Overview

overview

10

Static

static

3

c8c538d73f...18.exe

windows7-x64

10

c8c538d73f...18.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2024 17:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c8c538d73fb9cf8e6d4da960e0188771_JaffaCakes118.exe

  • Size

    308KB

  • MD5

    c8c538d73fb9cf8e6d4da960e0188771

  • SHA1

    1cd891049a57ad049ed2431ff3f037fd5e895b13

  • SHA256

    3c75a3869dab9ac026d6539e11538b954af4a5b91beb26321ce915bc9580cd6e

  • SHA512

    e1efff867e1c2ef2aa940a0c7995a08ffc3b36acb72c46e0b6c385e6dced4c5911aa008aba10af0d511f0ea5a8c2c6c55462a2f6afd89f7b7dd4f74b95f10d62

  • SSDEEP

    6144:D1wWsAmf6Uj3Bav0xUzgSwnEaY3+2/Pv3yhjTMDy4fX4vxm/tnEUF/L:SVAbMccGcSwnjQ7HAjYy6vF/L

Score
10/10
modiloaderdiscoveryevasionexecutionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modiloader family
    modiloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
    evasion
  • ModiLoader Second Stage 53 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c8c538d73fb9cf8e6d4da960e0188771_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c8c538d73fb9cf8e6d4da960e0188771_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Users\Admin\AppData\Local\Temp\c8c538d73fb9cf8e6d4da960e0188771_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\c8c538d73fb9cf8e6d4da960e0188771_JaffaCakes118.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2500
  • C:\Windows\system32\mshta.exe
    "C:\Windows\system32\mshta.exe" javascript:oPk1Edw="3va";n04f=new%20ActiveXObject("WScript.Shell");PNU1A="hRF2qbe";loFO1=n04f.RegRead("HKLM\\software\\Wow6432Node\\31o9npI7KQ\\dgM83Rl");KmewdQx46="SP";eval(loFO1);ggMdy64="sWKFOQ";
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:munp
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe
        3⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VirtualBox drivers on disk
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Deletes itself
        • Drops startup file
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1256
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\SysWOW64\regsvr32.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2384

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\3bb45b\0535f9.lnk
    Filesize

    877B

    MD5

    c51c31ac820f16de36aabcee43ec2535

    SHA1

    f5aa79c60f7709b94285d69a6a8db7810514c61e

    SHA256

    4e613f5b85351658a1cffa753c3886eed7d698dbb84b8718fc465efd52b033cf

    SHA512

    8be0343b89af17e3fc5379582b9c2f4a0a609d85a373e1adcd84f84e2903b6b5a55e9421aaf72b7f6d39d2c2e1b3e844dd8a30985d620a6a03baebb5416a4e56

    Download Submit

  • C:\Users\Admin\AppData\Local\3bb45b\617183.bat
    Filesize

    61B

    MD5

    1ce23027910a92f3268e308e3f4bec1d

    SHA1

    5863e43917be3a7d7b7a333b6f608b4a2641b726

    SHA256

    2babaaf64c0022e43fef910efc470945c959a42beb604f1e640b4e2dea4d8df6

    SHA512

    b0642467d79f3cb1aca55a16e3c2c4e7822c68626048a514ceea9ea04bfcbfdece107e1ca14b4e9fd5e002fd510d7f04bb7d587fd859312f58ee1a9a4d73afa5

    Download Submit

  • C:\Users\Admin\AppData\Local\3bb45b\7adc1c.3539267
    Filesize

    15KB

    MD5

    003a231399fcc62e4092a5de6ff9f8b2

    SHA1

    188a8ac94619b7f0726ba6ddaeaf0c5fa0179f60

    SHA256

    60edefb37f8b763e51061ddc46d90f9f3abafd496e234f5bf2b2f46575202fa4

    SHA512

    da49fd250466cf778a15f9d9a3edf6ca24a25053f2761f0b0418e58122316877b34f4b886aa1b0891d6fccbf78ab25bec22975dd249510a7231bc5dc017b9239

    Download Submit

  • C:\Users\Admin\AppData\Roaming\55e4a2\a6cabd.3539267
    Filesize

    34KB

    MD5

    cc155d11557960c68f12826a2195d10e

    SHA1

    512f0b8a02ca6661fd59bd5545d91277836db547

    SHA256

    751a3f85f728d439bcc0ef2e786b3bf5efce138fd5a249ca0fcbc305084ed413

    SHA512

    eca722257ecb12f6c117c7367fa8d6d0723de8d6c2d0c374a6b24ba0f22ca7278e136e28030a18cd5ea032e2bbb6782ae687b31371a868b5477c2eae1347b504

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ed4fc3.lnk
    Filesize

    987B

    MD5

    0342ae2ff2126920d5f2399b4ae54387

    SHA1

    4ede955a3db6a190cccb2fadc6f0324a4aa5ea43

    SHA256

    2de83f544fe6afcb0d9d22a4946bf117a0f3aff96a8a555164407be846913eb5

    SHA512

    616d9e3ecc0660b09b38bfffed86cc3bc471c4615eb76c00b95f8dc2e7a272fbb62462107196f925e347bc07abf447847bf0e9f16130fb27435ba8e5d611373b

    Download Submit

  • memory/1256-43-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-46-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-56-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-38-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-39-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-40-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-41-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-44-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-45-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-55-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-47-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-31-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-32-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-42-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-48-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-36-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-35-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-57-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-37-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-74-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-63-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-49-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-62-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-71-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-66-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-65-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-73-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-50-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-51-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-54-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-53-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1256-52-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2384-82-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2384-80-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2384-84-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2384-81-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2384-83-0x0000000000250000-0x0000000000391000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2500-20-0x00000000002D0000-0x00000000003A6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2500-4-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2500-16-0x00000000002D0000-0x00000000003A6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2500-6-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2500-12-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2500-0-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2500-2-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2500-17-0x00000000002D0000-0x00000000003A6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2500-19-0x00000000002D0000-0x00000000003A6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2500-13-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2500-14-0x00000000002D0000-0x00000000003A6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2500-10-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2500-18-0x00000000002D0000-0x00000000003A6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2500-15-0x00000000002D0000-0x00000000003A6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2500-8-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2764-33-0x0000000002E10000-0x0000000004E10000-memory.dmp

    Filesize

    32.0MB

    Download

  • memory/2764-34-0x0000000006300000-0x00000000063D6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2764-30-0x0000000006300000-0x00000000063D6000-memory.dmp

    Filesize

    856KB

    Download