Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/01/2025, 23:28 UTC

General

  • Target

    JaffaCakes118_9a03ba4a71342cec9fd9d57a0e9ea6ac.exe

  • Size

    856KB

  • MD5

    9a03ba4a71342cec9fd9d57a0e9ea6ac

  • SHA1

    741a1016eecd662c223385690d1fbcb20aad2a52

  • SHA256

    13fc53d9d30523fd4cadd9f2ba28b1bf661ae34f8e6da58c49325f28355dac21

  • SHA512

    c46b34f87bed12bde90fc527f634d2936f51d06426b565261409ca1211da8128bfbb27c0d8b3440dba6712082749f3d7e693a90559466d925fa2be43173b8cab

  • SSDEEP

    12288:cJjCWhgzbBi8PtV9m2YkA4UrCuMtfQBSo7n4fUT2a6A2QeTF0XhMdUyGtd:cJmmgPRPikA43xsr4Y2a6A2nChuUr

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modiloader family
  • ModiLoader Second Stage 9 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Adds Run key to start application 2 TTPs 51 IoCs
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3520
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a03ba4a71342cec9fd9d57a0e9ea6ac.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a03ba4a71342cec9fd9d57a0e9ea6ac.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4676
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a03ba4a71342cec9fd9d57a0e9ea6ac.exe
        JaffaCakes118_9a03ba4a71342cec9fd9d57a0e9ea6ac.exe
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1312
        • C:\Users\Admin\HM23Yh.exe
          C:\Users\Admin\HM23Yh.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2480
          • C:\Users\Admin\yeoni.exe
            "C:\Users\Admin\yeoni.exe"
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:3040
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c tasklist&&del HM23Yh.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2348
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2276
        • C:\Users\Admin\awhost.exe
          C:\Users\Admin\awhost.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2792
          • C:\Users\Admin\awhost.exe
            awhost.exe
            5⤵
            • Executes dropped EXE
            • Maps connected drives based on registry
            • Suspicious behavior: EnumeratesProcesses
            PID:3000
        • C:\Users\Admin\bwhost.exe
          C:\Users\Admin\bwhost.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4424
          • C:\Users\Admin\bwhost.exe
            bwhost.exe
            5⤵
            • Executes dropped EXE
            • Maps connected drives based on registry
            • Suspicious behavior: EnumeratesProcesses
            PID:2704
        • C:\Users\Admin\cwhost.exe
          C:\Users\Admin\cwhost.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:748
          • C:\Windows\explorer.exe
            000001D8*
            5⤵
              PID:2596
          • C:\Users\Admin\dwhost.exe
            C:\Users\Admin\dwhost.exe
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:896
            • C:\Users\Admin\AppData\Local\1cf5d2a5\X
              193.105.154.210:80
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:5028
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe"
              5⤵
                PID:4272
            • C:\Users\Admin\ewhost.exe
              C:\Users\Admin\ewhost.exe
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3596
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_9a03ba4a71342cec9fd9d57a0e9ea6ac.exe
              4⤵
              • System Location Discovery: System Language Discovery
              PID:4308
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist
                5⤵
                • Enumerates processes with tasklist
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:2096

      Network

      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dns.google
      • flag-us
        DNS
        154.239.44.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        154.239.44.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        172.210.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.210.232.199.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        22.160.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        22.160.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        167.173.78.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        167.173.78.104.in-addr.arpa
        IN PTR
        Response
        167.173.78.104.in-addr.arpa
        IN PTR
        a104-78-173-167.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        232.168.11.51.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        232.168.11.51.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        200.163.202.172.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        200.163.202.172.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        198.187.3.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        198.187.3.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        134.130.81.91.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        134.130.81.91.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        21.49.80.91.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        21.49.80.91.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        48.229.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        48.229.111.52.in-addr.arpa
        IN PTR
        Response
      • 193.105.154.210:80
        dwhost.exe
        260 B
        5
      • 193.105.154.210:80
        dwhost.exe
        260 B
        5
      • 193.105.154.210:80
        dwhost.exe
        260 B
        5
      • 193.105.154.210:80
        X
        260 B
        5
      • 8.8.8.8:53
        8.8.8.8.in-addr.arpa
        dns
        66 B
        90 B
        1
        1

