Overview

overview

10

Static

static

3

JaffaCakes...05.exe

windows7-x64

10

JaffaCakes...05.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    105s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/03/2025, 16:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_98f07c63601aa396bdfee30007424e05.exe

  • Size

    690KB

  • MD5

    98f07c63601aa396bdfee30007424e05

  • SHA1

    146911c28b70fd104e3d204983f3217d6c23348f

  • SHA256

    91c9db4d11b398d135a798acd354fe8f5b03537c85a97bb6190c6fce67cafa78

  • SHA512

    26d8397416bed9f1685fa1ca9250db7682cedf21a59a37b948c1a0a09e29edc22df69c839a4bdb9d67417e8007b53f1859d927104dde09dbf0eb32a1313552cf

  • SSDEEP

    12288:UxclaI4To3eFuWjJucE+tDYsvESNuK72BF3Z4mxxPOa/UtfO2UrgQ:Ux43WJtZlYg557GQmXDcNOPcQ

Score
10/10
modiloaderdiscoverytrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modiloader family
    modiloader
  • ModiLoader Second Stage 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98f07c63601aa396bdfee30007424e05.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98f07c63601aa396bdfee30007424e05.exe"
    1⤵
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Program Files\Common Files\Microsoft Shared\MSINFO\rav.exe
      "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rav.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3276
      • C:\Windows\SysWOW64\calc.exe
        "C:\Windows\system32\calc.exe"
        3⤵
        • Suspicious use of UnmapMainImage
        PID:2444
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 12
          4⤵
          • Program crash
          PID:1512
      • C:\program files\internet explorer\IEXPLORE.EXE
        "C:\program files\internet explorer\IEXPLORE.EXE"
        3⤵
          PID:2036
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 688
          3⤵
          • Program crash
          PID:968
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
        2⤵
        • System Location Discovery: System Language Discovery
        PID:4088
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2444 -ip 2444
      1⤵
        PID:4736
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3276 -ip 3276
        1⤵
          PID:2484

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat
          Filesize

          212B

          MD5

          7459f4b99cbc4ef5c2c4c77c6a4f835b

          SHA1

          6b5d78f7ec8c73c2c7e2814cc1752b8b28558838

          SHA256

          876132d845fbb3d3134a88f01338f930411f4e5cd581b2d98046d1e9710de64c

          SHA512

          59b1e8a7ad7334aa84de5ff31aa1cf41c39d0f8c129d18a8d44e1e913333fd217dc3555b3d1aeb451d37c1d15cd792de7dede429f5b3c8a0206c5db36ba9384b

          Download Submit

        • F:\rav.exe
          Filesize

          690KB

          MD5

          98f07c63601aa396bdfee30007424e05

          SHA1

          146911c28b70fd104e3d204983f3217d6c23348f

          SHA256

          91c9db4d11b398d135a798acd354fe8f5b03537c85a97bb6190c6fce67cafa78

          SHA512

          26d8397416bed9f1685fa1ca9250db7682cedf21a59a37b948c1a0a09e29edc22df69c839a4bdb9d67417e8007b53f1859d927104dde09dbf0eb32a1313552cf

          Download Submit

        • memory/1420-12-0x00000000034D0000-0x00000000034D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1420-6-0x00000000024D0000-0x00000000024D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1420-25-0x00000000034E0000-0x00000000034E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1420-24-0x0000000002290000-0x0000000002291000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1420-23-0x0000000002280000-0x0000000002281000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1420-21-0x00000000035C0000-0x00000000035C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1420-20-0x00000000035C0000-0x00000000035C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1420-19-0x00000000035C0000-0x00000000035C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1420-18-0x00000000035C0000-0x00000000035C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1420-17-0x00000000035C0000-0x00000000035C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1420-16-0x00000000035C0000-0x00000000035C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1420-15-0x00000000035C0000-0x00000000035C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1420-14-0x00000000034C0000-0x00000000034C3000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1420-13-0x00000000034D0000-0x00000000034D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1420-22-0x0000000003510000-0x0000000003511000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1420-0-0x0000000000400000-0x0000000000523000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1420-4-0x0000000002550000-0x0000000002551000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1420-9-0x0000000002560000-0x0000000002561000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1420-8-0x0000000002530000-0x0000000002531000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1420-7-0x0000000002540000-0x0000000002541000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1420-11-0x00000000034D0000-0x00000000034D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1420-5-0x00000000024E0000-0x00000000024E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1420-10-0x00000000024F0000-0x00000000024F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1420-2-0x0000000002520000-0x0000000002521000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1420-3-0x0000000002500000-0x0000000002501000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1420-1-0x00000000022E0000-0x0000000002334000-memory.dmp

          Filesize

          336KB

          Download

        • memory/1420-46-0x0000000000400000-0x0000000000523000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1420-47-0x00000000022E0000-0x0000000002334000-memory.dmp

          Filesize

          336KB

          Download

        • memory/2444-41-0x0000000000400000-0x0000000000523000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3276-49-0x0000000000400000-0x0000000000523000-memory.dmp

          Filesize

          1.1MB

          Download