Overview

overview

10

Static

static

3

d3712f81b1...18.exe

windows7-x64

10

d3712f81b1...18.exe

windows10-2004-x64

10

$PLUGINSDI...dl.dll

windows7-x64

3

$PLUGINSDI...dl.dll

windows10-2004-x64

3

$TEMP/vays...52.exe

windows7-x64

10

$TEMP/vays...52.exe

windows10-2004-x64

10

$TEMP/windll.dll

windows7-x64

10

$TEMP/windll.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-12-2024 20:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d3712f81b1dd98d78d99b0d639e64232_JaffaCakes118.exe

  • Size

    1.9MB

  • MD5

    d3712f81b1dd98d78d99b0d639e64232

  • SHA1

    49cc37c7d3971806c46b8ddc1427745244b4eb46

  • SHA256

    ee3e04171308b5c8fae57344a095285e83c10b942745f27f4696a01cd2b16678

  • SHA512

    fce9990bb534ecf58a748e707c40bc5a8f3e5cfa6769c6e1fc290a503ae573094013a7b6a38e88b3581453f5f6173d93ade21ad9c81631b379d5d65608531bc6

  • SSDEEP

    49152:mGNHSoJZULvF8aUPbix/OA+wQ9UMZcUuuhJgHDppPWQVpbAaH9:ZSoJqTFMemwpMiU/EzuQjbB

Score
10/10
modiloaderbootkitdiscoverypersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modiloader family
    modiloader
  • ModiLoader Second Stage 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d3712f81b1dd98d78d99b0d639e64232_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d3712f81b1dd98d78d99b0d639e64232_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4488
    • C:\Users\Admin\AppData\Local\Temp\vaysoft-image-to-exe-converter-4.52.exe
      "C:\Users\Admin\AppData\Local\Temp\vaysoft-image-to-exe-converter-4.52.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3476
      • C:\Users\Admin\AppData\Local\Temp\is-JN8H7.tmp\vaysoft-image-to-exe-converter-4.52.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-JN8H7.tmp\vaysoft-image-to-exe-converter-4.52.tmp" /SL5="$E004C,1697600,53248,C:\Users\Admin\AppData\Local\Temp\vaysoft-image-to-exe-converter-4.52.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4696
        • C:\Program Files (x86)\VaySoft\VaySoft Image to EXE Converter\imagetoexe.exe
          "C:\Program Files (x86)\VaySoft\VaySoft Image to EXE Converter\imagetoexe.exe"
          4⤵
          • Executes dropped EXE
          • Writes to the Master Boot Record (MBR)
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3704

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\VaySoft\VaySoft Image to EXE Converter\imagetoexe.exe
    Filesize

    2.3MB

    MD5

    2a3e3d4612ee5253df73afe5483cd53d

    SHA1

    f52b0a65d2fce52d543705c62a063220a91c496c

    SHA256

    2c23689bddb2eb08efd94e7e319adafa58d5d9ec00b71e4a5519e7797ed41854

    SHA512

    b49b733183032769ae58c972b280a286457f6297b79a83078af586561110c1035af965f42418ee6287647afb9bf7e24ff58758b30f5b02f6bcd1d7e4621ca041

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-JN8H7.tmp\vaysoft-image-to-exe-converter-4.52.tmp
    Filesize

    669KB

    MD5

    52950ac9e2b481453082f096120e355a

    SHA1

    159c09db1abcee9114b4f792ffba255c78a6e6c3

    SHA256

    25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

    SHA512

    5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsm8B97.tmp\NSISdl.dll
    Filesize

    72KB

    MD5

    b13935bfa7a3e43c112bd9fa02f08f28

    SHA1

    dec4f136057097c412f53c2ae41b80a8ad0c6810

    SHA256

    796f7efb91904fa4105528e18f6f87e3fdab9a070dabef83e02f9ae375b2b060

    SHA512

    1b92cde7bf74fc181b4d2602a269ef1f581b75eb67e3e46b256ddaddc153b95ee17d422a56ca04d68eafe61ab468b708f7f3691f3b47c554a67af00d49b2709a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vaysoft-image-to-exe-converter-4.52.exe
    Filesize

    1.8MB

    MD5

    6ce9644cb6b649e61afaa8d79de40bf0

    SHA1

    a8b1ea2c5dd283fd7f889a58fb0dc087e4e2736a

    SHA256

    935225e6b0f68e3891f9d0f16f433a7673c5ecdc6a02fc8857bb1a6460492254

    SHA512

    e1db0d224de89a5a06bfc6ffc81320f5b20b2bff32ad4a61c0d70f607a6baafeadb6c33690c0246a2c84c129cfa0f4f8e3d72f5234414ef48dc615a722bd33c2

    Download Submit

  • memory/3476-11-0x0000000000401000-0x000000000040B000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3476-9-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3476-25-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3476-61-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3704-72-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/3704-60-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/4488-18-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4696-26-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

    Download

  • memory/4696-59-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

    Download

  • memory/4696-51-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

    Download

  • memory/4696-28-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

    Download

  • memory/4696-23-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

    Download