Overview

overview

10

Static

static

10

aed102da6d...18.exe

windows7-x64

10

aed102da6d...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/11/2024, 04:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aed102da6d198bdcc72dc12c73c5e77a_JaffaCakes118.exe

  • Size

    21KB

  • MD5

    aed102da6d198bdcc72dc12c73c5e77a

  • SHA1

    8c778e12d2becb88f803e7e8799e967f5e32fe54

  • SHA256

    deb20810e8e3bd5d5b5a8ac06bf805ba48498b78d12c1119cfdb16ee185d1901

  • SHA512

    19ec2ab084e541d2a0feebffc6252d8324dd9ebf2aab08554a3e973a7d94d7b9023b931fbd902f0acaf8c1f0ee6e3e1360d772f3acaf8d64c7000c5c4d316abb

  • SSDEEP

    384:+JEunqcFxpLszA1JUrPSNLg13uD8V9tABaSS7lU:7unqAxpLszA1+SRgY8V71SSe

Score
10/10
modiloaderdiscoverypersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modiloader family
    modiloader
  • ModiLoader Second Stage 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aed102da6d198bdcc72dc12c73c5e77a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\aed102da6d198bdcc72dc12c73c5e77a_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\system32\Wincfg.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5064
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" TYPE NUL "
        3⤵
          PID:4884

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Wincfg.bat
      Filesize

      166B

      MD5

      fe3ddc5bf12999076d5578e0fc98c149

      SHA1

      cc8e77d656a12a723a11b8c6eabb9cf832b6b91f

      SHA256

      3be2abf7ec6c9f2af6a1fa150101d43c298fb2d5aaa6e7ec35afe62a4b2a5d6b

      SHA512

      3972da0a56eda9905f9850e17f7dcfaf16b55041077acc6c05313eb1c25a709158e724f69cb636fdb7516c5603f14a8b36b5b7ef90a965990fdf39f0dcf3d981

      Download Submit

    • C:\Windows\SysWOW64\file.txt
      Filesize

      301B

      MD5

      725d64eb22e2892143b6eb823af38eab

      SHA1

      b86ccdcffecbe029848fe6fd96029784aabd3e69

      SHA256

      77ef4c118d66c572cfd91792644fd7ed8b4aa73705167cedad65fadd7147603e

      SHA512

      ca7d70b9c8b68c483146c1449ff1d674d48dc991cdef9599c75a0f0dc93b5b5145bdcb992ee6051ff3d4a7a9d09843a1b84bcdf52bd348df84791c47caeca2ae

      Download Submit

    • memory/2908-8-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

      Download