        DNS Request

        8.8.8.8.in-addr.arpa

      • 8.8.8.8:53
        154.239.44.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        154.239.44.20.in-addr.arpa

      • 8.8.8.8:53
        172.210.232.199.in-addr.arpa
        dns
        74 B
        128 B
        1
        1

        DNS Request

        172.210.232.199.in-addr.arpa

      • 8.8.8.8:53
        22.160.190.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        22.160.190.20.in-addr.arpa

      • 8.8.8.8:53
        167.173.78.104.in-addr.arpa
        dns
        73 B
        139 B
        1
        1

        DNS Request

        167.173.78.104.in-addr.arpa

      • 8.8.8.8:53
        232.168.11.51.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        232.168.11.51.in-addr.arpa

      • 8.8.8.8:53
        200.163.202.172.in-addr.arpa
        dns
        74 B
        160 B
        1
        1

        DNS Request

        200.163.202.172.in-addr.arpa

      • 8.8.8.8:53
        198.187.3.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        198.187.3.20.in-addr.arpa

      • 8.8.8.8:53
        134.130.81.91.in-addr.arpa
        dns
        72 B
        147 B
        1
        1

        DNS Request

        134.130.81.91.in-addr.arpa

      • 8.8.8.8:53
        21.49.80.91.in-addr.arpa
        dns
        70 B
        145 B
        1
        1

        DNS Request

        21.49.80.91.in-addr.arpa

      • 8.8.8.8:53
        48.229.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        48.229.111.52.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\1cf5d2a5\X

        Filesize

        41KB

        MD5

        686b479b0ee164cf1744a8be359ebb7d

        SHA1

        8615e8f967276a85110b198d575982a958581a07

        SHA256

        fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b

        SHA512

        7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64

      • C:\Users\Admin\HM23Yh.exe

        Filesize

        224KB

        MD5

        b9204dce58a6e81de3b3306eb6cb03e5

        SHA1

        ceb777de961f82c42b9b71dca67b8e56a31908a3

        SHA256

        438f71f74c972c3ed35a21bbc93cbc8dd1fb3cf17fd789ae730e60e53816b472

        SHA512

        f555f397416efd33bf9591dd08ad27a4dfed1d26cbfb9d73dc4c3ae130da8ce254d4bfc1e70406f3c92565d28e045469b3ba3b172bd5d19c5876708bb1aa37ed

      • C:\Users\Admin\awhost.exe

        Filesize

        270KB

        MD5

        5efdb148d618a6b6d2369fccd60f4212

        SHA1

        7e2045b55c33af87848088738215af2bf7ad0b9b

        SHA256

        db7e3eef1813f386579a2dd11587077c6888809ac9c9e33c7584eb301402203b

        SHA512

        e63d8d4caf1cc98bc9beb168302c89885b12175a5802e2e7f507d30bce04eb67ce1f81519f544da297bbb581f59c5baab8ed3fd9b3f7f911a884095603587a21

      • C:\Users\Admin\bwhost.exe

        Filesize

        157KB

        MD5

        2dd258fd2e5a7fccd81b8af93c08780b

        SHA1

        a5373acdb7f4684b032954e9e754593ddcc827b2

        SHA256

        00d8a5382bc4f61a6836bc2b22c05b57485bdf2550188c456f1a854d8a885ca9

        SHA512

        20048701859ed645bc678a3a45a3ef45cee1d31edfba2ab6cc8edbb03bad6174b541694ac09f4dc58c58241a93d592deb049c33d22ef3cc9f0a6eaac925111df

