Analysis

  • max time kernel
    105s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250313-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/03/2025, 19:51

General

  • Target

    JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe

  • Size

    542KB

  • MD5

    9626cfb220a4d6d3be387187e9b66638

  • SHA1

    b88508a9a4f6f75e720c1f5a3af8e0200a40c7fc

  • SHA256

    22845910e8d8e988c6a40f5d583af3eaeb21419e92026623e930150c9c7c9a5c

  • SHA512

    03a7d86bfc8beea8b46102b6cf23de6c4fdabb4a08631669e5718896fcae76f490ffc97e58765177c8124e38d32ee522d0da8624f97a1b09cb3c69864a7ce14b

  • SSDEEP

    12288:Qvx24F0U/9wAosmYRJmRhewxqD3rUfXaDNaqZ/9T+sjEtrwh6dOPD:q9Ft6/x8JCmUCRfZVT+sYWgd

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader family
  • ModiLoader Second Stage (4 IoCs)
  • Executes dropped EXE (1 IoC)
  • Enumerates connected drives (3 TTPs, 23 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file (1 TTP, 2 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory (2 IoCs)
  • Drops file in Program Files directory (3 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe"
    1⤵
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5376
    • C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server.exe
      "C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4264
      • C:\Windows\SysWOW64\calc.exe
        "C:\Windows\system32\calc.exe"
        3⤵
          PID:1252
        • C:\program files\internet explorer\IEXPLORE.EXE
          "C:\program files\internet explorer\IEXPLORE.EXE"
          3⤵
            PID:4612
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
          2⤵
          • System Location Discovery: System Language Discovery
          PID:4680

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AutoRun.inf

    Filesize
    166B

    MD5
    42e6ddc67c0c51a3e39780a99988f551

    SHA1
    3422a8dde772d662217339179f81ccb3686780d4

    SHA256
    f9c0462fff3f51f85aa116b2d0f38fd2a8e7263284a3bb1cde9b87a92abfaf01

    SHA512
    e1a316110a286ce72a8948e67b1c38e29cec73720780886873f00f0082ddee21557d8c7eb8106531f4cf0d3bf5b7945b60fe11f792e3ba70879e6a7063acea5b

  • C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat

    Filesize
    212B

    MD5
    589dedae304885508f0559f4c1628fb3

    SHA1
    c31a8f81c26dce244c1dc932c86921b98245fef4

    SHA256
    5f7d21cb11eca48634056841c2d95e4f318164cd0adf4e6fd07b3fd5fa8ba226

    SHA512
    703e264c520aafd660216d07338fce01636d226059931eee9f532ed9dfe3f04be1af8e29f3b0e9bdf39983054596644895279b30a8601f51a7875b41b98d636a

  • F:\Server.exe

    Filesize
    542KB

    MD5
    9626cfb220a4d6d3be387187e9b66638

    SHA1
    b88508a9a4f6f75e720c1f5a3af8e0200a40c7fc

    SHA256
    22845910e8d8e988c6a40f5d583af3eaeb21419e92026623e930150c9c7c9a5c

    SHA512
    03a7d86bfc8beea8b46102b6cf23de6c4fdabb4a08631669e5718896fcae76f490ffc97e58765177c8124e38d32ee522d0da8624f97a1b09cb3c69864a7ce14b

  • memory/4264-26-0x0000000000400000-0x000000000054C4EC-memory.dmp

    Filesize
    1.3MB

  • memory/4264-29-0x0000000000400000-0x000000000054C4EC-memory.dmp

    Filesize
    1.3MB

  • memory/4264-33-0x0000000000400000-0x000000000054C4EC-memory.dmp

    Filesize
    1.3MB

  • memory/5376-0-0x0000000000400000-0x000000000054C4EC-memory.dmp

    Filesize
    1.3MB

  • memory/5376-1-0x00000000004C4000-0x00000000004C5000-memory.dmp

    Filesize
    4KB

  • memory/5376-22-0x0000000000400000-0x000000000054C4EC-memory.dmp

    Filesize
    1.3MB

  • memory/5376-34-0x0000000000400000-0x000000000054C4EC-memory.dmp

    Filesize
    1.3MB