Overview

overview

10

Static

static

3

JaffaCakes...cd.exe

windows7-x64

10

JaffaCakes...cd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    13/01/2025, 21:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_2ff44f1d1d9496248e0b697ec4c84dcd.exe

  • Size

    584KB

  • MD5

    2ff44f1d1d9496248e0b697ec4c84dcd

  • SHA1

    a945b36327b71584aa493c4513a57e4c08a23485

  • SHA256

    aec492e72c472944b15204ec7aa8a34580d4844ccf8c3eb539ed4516362c4eeb

  • SHA512

    f2365d61205b14d78c1b721fcbe05f9d66e18529fb5e712026267a24b84ed56f5c552f007ab3780a109e42a4f73434661825581e8bfba0e71594eef19c57e149

  • SSDEEP

    12288:sq5LPiSDHPWE8TRg0xkl0xCVCv1fMBitD52acOoI46emcn:szSbPWE8TR1A5y2KSF

Score
10/10
modiloaderdiscoveryevasiontrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modiloader family
    modiloader
  • ModiLoader Second Stage 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2ff44f1d1d9496248e0b697ec4c84dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2ff44f1d1d9496248e0b697ec4c84dcd.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
      "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
      2⤵
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2732
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2984

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\Exporer32.exe
    Filesize

    560KB

    MD5

    169e0a3bfa3deeb704db9f6cdea792f3

    SHA1

    2d3ef217e75f57794eda1150e51506c8816d1a0e

    SHA256

    12cd10910205448aecaa7d90fde6c100a03757d6c0b7e7f9cc48170175e07e90

    SHA512

    eb18cb0ec74c3e2306673fb341f299795e29a6e24255aad84a2ea0ea729111ee21f19940c1d6f50f29ecb128b7683cb570918fdfe053d84cbbebfbb63bf5b68b

    Download Submit

  • memory/2140-0-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2140-12-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2732-13-0x00000000001F0000-0x00000000001F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2732-14-0x0000000002E60000-0x0000000002E61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2732-18-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB

    Download