Overview

overview

10

Static

static

10

JaffaCakes...11.exe

windows7-x64

10

JaffaCakes...11.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-01-2025 17:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_42295816978b4c1162f604b8cc98e211.exe

  • Size

    841KB

  • MD5

    42295816978b4c1162f604b8cc98e211

  • SHA1

    c63183321b3ef906b62569d901b6fc61530b42c2

  • SHA256

    77305518a1b2d8a76f3adaf7959dc850b5ed90ded43792ad26fb23d725505abd

  • SHA512

    6c28c638883f72e672c1796d243a77b80ff1be1d392b58fb236f8351ed002101f7066064d00ec6c127781e835eadad133cd4b11a0032df227ce5d7ee9aabb91f

  • SSDEEP

    24576:Y1ckXnJDH7oH1haz/5qgxuLh62tLqazx5QwLzyUSSykQ59aIkPTr:Y1v3Jz8H1hU/5qgQ62Bqad5g0yksxkrr

Score
10/10
modiloaderdefense_evasiondiscoverypersistencetrojanupx

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    defense_evasion
  • Modiloader family
    modiloader
  • ModiLoader Second Stage 9 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of SetThreadContext 4 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42295816978b4c1162f604b8cc98e211.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42295816978b4c1162f604b8cc98e211.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42295816978b4c1162f604b8cc98e211.exe
      JaffaCakes118_42295816978b4c1162f604b8cc98e211.exe
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Users\Admin\miGRu6Gcu2.exe
        C:\Users\Admin\miGRu6Gcu2.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4980
        • C:\Users\Admin\ktruuy.exe
          "C:\Users\Admin\ktruuy.exe"
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2080
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del miGRu6Gcu2.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3876
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:4116
      • C:\Users\Admin\alhost.exe
        C:\Users\Admin\alhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:428
        • C:\Users\Admin\alhost.exe
          alhost.exe
          4⤵
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Suspicious behavior: EnumeratesProcesses
          PID:4920
      • C:\Users\Admin\blhost.exe
        C:\Users\Admin\blhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\Users\Admin\blhost.exe
          blhost.exe
          4⤵
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Suspicious behavior: EnumeratesProcesses
          PID:3860
      • C:\Users\Admin\clhost.exe
        C:\Users\Admin\clhost.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1500
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 396
          4⤵
          • Program crash
          PID:1564
      • C:\Users\Admin\dlhost.exe
        C:\Users\Admin\dlhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3780
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe"
          4⤵
            PID:1456
        • C:\Users\Admin\elhost.exe
          C:\Users\Admin\elhost.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4852
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_42295816978b4c1162f604b8cc98e211.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4400
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:4052
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1500 -ip 1500
      1⤵
        PID:3096

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\alhost.exe
        Filesize

        236KB

        MD5

        ccee7bbbd52e9e3d551451e54f85489a

        SHA1

        7f72be25a00d4e667f17fa106bf024fac3eb9886

        SHA256

        24d5bac9c9a2d7e77dc8f79ad7fe3333283028dbec964effd9020dd6473e3290

        SHA512

        3e2fd0abfc61741698570a600aa4f845503410bc9bef9906dced2df27e5f38c7bb06eefb653a0e199eec88044725e2c0f0238253c73979fcceecb992e3b73af4

        Download Submit

      • C:\Users\Admin\blhost.exe
        Filesize

        126KB

        MD5

        f9482a349a998f5c9cb842705e67fea7

        SHA1

        196794ddf71cab834c7029dbf1c27009b06754b2

        SHA256

        9e5b1531710c57fad4e07c5888db6823e6634384a5ebe9d7f40b54cb9a163b44

        SHA512

        71ced1fbd460b833d1f422a80d5a27a893e18f7a6286cb61b1283a2c843f8fc77a68b30cba33fe988063f5db3893cb7fd8f677e023960b1999386c18389c9536

        Download Submit

      • C:\Users\Admin\clhost.exe
        Filesize

        283KB

        MD5

        78b038f42b4e2490672f9a35a42674b5

        SHA1

        ca8972f311b9dab6aa917b65cfb9726447fb44f8

        SHA256

        99125e2bff877025e5687aa5928061cc7da65a944afcd81a66f556bf5d48730d

        SHA512

        13826dd7b9b1de6b08189c814487fcf6dd369059be8f70d5ba7ef6e9339a56be6f04a424e11238cc49a932e7d2988630c102109a861cb4adb5382f9e883ae515

