Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/01/2025, 06:03 UTC

General

  • Target

    JaffaCakes118_02834ca1ee7a3899bef818f98236ad08.exe

  • Size

    294KB

  • MD5

    02834ca1ee7a3899bef818f98236ad08

  • SHA1

    93e8504fe754afba08e0d6124456f4e5cab6d12e

  • SHA256

    aeaa0a82b77e6f9be47dfae6b87b4e6c7113fcdc9c433bb5e9ebec9613318d8d

  • SHA512

    706f297ef89824c3e4012b117cb6e81bcba3daeb16beca6639b34e4a226c20ecdcb4482ed5a25f2dc1bd500c75f9adf8af65423f57c86b6d119bdf34581b3964

  • SSDEEP

    6144:l4hJQM/KsXoMDGWmV9Jw9DY7yQue0VkIcYRHoO3iQjv4YGKSKud5Bx6MmdL0:lQJQIldSNqlYCequOICQ65+QM3

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • ModiLoader Second Stage 4 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 18 IoCs
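The "UPX packed file" signature above keys on two marks a UPX build leaves in a PE: the section names UPX0/UPX1/UPX2 and the "UPX!" magic of the packer's own header. The check below is an added example, not the sandbox vendor's rule; it walks the PE headers itself so the logic is visible, and runs against PE byte layouts built in memory (constructed input, not a real binary). The claim that modified UPX builds tend to rename the sections but keep the magic is an assumption drawn from the signature's wording, which is why the two marks are reported separately. On a real sample, replace build_pe() with open(path, "rb").read().

```python
"""Added example (not the sandbox vendor's detection): a minimal check for
the two marks the 'UPX packed file' signature relies on, run against PE
header layouts built in memory so it works offline."""
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}   # names stock UPX gives its sections
UPX_MAGIC = b"UPX!"                              # l_magic of UPX's packed-file header


def section_names(data: bytes) -> list[str]:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return the 8-byte section names."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]     # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]     # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size            # section table follows the optional header
    names = []
    for i in range(nsections):
        raw = data[table + 40 * i: table + 40 * i + 8]              # IMAGE_SECTION_HEADER.Name
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Report each UPX mark on its own.  Stock UPX leaves both; a build that
    renames its sections (assumption: the 'modified UPX' the signature refers
    to) may still carry the 'UPX!' magic, so neither mark is required alone."""
    names = section_names(data)
    return {
        "sections": sorted(UPX_SECTION_NAMES & set(names)),
        "magic": UPX_MAGIC in data,
    }


def is_upx_packed(data: bytes) -> bool:
    ind = upx_indicators(data)
    return bool(ind["sections"]) or ind["magic"]


def build_pe(names: list[str], trailer: bytes = b"") -> bytes:
    """Constructed test input: the smallest byte layout section_names() needs
    (DOS stub, PE32 optional header, zeroed section headers); not a runnable binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64-byte DOS header
    opt = b"\0" * 0xE0                                                # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, len(opt), 0x102)
    table = b"".join(n.encode("ascii").ljust(8, b"\0")[:8] + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + opt + table + trailer


# Three constructed cases: stock UPX, renamed sections with the magic kept, clean build.
STOCK_UPX = build_pe(["UPX0", "UPX1", ".rsrc"], trailer=UPX_MAGIC + b"\x0d\x16")
MODIFIED_UPX = build_pe([".text", ".data", ".rsrc"], trailer=b"\0" * 16 + UPX_MAGIC)
CLEAN = build_pe([".text", ".rdata", ".data", ".rsrc"])

if __name__ == "__main__":
    for label, blob in [("stock", STOCK_UPX), ("modified", MODIFIED_UPX), ("clean", CLEAN)]:
        print(label, is_upx_packed(blob), upx_indicators(blob))
```

A section-name match is the cheaper, higher-confidence mark; the "UPX!" substring on its own can also come from an unrelated string in the binary, so treat a magic-only hit as "inspect", not "packed".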

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02834ca1ee7a3899bef818f98236ad08.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02834ca1ee7a3899bef818f98236ad08.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Program Files\Server101.exe
      "C:\Program Files\Server101.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Windows\SysWOW64\calc.exe
        "C:\Windows\system32\calc.exe"
        3⤵
          PID:580
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 280
          3⤵
          • Loads dropped DLL
          • Program crash
          PID:2744
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Program Files\DelSvel.bat""
        2⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2912

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Program Files\DelSvel.bat

      Filesize

      212B

      MD5

      86cf03b8df3f0b4bef728b1eab3e78fe

      SHA1

      7206a4024d5f481a0240bb41723ed1d483a70a72

      SHA256

      240e76e3af1ea35be25e6e87be309106d024abb26772aad6d76c0a1c2d9e5105

      SHA512

      a04c2d30caa6b5e0d5e7b2a1489531a333dd4b0510332fd1b06188c779cd417250de3249492875b34ef3408fb31e7002c48a28595601deff8f0595e28cfed312

    • F:\Server101.exe

      Filesize

      294KB

      MD5

      02834ca1ee7a3899bef818f98236ad08

      SHA1

      93e8504fe754afba08e0d6124456f4e5cab6d12e

      SHA256

      aeaa0a82b77e6f9be47dfae6b87b4e6c7113fcdc9c433bb5e9ebec9613318d8d

      SHA512

      706f297ef89824c3e4012b117cb6e81bcba3daeb16beca6639b34e4a226c20ecdcb4482ed5a25f2dc1bd500c75f9adf8af65423f57c86b6d119bdf34581b3964

    • memory/580-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/580-28-0x0000000000400000-0x00000000004C3000-memory.dmp

      Filesize

      780KB

    • memory/2080-46-0x0000000000400000-0x00000000004C3000-memory.dmp

      Filesize

      780KB

    • memory/2080-45-0x0000000000280000-0x0000000000281000-memory.dmp

      Filesize

      4KB

    • memory/2080-20-0x0000000000280000-0x0000000000281000-memory.dmp

      Filesize

      4KB

    • memory/2080-43-0x0000000000400000-0x00000000004C3000-memory.dmp

      Filesize

      780KB

    • memory/2984-18-0x0000000002E70000-0x0000000002F33000-memory.dmp

      Filesize

      780KB

    • memory/2984-41-0x0000000000400000-0x00000000004C3000-memory.dmp

      Filesize

      780KB

    • memory/2984-33-0x0000000000400000-0x00000000004C3000-memory.dmp

      Filesize

      780KB

    • memory/2984-0-0x0000000000400000-0x00000000004C3000-memory.dmp

      Filesize

      780KB

    • memory/2984-1-0x00000000003F0000-0x00000000003F1000-memory.dmp

      Filesize

      4KB
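Read together, the report's own data supports three findings a responder would act on: the copy at F:\Server101.exe carries the same SHA-256 as the submitted sample (the loader staging itself on an attached volume, which is what the autorun.inf drop is for); calc.exe (PID 580) has a 780KB region at 0x400000 exactly matching Server101.exe's own image region, the footprint left by the SetThreadContext/WriteProcessMemory hollowing the signatures flag; and WerFault's "-p 2080" shows that the injector itself, not calc.exe, is the process that crashed. The script below is an added example, not part of the sandbox vendor's tooling: the hashes, process tree and memory-dump names are transcribed from this page into constructed inline tables so it runs offline (a real run would read the report's export instead, which is an assumption). The 0x400000 size-match heuristic is specific to non-relocated 32-bit images like this one and is a triage aid, not a general hollowing detector.

```python
"""Added example, not part of the sandbox vendor's report or tooling: pulls
the three behavioural findings out of the report data transcribed below."""
import re
from collections import defaultdict

SAMPLE_SHA256 = "aeaa0a82b77e6f9be47dfae6b87b4e6c7113fcdc9c433bb5e9ebec9613318d8d"

# Dropped files: path -> SHA-256 (transcribed from the report)
DROPPED = {
    "C:\\Program Files\\DelSvel.bat":
        "240e76e3af1ea35be25e6e87be309106d024abb26772aad6d76c0a1c2d9e5105",
    "F:\\Server101.exe":
        "aeaa0a82b77e6f9be47dfae6b87b4e6c7113fcdc9c433bb5e9ebec9613318d8d",
}

# Process tree: pid -> (image path, parent pid, command line or None)
PROCESSES = {
    2984: ("C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_02834ca1ee7a3899bef818f98236ad08.exe", None, None),
    2080: ("C:\\Program Files\\Server101.exe", 2984, None),
    580:  ("C:\\Windows\\SysWOW64\\calc.exe", 2080, "\"C:\\Windows\\system32\\calc.exe\""),
    2744: ("C:\\Windows\\SysWOW64\\WerFault.exe", 2080, "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 2080 -s 280"),
    2912: ("C:\\Windows\\SysWOW64\\cmd.exe", 2984, "cmd /c \"\"C:\\Program Files\\DelSvel.bat\"\""),
}

# Memory dump names as listed in the report: memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
MEMORY_DUMPS = [
    "memory/580-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/580-28-0x0000000000400000-0x00000000004C3000-memory.dmp",
    "memory/2080-46-0x0000000000400000-0x00000000004C3000-memory.dmp",
    "memory/2080-45-0x0000000000280000-0x0000000000281000-memory.dmp",
    "memory/2080-20-0x0000000000280000-0x0000000000281000-memory.dmp",
    "memory/2080-43-0x0000000000400000-0x00000000004C3000-memory.dmp",
    "memory/2984-18-0x0000000002E70000-0x0000000002F33000-memory.dmp",
    "memory/2984-41-0x0000000000400000-0x00000000004C3000-memory.dmp",
    "memory/2984-33-0x0000000000400000-0x00000000004C3000-memory.dmp",
    "memory/2984-0-0x0000000000400000-0x00000000004C3000-memory.dmp",
    "memory/2984-1-0x00000000003F0000-0x00000000003F1000-memory.dmp",
]

DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*\s-p\s+(\d+)")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def self_copies(sample_sha256, dropped):
    """Dropped files byte-identical to the submitted sample.  With the
    'Drops autorun.inf' signature, a copy on a non-C: volume is the loader
    staging itself to spread via attached drives."""
    return sorted(p for p, h in dropped.items() if h.lower() == sample_sha256.lower())


def image_regions(dumps):
    """pid -> {(base, size)} for every dumped region."""
    regions = defaultdict(set)
    for name in dumps:
        m = DUMP_RE.fullmatch(name)
        if m:
            lo, hi = int(m.group(2), 16), int(m.group(3), 16)
            regions[int(m.group(1))].add((lo, hi - lo))
    return regions


def hollowing_candidates(processes, dumps, base=0x400000):
    """Heuristic for the SetThreadContext + WriteProcessMemory pattern: a
    process started from a system directory whose region at the classic
    0x400000 image base is exactly the size of its parent's own image
    region had its memory replaced by the parent (process hollowing)."""
    regions = image_regions(dumps)
    hits = []
    for pid, (path, ppid, _) in processes.items():
        if ppid is None or not path.lower().startswith(SYSTEM_DIRS):
            continue
        child = {size for b, size in regions.get(pid, ()) if b == base}
        parent = {size for b, size in regions.get(ppid, ()) if b == base}
        for size in sorted(child & parent):
            hits.append({"pid": pid, "image": path, "parent": ppid, "size": size})
    return hits


def crashed_pids(processes):
    """The 'Program crash' IoC: WerFault's -p argument names the faulting process."""
    crashed = []
    for _, _, cmd in processes.values():
        m = WERFAULT_RE.search(cmd) if cmd else None
        if m:
            crashed.append(int(m.group(1)))
    return sorted(crashed)


if __name__ == "__main__":
    print("self copies:", self_copies(SAMPLE_SHA256, DROPPED))
    print("hollowing:", hollowing_candidates(PROCESSES, MEMORY_DUMPS))
    print("crashed:", crashed_pids(PROCESSES))
```

On a live host the equivalent check is to compare the PE header in the process's memory at its image base with the header of the on-disk image; the size-match above works here only because the sandbox dumped the same 0x400000 region from both the injector and calc.exe.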
