

    MD5

    a34bd80619de5fb8dd525e14061d948d

    SHA1

    59ab7be0f94523dae1e549a7e15da7b174f14ab8

    SHA256

    a8956efa9ca6b4a1a6226324527e1559a426b08b89fb323b36fa7fe2268c327f

    SHA512

    aadf361722a96800229ee30bff6b97607a3ff7c1d1ea9d27fb6e7e7df07a14e95791a95b082a8ec7198d546d786219f55b4a8f8ea14e36523c27b1893783f946

    Download Submit

  • memory/996-32-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/996-39-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/996-53-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/996-26-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/996-27-0x0000000010000000-0x000000001000B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/996-28-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/996-30-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/996-51-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/996-49-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/996-34-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/996-37-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/996-41-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/996-43-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/996-45-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/996-47-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1996-12-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1996-0-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2880-22-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

    Download