Analysis

  • max time kernel
    93s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-12-2024 06:22

General

  • Target

    cb7d40ded5b771e19e3c8cb1ea484805_JaffaCakes118.exe

  • Size

    218KB

  • MD5

    cb7d40ded5b771e19e3c8cb1ea484805

  • SHA1

    336554d1f03f8740ecd6be12b031911c5963ab3c

  • SHA256

    1ed33096379abcac370501dfc3e230be24c87f406a215802a5ce5390eb8d1177

  • SHA512

    ca25480609ba59b610c73e03423b0bf574ec02bf319cd16bfaa173090926d5cc49f3bd5482087c66677ce1a0ab300133e464fa01161b9a644ea88164ca8b820c

  • SSDEEP

    6144:0PkAnUpxcp929I4AyvtXCOEKrKzC45Eu81b7t2:0PUp4M9I6vtdEKrKzr5Ej1bJ2

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • ModiLoader Second Stage 2 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects a file protected with the ACProtect packer/protector.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 16 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
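
The three registry signatures above (BIOS, processor, connected drives) fire individually, but what distinguishes sandbox fingerprinting from ordinary host queries is one process touching all three locations in quick succession. The script below is an added example, not part of the sandbox report: it runs that correlation over constructed registry-read records shaped like Procmon/ETW output for PID 4932. The key paths it watches (HKLM\HARDWARE\DESCRIPTION\System\BIOS, ...\CentralProcessor, and HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum) are an assumption about what these signatures look at; the report does not list the exact keys.

```python
"""Correlate registry reads of BIOS, CPU and disk-enumeration keys per
process (added example, not from the sandbox report).  The event records
are constructed; the watched key paths are assumed, not taken from the
report."""
from collections import defaultdict

# Assumed fingerprinting locations under HKLM, lowercased for matching.
FINGERPRINT_KEYS = {
    "bios": r"hklm\hardware\description\system\bios",
    "cpu": r"hklm\hardware\description\system\centralprocessor",
    "disk": r"hklm\system\currentcontrolset\services\disk\enum",
}

HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}


def normalize(path: str) -> str:
    """Lowercase a registry path and map long hive names to short aliases."""
    path = path.lower().replace("/", "\\")
    hive, sep, rest = path.partition("\\")
    return HIVE_ALIASES.get(hive, hive) + sep + rest


def classify_read(path: str):
    """Return the fingerprint category a registry path belongs to, or None."""
    p = normalize(path)
    for category, prefix in FINGERPRINT_KEYS.items():
        if p == prefix or p.startswith(prefix + "\\"):
            return category
    return None


def find_fingerprinting(events, window_s=30.0, min_categories=3):
    """Flag (pid, image) pairs that read >= min_categories distinct
    fingerprint categories inside any window_s-second window.
    events: iterable of (timestamp_s, pid, image, operation, path)."""
    per_proc = defaultdict(list)
    for ts, pid, image, op, path in events:
        if not op.lower().startswith("reg"):
            continue
        cat = classify_read(path)
        if cat:
            per_proc[(pid, image)].append((ts, cat))
    hits = []
    for (pid, image), reads in per_proc.items():
        reads.sort()
        for i, (t0, _) in enumerate(reads):
            cats = {c for t, c in reads[i:] if t - t0 <= window_s}
            if len(cats) >= min_categories:
                hits.append({"pid": pid, "image": image,
                             "categories": cats, "first_ts": t0})
                break
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\cb7d40ded5b771e19e3c8cb1ea484805_JaffaCakes118.exe"

# Constructed records, not the report's event log.  PID 4932 is the
# submitted sample; 1234 and 808 are benign noise for contrast.
SAMPLE_EVENTS = [
    (10.0, 4932, SAMPLE, "RegQueryValue", r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
    (10.1, 4932, SAMPLE, "RegQueryValue", r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName"),
    (10.4, 4932, SAMPLE, "RegQueryValue", r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    (10.6, 4932, SAMPLE, "RegEnumValue", r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0"),
    (10.7, 4932, SAMPLE, "RegQueryValue", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"),
    (11.0, 1234, r"C:\Windows\explorer.exe", "RegQueryValue", r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion"),
    (300.0, 1234, r"C:\Windows\explorer.exe", "RegQueryValue", r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"),
    (20.0, 808, r"C:\Windows\System32\svchost.exe", "RegOpenKey", r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum"),
]

if __name__ == "__main__":
    for hit in find_fingerprinting(SAMPLE_EVENTS):
        print(f"pid {hit['pid']} ({hit['image']}) read "
              f"{sorted(hit['categories'])} within 30s of t={hit['first_ts']}")
```

Only the sample trips the three-category rule; explorer.exe reads BIOS and CPU keys too, but minutes apart, and svchost.exe only enumerates disks. Lowering min_categories to 1 reproduces the single-signature behaviour of the report, which is why those individual signatures carry little weight on their own.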

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb7d40ded5b771e19e3c8cb1ea484805_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cb7d40ded5b771e19e3c8cb1ea484805_JaffaCakes118.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4932
    • C:\Windows\Win Types\RUNDLL32.exe
      "C:\Windows\Win Types\RUNDLL32.exe" "C:\Users\Admin\AppData\Local\Temp\cb7d40ded5b771e19e3c8cb1ea484805_JaffaCakes118.exe"
      2⤵
      • Checks BIOS information in registry
      • Deletes itself
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3380
      • C:\Program Files (x86)\internet explorer\iexplore.exe
        "C:\Program Files (x86)\internet explorer\iexplore.exe"
        3⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5088
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4524
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4524 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4976

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    471B

    MD5

    8ccf65b127d0608732734b96b79d8a12

    SHA1

    f50e2ff848a61949c79f1bca80fa174dc04e448e

    SHA256

    761614367687e75bf56abe14b096a9dc92f4eea785bb07077e521d8047396453

    SHA512

    89de5a300af7dd2204f11a2a1f86787b2778bc33e9a601d889736063e37bdf8b81e7a32c4ec2aaae4e7a18ce5814c72fb0e2857bb76c08ec24a0917864584f34

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    404B

    MD5

    b69fc239116938e0d157fcc5ed5d92d4

    SHA1

    959c6a24054c7a2a6e82a825baf29e46b5f32956

    SHA256

    be18be24e4aedba04343d9c697a61c7c25ca37247e0f99293074501a996214b0

    SHA512

    418452d2762abbe40a16314ef6dddc1377629cc01906c775bce62a907a303d0781f2f92e14e6114d48e0bd74159dcd6a30212520bc71f6a4e93e166ad534c530

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M6JHG9EK\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Windows\PCGWIN32.LI4

    Filesize

    528B

    MD5

    8a81cafd725b78b8962f47273ea7eb79

    SHA1

    2ed9d9a99bbc7908ed41e75551c34dbe2e34f715

    SHA256

    e8b50c9087908c536cb003e8d045c74d65e822a5a3f6cd87e6e8df57f7aafb2e

    SHA512

    ef094b05110f1388b1cf43a2dd19c9c319cdee9af50e354afbbdfdeba5940281302004f02fba7befbfb66cfd822a8389e9b4707fd0c5c59878fae1a4fe054bb2

  • C:\Windows\PCGWIN32.LI4

    Filesize

    528B

    MD5

    b1e23e4a08bf65423b624c3caad731be

    SHA1

    7047498779b6416d97369a64ef5e66f56a06d196

    SHA256

    51c9a2a3034c9cfc4f0cc71bf4974e5e565fce48e27ae27d4a30a828ee605266

    SHA512

    fd860ed3757a4f75c725326a5eeede541d3e0b924860d5d7f5c1092d6531c0a2023e7e73e9c0b1b6cd00f1bd33b89ac690145b0199ae6713c080eede08bbd749

  • C:\Windows\Win Types\1.mzp

    Filesize

    59KB

    MD5

    62cc2400e5e330e7d53f0ae47e588faa

    SHA1

    9e0bc228e271488f3584b2d1dbfe78c5decd0a80

    SHA256

    c286cde196cb862e110b14a955d798dbf6af81b4c4a7298d79d31b17db526065

    SHA512

    86b169dd2395f8dd47e5eba63c408caac3bc781b7b200bfc4ec61c95296d83cbba4a9da4bffae2c09fb00e2a2fad6ee474d941decc007b71f952b55a90f566fc

  • C:\Windows\Win Types\1\0.dll

    Filesize

    59KB

    MD5

    2327ef47dc5ce548fc3e459be934aa64

    SHA1

    1cf4e9beebd4aef75f8535fe69db3eae52f598ea

    SHA256

    b225d4f33cd33ab29258961bbe32a6226fa2057decca089857911d507f9bcf20

    SHA512

    ea1ae88831e210b1d71d277e8a04e3b8e87065fa9e7c0ad7bad6a5f3285b889d98858167450a009bdf0be54e1b11c4b1af1cb71fa445fc189a6a9eef1546b26c

  • C:\Windows\Win Types\RUNDLL32.exe

    Filesize

    218KB

    MD5

    cb7d40ded5b771e19e3c8cb1ea484805

    SHA1

    336554d1f03f8740ecd6be12b031911c5963ab3c

    SHA256

    1ed33096379abcac370501dfc3e230be24c87f406a215802a5ce5390eb8d1177

    SHA512

    ca25480609ba59b610c73e03423b0bf574ec02bf319cd16bfaa173090926d5cc49f3bd5482087c66677ce1a0ab300133e464fa01161b9a644ea88164ca8b820c

  • memory/3380-23-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/3380-40-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/4932-34-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/4932-35-0x0000000000418000-0x000000000042D000-memory.dmp

    Filesize

    84KB

  • memory/4932-0-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/4932-2-0x0000000000418000-0x000000000042D000-memory.dmp

    Filesize

    84KB

  • memory/4932-1-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB