Overview

overview

10

Static

static

10

a8665cc4b3...18.exe

windows7-x64

10

a8665cc4b3...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    27/11/2024, 15:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a8665cc4b33e01628e6ecad66af25a66_JaffaCakes118.exe

  • Size

    66KB

  • MD5

    a8665cc4b33e01628e6ecad66af25a66

  • SHA1

    357f4afdd354b4d01182d78dfd902603eb32abd9

  • SHA256

    ce8d4330b4d2b4575169c71287e8f55547dc7c213279fd405744d199616e4a3a

  • SHA512

    046eed3432452203a46861e308120ff6343e7f1ab4f6eee25d4993137c772f00acc20839280128d8d3ace25c4092be068a513366bda6a03a7824c25399cb1f3b

  • SSDEEP

    1536:44WFlsrCnE03afjhpQoHRqZR8vUsoWb2:4fqjfHQoxqLsfoK

Score
10/10
modiloaderdiscoverytrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modiloader family
    modiloader
  • ModiLoader Second Stage 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1228
      • C:\Users\Admin\AppData\Local\Temp\a8665cc4b33e01628e6ecad66af25a66_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\a8665cc4b33e01628e6ecad66af25a66_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2348
        • C:\Users\Admin\AppData\Local\Temp\Server.exe
          "C:\Users\Admin\AppData\Local\Temp\Server.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3028

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\Server.exe
      Filesize

      56KB

      MD5

      8a0d556e3e23e993cd7d2d75b114d7c9

      SHA1

      597ae585b7f449a44514eb45a1848117cf59e40d

      SHA256

      bb96eb4662e9e0765941318f19a0589e60512712298b7f4c1cb18d8b61d70c2e

      SHA512

      c092dfee413b7464f945a753a58966e405c715330f5a9c0a348300afdd75fb2cd133fda24bd4f32844b4819ff40d993bf43804f8dd93c8bc1b4e5e8c332f586b

      Download Submit

    • memory/1228-15-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

      Filesize

      28KB

      Download

    • memory/1228-18-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2348-4-0x0000000002780000-0x0000000002789000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2348-9-0x0000000000400000-0x0000000000418000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3028-11-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/3028-12-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3028-27-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/3028-28-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download