Overview

overview

10

Static

static

3

e9988c7103...18.exe

windows7-x64

10

e9988c7103...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-12-2024 03:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e9988c71033c0c888f5239f7759b54b5_JaffaCakes118.exe

  • Size

    875KB

  • MD5

    e9988c71033c0c888f5239f7759b54b5

  • SHA1

    9eaf4ca159f25e8b8cf26f669aea877c6765678b

  • SHA256

    40de2e88eb2d82e8b2b5ab8735dd2f71e71dadc03e2e4bd818246062724abe8f

  • SHA512

    c8119f71b2aae342387247731db63123ca0c080fb3202f179c60f5c2e8044f31c5ed4a2aef11668847c18bab9033038620e7380dbb523532dddfec512d327dbd

  • SSDEEP

    24576:w2O/GlJXysWPUt5fiAx7XFT3YVNOgwXkfjvILisFSvRA6WcUXq2:0LAxhSN7wqvILdFSO6Wc0q2

Score
10/10
modiloaderdiscoverytrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modiloader family
    modiloader
  • ModiLoader First Stage 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9988c71033c0c888f5239f7759b54b5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e9988c71033c0c888f5239f7759b54b5_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Program Files (x86)\Screen 2 WebFlash 1\webflash.exe
        "C:\Program Files (x86)\Screen 2 WebFlash 1\webflash.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1404
      • C:\Program Files (x86)\Screen 2 WebFlash 1\webflash.exe
        "C:\Program Files (x86)\Screen 2 WebFlash 1\webflash.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3644
      • C:\Program Files (x86)\Screen 2 WebFlash 1\webflash.exe
        "C:\Program Files (x86)\Screen 2 WebFlash 1\webflash.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:448

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\GrafikRW.dll
    Filesize

    610KB

    MD5

    20fbdd9f89014a8e01cfd3a17beaa0c0

    SHA1

    3122a2848b893673c385a7c87a14f804ca6bc7d3

    SHA256

    4f2a0c109d51a289744276b7d943d8ce678fcec7f1bfc3ffbe55683b6ece7d02

    SHA512

    54890f9abd55e60a2e0bf5552a00c57723d409696c0ad2ace63509d1c0c46aa7e4059139ff754fa945d10999806b61644dd0c32728d0c79a5704f7addd4001f9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.log
    Filesize

    394B

    MD5

    983af125b036026f42600ac766bf6007

    SHA1

    6a563a45580624f81bc226aed49d3e75f335e2fa

    SHA256

    6f1e472a33edd813018e2d5c7bff20469cfb8a965b2488259537173740086112

    SHA512

    57e4df0f2b36418cb93ff2e4f779f109bb8a95a20977551238e28ca61fc264291690a416881a5efe1ba0974c2905ef7ca2d07bec127e2f0868603ff6915a56c5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\cadkasdeinst01e.exe
    Filesize

    80KB

    MD5

    5bc0f9317b2d9309a60519bf5dd74093

    SHA1

    727e274046e223733695f371b199371c46b50707

    SHA256

    02dd77caabecca810ca31dc06fe8f4e1580c76528b2fce9e54aa12092196d43b

    SHA512

    1649cc8737332e589e828620851fa6fdb8110061190ce10035fc6af7e4d2a7273d65a6fc7eb534b2debc031cbc22b01c9ee6f6753d0f9e062ff77b9b854cb723

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\file_id.diz
    Filesize

    1KB

    MD5

    a3ce6addf7808468211a26062929310d

    SHA1

    58d3f3e01ffe18d7b8d72acd2cd1a6d5aa038bb2

    SHA256

    432ba8f83fbbf4f98813a9f9431ee62d8b6c7b5b6eb4f1473981415756956b69

    SHA512

    bc0029a0c27d96e7d3ebb976ce4fae708c32782b40f2f8eb9539bd939dd65aa555d8207054c82678653760f98a35ed98f45c689029071edf46ab4ccd734581dd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\flash.chm
    Filesize

    12KB

    MD5

    f1e7538dc8a2f141a0e8d9d6cfcd16c2

    SHA1

    258090866bef06205344993f22b436892b60deb9

    SHA256

    a97d0a53bf2bbb7dfac98feaf73688443fd01be107b915df8afcddd58fdfbe61

    SHA512

    3433d605f5f198ffcaa05ebef065a48e7e0010fbe81722c7eb60a26925758c99695264404bb903604f3d84dd37ef617c4bf73406e7a686d37463bd6fa2e38a6f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\manual.txt
    Filesize

    3KB

    MD5

    184e112d7af630de517d2dbfae6f4d56

    SHA1

    560af293f56f487fe51f7705652ac31d07f1d95d

    SHA256

    bb6f4397eadef4d1083b0268a458c3240335bfa12e90d201e5809471a22d7125

    SHA512

    0bee5ec25285e5b7badf38f80d5d902e7bd947fb2c2e8a5fbd0113e83019794dcdb1ef7d9808b509c27e53f6fe9443cd2b8349a6bad161d8cbb012a30c7d75c0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\order.txt
    Filesize

    318B

    MD5

    5e53a96f02a6f8eb5895c6bc54714a3e

    SHA1

    f4925c9d95c7d905eaecfff27f74c7c88a8247bc

    SHA256

    9b05d25a897485b581fb88e37c9ef67cb2a4a783a8836712acc193d10c73f06f

    SHA512

    bf88ce085e4956bb8e21128e9912a7e6682159070d818669ee18b6de27e92dafa84b927a969d6e5c2ad24a72bcdee66695594734d39b667872f27a55f6668683

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
    Filesize

    92KB

    MD5

    a5e4d12b2766075ebaea8de2ad4865b9

    SHA1

    5de886f171824e35b78160e7a24864e538d5d0ae

    SHA256

    3a8dbe69d4e83c762d287e4c9b9ec1a2319bc362f95f99937d3d03d8dc0b35e6

    SHA512

    c9d3d9ffce6fe46e81567450662307e49886d4210e2fb75d537a5ac09a43bf0c8d25a79e47204d793930ebfaf216dc4f383f588b614eec06596038112a0fbd3f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\webflash.exe
    Filesize

    1.3MB

    MD5

    89fc78e93cfd3b127e1708daa826c425

    SHA1

    8eb64f06bc6618e2192ed736f216a2e1f7da0334

    SHA256

    892327145e2429c61bb179f87f62be4f71cd220bc3db921f33c5add3696e658e

    SHA512

    1966a20b773c4c92ed672428670be982aaf9168491e2b1e9622f682624e3288155297c8dad81d66eb5b3edffc6da8053234fc1a19a86db89edfb6a4d4099df31

    Download Submit

  • memory/448-186-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1404-144-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1404-87-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2828-101-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2828-184-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2828-120-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2828-125-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2828-143-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2828-86-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2828-145-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2828-206-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2828-162-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2828-165-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2828-106-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2828-188-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2828-53-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/3644-185-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3644-146-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

    Download