      • C:\Users\Admin\cwhost.exe

        Filesize

        150KB

        MD5

        d91ada984db5e7adbf2b80c2284c12f6

        SHA1

        31e9b27095ac041687b016006f41ea6e5222202d

        SHA256

        8cbabd93630154a79f8f0c52964f330b44b427631403c3eef4b6c6fc87649948

        SHA512

        8a0eea5b8ffc4c8d4bdf1e551e6c11e8d188f2209666e2f4b6a74bed99105264510a612a7a1e72f7142584386891ab4aa95946110b8fe623d5b2035494da0748

      • C:\Users\Admin\dwhost.exe

        Filesize

        333KB

        MD5

        1aceb282a6d05fcc08f3f74f5483bf0a

        SHA1

        778e34df0c35fee3ab8b7f1af14b2b4ce948ea7b

        SHA256

        d62b7050a4ada5513bb9f24c79cf782a8675122ef7833bc8c91cb107fe71fc6d

        SHA512

        5f2c02faa69f1f3f32affc898773d92738a9944a59ad2a28cebe192b0ad1089363c8e3bbc1d202097b160c1b2dada71fc0f03a1a0744dbc2c72cc3273a4629f8

      • C:\Users\Admin\ewhost.exe

        Filesize

        36KB

        MD5

        4bcd12fdaa17197a658a5113af9120ec

        SHA1

        3ac79b0b793e390cf1dea82c1754ec34aab1ea46

        SHA256

        e781bf0233fb732b4b6935255af5cf33b7f0a58bad54b70408c347d2e83dbf96

        SHA512

        dab61b32fc43b2f55a197ebdf1b8c5709ed97e99530fb31a33ec077c25812f075733ff5e97cc5eebe01d8b83cd29ba104caba02b7a8cdf7e13f43e18432ccbdd

      • C:\Users\Admin\yeoni.exe

        Filesize

        224KB

        MD5

        877da92d4b689c3ef216d79d9855f547

        SHA1

        b4bea89e6716a01749a5f4379167dd433da3631f

        SHA256

        acc02a8d5d9c93e8555251f45c00b127e1e3f69918c52c1386baba1338cf1a97

        SHA512

        c51fb257586237dca19c9255aa174fa1d4ab8bfaa364133636c4e6b2f97efdf335e69b7fc212fbb7f048c6988aabcc6f92b6c3dfe9c316f2e746b5348234ece4

      • memory/748-81-0x0000000000400000-0x0000000000444000-memory.dmp

        Filesize

        272KB

      • memory/748-79-0x0000000000400000-0x0000000000444000-memory.dmp

        Filesize

        272KB

      • memory/896-101-0x0000000000400000-0x0000000000462FF0-memory.dmp

        Filesize

        395KB

      • memory/896-95-0x0000000000400000-0x0000000000462FF0-memory.dmp

        Filesize

        395KB

      • memory/1312-116-0x0000000000400000-0x000000000052D000-memory.dmp

        Filesize

        1.2MB

      • memory/1312-1-0x0000000000400000-0x000000000052D000-memory.dmp

        Filesize

        1.2MB

      • memory/1312-4-0x0000000000400000-0x000000000052D000-memory.dmp

        Filesize

        1.2MB

      • memory/1312-63-0x0000000000400000-0x000000000052D000-memory.dmp

        Filesize

        1.2MB

      • memory/1312-0-0x0000000000400000-0x000000000052D000-memory.dmp

        Filesize

        1.2MB

      • memory/1312-8-0x0000000000400000-0x000000000052D000-memory.dmp

        Filesize

        1.2MB

      • memory/1312-6-0x0000000000400000-0x000000000052D000-memory.dmp

        Filesize

        1.2MB

      • memory/2704-74-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

      • memory/2704-68-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

      • memory/2704-72-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

      • memory/2704-69-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

      • memory/2704-73-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

      • memory/2792-62-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB

      • memory/3000-55-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

      • memory/3000-56-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

      • memory/3000-57-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

      • memory/3000-92-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

      • memory/3000-60-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

      • memory/3000-54-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

      • memory/4424-76-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB

      • memory/4676-5-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB
