Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-12-2024 12:34

General

  • Target

    d9a524baea6be9a3e06d5a133ed319fd_JaffaCakes118.exe

  • Size

    474KB

  • MD5

    d9a524baea6be9a3e06d5a133ed319fd

  • SHA1

    145d00ef2d457cf7154d2c83bf6a0e59262d95ee

  • SHA256

    1eb0119af5d3e69ec00a43a3c3caffe122e6cdcd257aabd2e0a69bba2ba45a4e

  • SHA512

    6ac1d78de794df4461fd15ae5ab2af738dee94da7fab29a84b6ec2775e637d04f969664539a060708530c9453d8fbd379dba66a0baf717c1fc671d530afbc22b

  • SSDEEP

    12288:iHLUMuiv9RgfSjAzRtyueohiZFoslZFfuKWU0Su:AtARTeohO/D2vBSu

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • UAC bypass 3 TTPs 1 IoCs
  • ModiLoader Second Stage 16 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9a524baea6be9a3e06d5a133ed319fd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d9a524baea6be9a3e06d5a133ed319fd_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3352
    • C:\Users\Admin\AppData\Local\Temp\serveturkojan.exe
      "C:\Users\Admin\AppData\Local\Temp\serveturkojan.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3260
      • C:\Windows\mstwain32.exe
        "C:\Windows\mstwain32.exe"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1988
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\amor-69.gif
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2308 CREDAT:17410 /prefetch:2
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4172
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1108

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    471B

    MD5

    2d1847b341a938389fc5b14b0bcd9eb2

    SHA1

    4036e71c4002e7ee173d59dc84a9cb5aa1390d34

    SHA256

    275c7427c6238d335e521a313e6cff2357b16e645202f11e3433cd56539ccc32

    SHA512

    384e910821ee8b786f70b5358f120cb3aea47f0e50d1f5c6e4c7304435c7d88f2c5ac9027c73823916149a369ac1c7640c18b13db8e6ee740c963e1b8bd51428

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    404B

    MD5

    7a0ef219b0df92bec854cd01bb3f8954

    SHA1

    072911c3e6104e45482404a846774946820fe105

    SHA256

    6ffde6a91abb37845b2b079568bf031564646e1d5a5ed825fd22317966bd16d1

    SHA512

    a6bbfa60ff96ed5ba83b4422c5dad0b72136983444c96fd004c548a2118e65f702e528543f996d209798e6abf3df346e25eb19ddb8b28280611d626e84999d78

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Temp\aut70DB.tmp

    Filesize

    40KB

    MD5

    4e7326cf5b7ca348f88e39902facd6ba

    SHA1

    1a61f2b901b3b6f29f23000e8592b5310825e355

    SHA256

    48ca6048d24f8c9fca09c09a49830f78ed0c448672447a8642419f9d8e4b2348

    SHA512

    685b83a21ef07c477a40dcf57ce15dbeadc870b89d19f64fa423983421806b9167a0f625141049644447bb8ce1d816654a1699fb0da9c9840965af456ff46593

  • C:\Users\Admin\AppData\Local\Temp\serveturkojan.exe

    Filesize

    270KB

    MD5

    a327495b6fbf9b63329dcfdbf6577ffe

    SHA1

    8710089887b485231d34c7e34db658c599409f5c

    SHA256

    e4e885b886793906838a0908db5b78db035e75cb63d8543f42112d485a572612

    SHA512

    92b5ff1e082db5c089dcbc356d736a0329557a8ddeba10134603e1896e8eacc5c244945b461b21c97504351e997c735e69feb49e7bffb34ea4d0af0d1050c135

  • C:\Windows\cmsetac.dll

    Filesize

    33KB

    MD5

    a71eed9f33ab3dfde1f018b0913372ac

    SHA1

    a91f3311c33da1cbf3a1e10b973f660cc2c8bb3a

    SHA256

    49d785795c17016cca224aa61815ff4e5eafcb24c393669284ff13598bd86080

    SHA512

    cf378e24586bf7029c2a20b2b9a800816d1efc0e12b0338e3284133edd51878e41c9f27b195f6e4b341e35e9b7b8ce76c78c982d557d7b42018428dc6df8a9de

  • C:\Windows\ntdtcstp.dll

    Filesize

    7KB

    MD5

    67587e25a971a141628d7f07bd40ffa0

    SHA1

    76fcd014539a3bb247cc0b761225f68bd6055f6b

    SHA256

    e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

    SHA512

    6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

  • memory/1988-49-0x00000000030E0000-0x00000000030EE000-memory.dmp

    Filesize

    56KB

  • memory/1988-103-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1988-55-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1988-56-0x0000000002130000-0x0000000002138000-memory.dmp

    Filesize

    32KB

  • memory/1988-57-0x00000000030E0000-0x00000000030EE000-memory.dmp

    Filesize

    56KB

  • memory/1988-58-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1988-115-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1988-112-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1988-72-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1988-75-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1988-78-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1988-81-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1988-109-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1988-94-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1988-97-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1988-100-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1988-106-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/3260-36-0x0000000000A60000-0x0000000000A61000-memory.dmp

    Filesize

    4KB

  • memory/3260-38-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/3352-0-0x0000000000400000-0x00000000004AC000-memory.dmp

    Filesize

    688KB

  • memory/3352-26-0x0000000000400000-0x00000000004AC000-memory.dmp

    Filesize

    688KB