Overview

overview

10

Static

static

3

f78185d7e3...18.exe

windows7-x64

10

f78185d7e3...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-12-2024 05:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f78185d7e35f70d1e9ae88545cfbb3b8_JaffaCakes118.exe

  • Size

    914KB

  • MD5

    f78185d7e35f70d1e9ae88545cfbb3b8

  • SHA1

    07308ea95155535301d9d8b33f0dd4ce3485704e

  • SHA256

    848aaaf10168fe96c7ce4a7b836c92f6eacaa059f479da357975e5d5252e1536

  • SHA512

    21a7bf00a56afff3f95e6af9ab8c6421035dbd13103db2678f3edefd3db169fb28de3a62c4fe460dfe0f940bfbe3e41021f58d3a75e8843201b86c94721d8502

  • SSDEEP

    24576:Xh6XqAaeKch19xKNoTjJubG8vQDPbxZEJNyssWwcQKL:eqAaeKch19xKNoTl+G8vQjbkUssWwQL

Score
10/10
modiloaderdiscoveryevasionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modifies firewall policy service 3 TTPs 2 IoCs
    evasion
  • Modiloader family
    modiloader
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • ModiLoader Second Stage 5 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 24 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 20 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\f78185d7e35f70d1e9ae88545cfbb3b8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f78185d7e35f70d1e9ae88545cfbb3b8_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CWBUITSK.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CWBUITSK.EXE
      2⤵
      • Executes dropped EXE
      PID:2576
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NvTaskbarInh.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NvTaskbarInh.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NvTaskbarInh.exe
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NvTaskbarInh.exe"
        3⤵
        • Modifies firewall policy service
        • UAC bypass
        • Windows security bypass
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1152
        • C:\Windows\SysWOW64\statcvs.exe
          "C:\Windows\system32\statcvs.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2620
          • C:\Windows\SysWOW64\statcvs.exe
            "C:\Windows\SysWOW64\statcvs.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1924
            • C:\Windows\statcvs.exe
              "C:\Windows\statcvs.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:1328
              • C:\Windows\statcvs.exe
                "C:\Windows\statcvs.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2456
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe"
                  8⤵
                    PID:1968
          • C:\Windows\SysWOW64\foxit.exe
            "C:\Windows\system32\foxit.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2696
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32.exe "C:\Users\Admin\AppData\Local\cfpifsAP.dll",Startup
              5⤵
              • Loads dropped DLL
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              PID:628
              • C:\Windows\SysWOW64\rundll32.exe
                rundll32.exe "C:\Users\Admin\AppData\Local\cfpifsAP.dll",iep
                6⤵
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:1980

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    4
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Disable or Modify Tools

    3
    T1562.001

    Modify Registry

    6
    T1112

    Credential Access

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    1
    T1012

    System Information Discovery

    3
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\IXP000.TMP\CWBUITSK.EXE
      Filesize

      12KB

      MD5

      1ec9daf45844cd7b6740ecf3b60ff0d4

      SHA1

      f7e3583eb5cd9f014614ed5f30ae9b6eb5597ef9

      SHA256

      85258219117d091659af9e7b28f4aca677c18eb2a962c27a92d9550f79325045

      SHA512

      d3f5aea8572cc670f5cf7843369a1129851d6c2d832acf14b012a9d635a63883e29ae7b8204696d41332f112c6f178c8aee905fa561329c3a4adb0e96527f4bc

      Download Submit

    • \Users\Admin\AppData\Local\Temp\IXP000.TMP\NvTaskbarInh.exe
      Filesize

      962KB

      MD5

      5988f5eea2e0f6275a0f4232b4386bf9

      SHA1

      0d4352fa00586ca07c2a8238b0ab0b5a5e2aced2

      SHA256

      c9bd30a42eedcf7e96088925f13ea4c4741d0ce5d8cdc9c1a033bd81a49164b6

      SHA512

      6f29ac43baf202dfa802a7d4d9f12b55aa5f838fe342ac1638377e9bb12d915c4c29a974cc22776b63ec989d2d4915a32b0a6d15943d6c9bbb746828e8772fba

