Analysis

  • max time kernel
    38s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-12-2024 20:19

General

  • Target

    d3712f81b1dd98d78d99b0d639e64232_JaffaCakes118.exe

  • Size

    1.9MB

  • MD5

    d3712f81b1dd98d78d99b0d639e64232

  • SHA1

    49cc37c7d3971806c46b8ddc1427745244b4eb46

  • SHA256

    ee3e04171308b5c8fae57344a095285e83c10b942745f27f4696a01cd2b16678

  • SHA512

    fce9990bb534ecf58a748e707c40bc5a8f3e5cfa6769c6e1fc290a503ae573094013a7b6a38e88b3581453f5f6173d93ade21ad9c81631b379d5d65608531bc6

  • SSDEEP

    49152:mGNHSoJZULvF8aUPbix/OA+wQ9UMZcUuuhJgHDppPWQVpbAaH9:ZSoJqTFMemwpMiU/EzuQjbB

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • ModiLoader Second Stage 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
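
The "Writes to the Master Boot Record (MBR)" signature above is raised on imagetoexe.exe (PID 2856). The check a responder wants after such an alert is whether sector 0 of the disk actually changed, and in which region: a bootkit overwrites the boot code but leaves the partition table intact so the OS still boots. The script below is an added example and is not part of the sandbox report; it parses a 512-byte MBR, diffs it against a known-good baseline, and runs on two sectors constructed in the script (take real input with a forensic image or a raw read of sector 0).

```python
"""Parse a 512-byte MBR and diff it against a known-good baseline sector.

Added example for triaging a "Writes to the Master Boot Record" alert.
The two sectors at the bottom are constructed for the demonstration and
are not taken from the sandbox report.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: boot code
DISK_SIG_OFF = 440       # bytes 440..443: Windows disk signature
PART_TABLE_OFF = 446     # bytes 446..509: four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIG_OFF = 510       # bytes 510..511: 0x55 0xAA
BOOT_SIG = b"\x55\xaa"
# status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
PART_FMT = "<B3xB3xII"


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one partition table entry; CHS fields are skipped."""
    status, ptype, lba_start, sectors = struct.unpack_from(PART_FMT, entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into boot code hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = [sector[PART_TABLE_OFF + i * PART_ENTRY_LEN:
                      PART_TABLE_OFF + (i + 1) * PART_ENTRY_LEN] for i in range(4)]
    parts = [parse_partition_entry(e) for e in entries]
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": [p for p in parts if p["type"] != 0],   # drop empty slots
        "valid_signature": sector[BOOT_SIG_OFF:] == BOOT_SIG,
    }


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Names of the regions that differ between two MBR sectors."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    changed = []
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        changed.append("boot_code")
    if b["disk_signature"] != c["disk_signature"]:
        changed.append("disk_signature")
    if b["partitions"] != c["partitions"]:
        changed.append("partition_table")
    if not c["valid_signature"]:
        changed.append("boot_signature_missing")
    return changed


def build_mbr(boot_code: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a sector from its parts; used here only to construct sample input."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_FMT, sector, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sector[BOOT_SIG_OFF:] = BOOT_SIG
    return bytes(sector)


# Constructed sample data (not from the report): a baseline sector and one whose
# boot code was overwritten while the disk signature and partition table were
# left alone, which is the pattern a bootkit leaves behind.
PARTITIONS = [(True, 0x07, 2048, 204800)]
BASELINE_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 433,
                         0x1234ABCD, PARTITIONS)
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\xcc" * 438, 0x1234ABCD, PARTITIONS)

if __name__ == "__main__":
    print(parse_mbr(BASELINE_MBR))
    print("changed regions:", diff_mbr(BASELINE_MBR, TAMPERED_MBR))
```

On a live Windows host the current sector can be read from \\.\PhysicalDrive0 with an administrative raw read; the baseline should come from a pre-incident image or a golden build, not from the same host after the alert.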

Processes

  • C:\Users\Admin\AppData\Local\Temp\d3712f81b1dd98d78d99b0d639e64232_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d3712f81b1dd98d78d99b0d639e64232_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Users\Admin\AppData\Local\Temp\vaysoft-image-to-exe-converter-4.52.exe
      "C:\Users\Admin\AppData\Local\Temp\vaysoft-image-to-exe-converter-4.52.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Users\Admin\AppData\Local\Temp\is-PEDAD.tmp\vaysoft-image-to-exe-converter-4.52.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-PEDAD.tmp\vaysoft-image-to-exe-converter-4.52.tmp" /SL5="$5014E,1697600,53248,C:\Users\Admin\AppData\Local\Temp\vaysoft-image-to-exe-converter-4.52.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Program Files (x86)\VaySoft\VaySoft Image to EXE Converter\imagetoexe.exe
          "C:\Program Files (x86)\VaySoft\VaySoft Image to EXE Converter\imagetoexe.exe"
          4⤵
          • Executes dropped EXE
          • Writes to the Master Boot Record (MBR)
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2856

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Program Files (x86)\VaySoft\VaySoft Image to EXE Converter\imagetoexe.exe

    Filesize

    2.3MB

    MD5

    2a3e3d4612ee5253df73afe5483cd53d

    SHA1

    f52b0a65d2fce52d543705c62a063220a91c496c

    SHA256

    2c23689bddb2eb08efd94e7e319adafa58d5d9ec00b71e4a5519e7797ed41854

    SHA512

    b49b733183032769ae58c972b280a286457f6297b79a83078af586561110c1035af965f42418ee6287647afb9bf7e24ff58758b30f5b02f6bcd1d7e4621ca041

  • \Program Files (x86)\VaySoft\VaySoft Image to EXE Converter\unins000.exe

    Filesize

    679KB

    MD5

    980de92df387ddd01c71254edec672e4

    SHA1

    be513ab47d0896ede95506ed85352667445bf050

    SHA256

    8f2f0c3ffc0bb50652052e580f49a7bf647ae879caa4e308d30a74b81a1fe341

    SHA512

    2cd75c7679787cf7a1f7e012c8c961f0a22e6a91361c2b3d489fbcfaa9dfe4bec23035935ffadb8161a2f9839424a26c31486087c60c68bdba7ef8f544cd73c6

  • \Users\Admin\AppData\Local\Temp\is-659LK.tmp\_isetup\_shfoldr.dll

    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

  • \Users\Admin\AppData\Local\Temp\is-PEDAD.tmp\vaysoft-image-to-exe-converter-4.52.tmp

    Filesize

    669KB

    MD5

    52950ac9e2b481453082f096120e355a

    SHA1

    159c09db1abcee9114b4f792ffba255c78a6e6c3

    SHA256

    25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

    SHA512

    5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

  • \Users\Admin\AppData\Local\Temp\nszE4E4.tmp\NSISdl.dll

    Filesize

    72KB

    MD5

    b13935bfa7a3e43c112bd9fa02f08f28

    SHA1

    dec4f136057097c412f53c2ae41b80a8ad0c6810

    SHA256

    796f7efb91904fa4105528e18f6f87e3fdab9a070dabef83e02f9ae375b2b060

    SHA512

    1b92cde7bf74fc181b4d2602a269ef1f581b75eb67e3e46b256ddaddc153b95ee17d422a56ca04d68eafe61ab468b708f7f3691f3b47c554a67af00d49b2709a

  • \Users\Admin\AppData\Local\Temp\vaysoft-image-to-exe-converter-4.52.exe

    Filesize

    1.8MB

    MD5

    6ce9644cb6b649e61afaa8d79de40bf0

    SHA1

    a8b1ea2c5dd283fd7f889a58fb0dc087e4e2736a

    SHA256

    935225e6b0f68e3891f9d0f16f433a7673c5ecdc6a02fc8857bb1a6460492254

    SHA512

    e1db0d224de89a5a06bfc6ffc81320f5b20b2bff32ad4a61c0d70f607a6baafeadb6c33690c0246a2c84c129cfa0f4f8e3d72f5234414ef48dc615a722bd33c2

  • memory/1820-30-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

  • memory/2264-13-0x0000000000401000-0x000000000040B000-memory.dmp

    Filesize

    40KB

  • memory/2264-10-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2264-76-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2264-31-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2584-34-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/2584-32-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/2584-59-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/2584-70-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/2584-29-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/2856-81-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB
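
The dropped-file entries above are the report's hash IOCs. To hunt for the same files on another host, recompute the digests of suspect files and match them against this list. The script below is an added example and is not part of the sandbox report: the sha256 table is copied from the Downloads section, and the files it is run against in demo() are constructed in a temporary directory so it runs offline.

```python
"""Recompute file digests and match them against the dropped-file IOCs above.

Added example, not part of the sandbox report. The IOC table is copied from
the report's Downloads section; the files hashed in demo() are constructed.
"""
import hashlib
import os
import tempfile

# sha256 -> dropped file, as listed in the report.
REPORT_IOCS = {
    "2c23689bddb2eb08efd94e7e319adafa58d5d9ec00b71e4a5519e7797ed41854": "imagetoexe.exe",
    "8f2f0c3ffc0bb50652052e580f49a7bf647ae879caa4e308d30a74b81a1fe341": "unins000.exe",
    "9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87": "_isetup\\_shfoldr.dll",
    "25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd": "vaysoft-image-to-exe-converter-4.52.tmp",
    "796f7efb91904fa4105528e18f6f87e3fdab9a070dabef83e02f9ae375b2b060": "NSISdl.dll",
    "935225e6b0f68e3891f9d0f16f433a7673c5ecdc6a02fc8857bb1a6460492254": "vaysoft-image-to-exe-converter-4.52.exe",
}

# The four digests the report lists for each file.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def hash_bytes(data: bytes) -> dict:
    """All four digests of an in-memory buffer."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """All four digests of a file, computed in one streaming pass."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_directory(root: str, iocs: dict = REPORT_IOCS) -> list:
    """Walk root; return (path, sha256, matched IOC name or None) per file."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            sha256 = hash_file(path)["sha256"]
            results.append((path, sha256, iocs.get(sha256)))
    return results


def demo() -> dict:
    """Constructed input: one benign file and one registered as an IOC.

    Returns {basename: {"sha256": ..., "match": ...}} so callers can inspect it.
    """
    with tempfile.TemporaryDirectory() as tmp:
        benign = os.path.join(tmp, "readme.txt")
        with open(benign, "wb") as fh:
            fh.write(b"hello")
        suspect = os.path.join(tmp, "dropped.bin")
        with open(suspect, "wb") as fh:
            fh.write(b"constructed payload bytes, not a real sample")
        # Extend the report's list with the constructed file so the match
        # path is exercised; a real hunt would use REPORT_IOCS unchanged.
        iocs = dict(REPORT_IOCS)
        iocs[hash_file(suspect)["sha256"]] = "constructed-dropped.bin"
        return {os.path.basename(p): {"sha256": h, "match": m}
                for p, h, m in scan_directory(tmp, iocs)}


if __name__ == "__main__":
    for name, info in demo().items():
        print(f"{name}: {info['sha256']} -> {info['match'] or 'no match'}")
```

Matching on sha256 is enough for exact-file hunting; the MD5 and SHA1 values in the report are useful only for cross-referencing older feeds, and a recompiled or re-signed build of the same installer will not match any of them.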