        Download Submit

      • C:\Users\Admin\dlhost.exe
        Filesize

        244KB

        MD5

        682907092bb50419e5b28cf99466e124

        SHA1

        622962a69e71cf4192f860be74249be205e9ce13

        SHA256

        9e08b47ad6498e8f7173eb8a9e2ce2c4aaa36d0c69cfb3365ba76938d037f98e

        SHA512

        cced9e3ec516c2e07182ecf012749b9b123bd70d6204d5f82afa4c0a8a8f110da8690c816e7c8d97f9a283e8e4961fbe0afa60badd4b57d21a8decfa1b527799

        Download Submit

      • C:\Users\Admin\elhost.exe
        Filesize

        32KB

        MD5

        00a9df0a178efb6f4f44aa392186c492

        SHA1

        d3c3039ca41481525815bca5301d9d00f5725667

        SHA256

        c505d1c76b1e886de65c6b7b171a9d56870a320532c7561f7f8b162920602b18

        SHA512

        ae0cbce9119ec561a8084610a42f30f60ed29d6bde908dedb7394dbcd8cd24456c85a543b72aa797705130ccce851a348a5171baf1c8a2499ad599b345283a3f

        Download Submit

      • C:\Users\Admin\ktruuy.exe
        Filesize

        192KB

        MD5

        996b307d96d72c863ff3660966cdebc7

        SHA1

        0628d6860a5025eef2994ea8cbb81f5da4ab02c0

        SHA256

        450b878ec6c8e5ea913e0a171011083158dabd9b6c001b449bd9829bd58b2b2c

        SHA512

        fc93532b7f53aa17eaeff5b8dd7037dd3fb0285b8f95c20a89019e2998e1f22e98cd487d0ff2f2977b8585a99c49686e9d6df0621f3402d3e9232a5ce7347383

        Download Submit

      • C:\Users\Admin\miGRu6Gcu2.exe
        Filesize

        192KB

        MD5

        869d4fbc9194f74e9815f487d245fcff

        SHA1

        66ac3d8d447558f6389e3a8e203c1b60634af873

        SHA256

        b7bc5a05d5190e33bcf35bc06107881990caf3fd99643c50eb855ca8505d7113

        SHA512

        57700b710c9c42ed07f1959c7a17d592a5bfafadb340eaec33d769a788cb5b84de7d84b4ff5b865df9fedd966d7dc8b5a2534811e1de52f488a31a5548d4d6ce

        Download Submit

      • memory/428-50-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1084-6-0x0000000000400000-0x0000000000419000-memory.dmp

        Filesize

        100KB

        Download

      • memory/2752-58-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2968-7-0x0000000000400000-0x000000000051D000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2968-1-0x0000000000400000-0x000000000051D000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2968-92-0x0000000000400000-0x000000000051D000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2968-5-0x0000000000400000-0x000000000051D000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2968-0-0x0000000000400000-0x000000000051D000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2968-69-0x0000000000400000-0x000000000051D000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2968-9-0x0000000000400000-0x000000000051D000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2968-4-0x0000000000400000-0x000000000051D000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3780-75-0x0000000000400000-0x000000000045E000-memory.dmp

        Filesize

        376KB

        Download

      • memory/3860-61-0x0000000000400000-0x0000000000427000-memory.dmp

        Filesize

        156KB

        Download

      • memory/3860-60-0x0000000000400000-0x0000000000427000-memory.dmp

        Filesize

        156KB

        Download

      • memory/3860-55-0x0000000000400000-0x0000000000427000-memory.dmp

        Filesize

        156KB

        Download

      • memory/3860-54-0x0000000000400000-0x0000000000427000-memory.dmp

        Filesize

        156KB

        Download

      • memory/3860-72-0x0000000000400000-0x0000000000427000-memory.dmp

        Filesize

        156KB

        Download

      • memory/4920-44-0x0000000000400000-0x0000000000437000-memory.dmp

        Filesize

        220KB

        Download

      • memory/4920-45-0x0000000000400000-0x0000000000437000-memory.dmp

        Filesize

        220KB

        Download

      • memory/4920-71-0x0000000000400000-0x0000000000437000-memory.dmp

        Filesize

        220KB

        Download

      • memory/4920-46-0x0000000000400000-0x0000000000437000-memory.dmp

        Filesize

        220KB

        Download

      • memory/4920-48-0x0000000000400000-0x0000000000437000-memory.dmp

        Filesize

        220KB

        Download

      • memory/4920-43-0x0000000000400000-0x0000000000437000-memory.dmp

        Filesize

        220KB

        Download