      Download Submit

    • \Users\Admin\AppData\Local\cfpifsAP.dll
      Filesize

      78KB

      MD5

      3cd79b8e7d198f5fcff729911a0c0b42

      SHA1

      053449f4b2c64dd4c7134b1d0b63c680b5c8b674

      SHA256

      6f99507bbcc36a1f4cad50821dc65d8cead470b8f94b514b0440cabb4fb8afcd

      SHA512

      6f800b7ae774957c251965af1ea2c26d67329dfee9ecd599025c9b3aaa2d6b6b8e204947f2e3f166a4b067f306e57e6deaf05e66c7a0532d969098e6ce707661

      Download Submit

    • \Windows\SysWOW64\foxit.exe
      Filesize

      78KB

      MD5

      ff68d7e9435a7195144c09dc1d6c3fc0

      SHA1

      dca962999faa110e44c0fe4f0aceeebcb740eb44

      SHA256

      cd9ae5c0ef4a2447fec3944131e925babe6ed4ffaf9b69fdfc2153e7d4ced758

      SHA512

      8ccab41fdf23ed30548420fc0ac98427866467e1ba474b112c92a9185ebae90f42ee91388ab69157a3dab8975e19c47df158022609cc4d9df36be96ca8074941

      Download Submit

    • \Windows\SysWOW64\statcvs.exe
      Filesize

      411KB

      MD5

      eaf07a44a7dcab1d1614e82518d93b67

      SHA1

      c1742c8e1f6869568c45a4791ef61e0ab8f0c41d

      SHA256

      6a00dd21ad5c795c9ebce734c58005dbd2a08d55035acbc622e29249fb4cec5b

      SHA512

      60c642daae05bc4de105db5471ae05caacf4d5079e733d5b975c6573f5ca82f4e7b83398e9ef029ffd5a837562bbac499dcb30f6db7a64efa6339e53fa2f2604

      Download Submit

    • memory/628-104-0x0000000010000000-0x0000000010016000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1152-62-0x0000000000400000-0x0000000000493000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1152-27-0x0000000000400000-0x0000000000493000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1152-66-0x0000000000400000-0x0000000000493000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1152-64-0x0000000000400000-0x0000000000493000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1152-92-0x0000000000400000-0x0000000000493000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1152-60-0x0000000000400000-0x0000000000493000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1152-58-0x0000000000400000-0x0000000000493000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1152-56-0x0000000000400000-0x0000000000493000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1152-52-0x0000000000400000-0x0000000000493000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1152-50-0x0000000000400000-0x0000000000493000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1152-48-0x0000000000400000-0x0000000000493000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1152-45-0x0000000000400000-0x0000000000493000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1152-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1152-39-0x0000000000400000-0x0000000000493000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1152-36-0x0000000000400000-0x0000000000493000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1152-33-0x0000000000400000-0x0000000000493000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1152-30-0x0000000000400000-0x0000000000493000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1152-68-0x0000000000400000-0x0000000000493000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1152-25-0x0000000000400000-0x0000000000493000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1152-74-0x0000000000400000-0x0000000000493000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1152-54-0x0000000000400000-0x0000000000493000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1152-23-0x0000000000400000-0x0000000000493000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1924-107-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1924-117-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1924-115-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1924-113-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1924-111-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1924-109-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1924-108-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/2148-11-0x0000000000190000-0x000000000019A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2148-6-0x0000000000190000-0x000000000019A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2348-69-0x0000000000400000-0x00000000004F6000-memory.dmp

      Filesize

      984KB

      Download

    • memory/2620-121-0x0000000000400000-0x000000000046D000-memory.dmp

      Filesize

      436KB

      Download

    • memory/2696-96-0x0000000010000000-0x0000000010016000-memory.dmp

      Filesize

      88KB

      Download