Analysis

  • max time kernel: 141s
  • max time network: 145s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240611-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 28-06-2024 01:13

General

  • Target: 183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe
  • Size: 356KB
  • MD5: 183eb38e6f8325b9c0841e29e5ad54ad
  • SHA1: 050a05945e9d6200d7a38b66d72273972cb7c4bd
  • SHA256: 08f8a8d98146521aec865b97ae8968208503580b04c3a61c8131e1ad1f94fc85
  • SHA512: 827b923067d41002b01047d5bdd56b6f6ab4c169d81f78b789d8984d0dd0de6a770172d2d1c5f428636ebd647512cbd5e149a58030dadb8e237fe4eaa42db287
  • SSDEEP: 6144:jWieYPVY7dSsxYomneDJ0JNWjJPDszxYc8MBnr1N05xq8kzBZ474+eQV/otb7KOa:saVsYomn60JgjJPDs1BlBrr05xb/EQ2

Malware Config

Signatures

  • ModiLoader, DBatLoader
    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  • ModiLoader Second Stage (2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoCs)
    Looks up the country code configured in the registry, likely for geofencing.
  • Executes dropped EXE (2 IoCs)
  • Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
  • Loads dropped DLL (4 IoCs)
  • UPX packed file (5 IoCs)
    Detects executables packed with UPX or a modified build of the UPX open-source packer.
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Drops file in System32 directory (3 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies registry class (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\183eb38e6f8325b9c0841e29e5ad54ad_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Windows\msnmsgr.exe
      "C:\Windows\msnmsgr.exe"
      2⤵
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3600
      • C:\Windows\SysWOW64\ldapi32.exe
        C:\Windows\system32\ldapi32.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2820

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    • Impair Defenses (T1562): 1
    • Safe Mode Boot (T1562.009): 1
    • Modify Registry (T1112): 1
  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 2


Downloads

  • C:\Windows\SysWOW64\ldapi32.exe
    Filesize: 20KB
    MD5: 92acb5d55bc589ea424d174b31f76686
    SHA1: 1f9f023b1ae0b1be5c397fe103ac520b371fbd6b
    SHA256: 3bea383242a4439634618a86993c8e70c43cb8810e5324f3f9c6b9cbe7b3ead4
    SHA512: e89ea8bf0b6c2bd11072a5d455e67b2b8470292dfb8382a3bfb5da4a409b86390a62f448e7cdd496f286b1ac4097436efd83e886ae5b45accda6da7dc4d9938e

  • C:\Windows\SysWOW64\ntswrl32.dll
    Filesize: 11KB
    MD5: 638f5a55fb714b6039ae0ace0ee70e44
    SHA1: 7b47cdf023822722b3b81e936cb16fbecb00babc
    SHA256: 7d671074387a6885c5a4815165242720be442689e276cf64cc376da49080bb1f
    SHA512: 68f8fb741566d9e4cb2a420a3fe179db59b29f9ab5f9aee7fd5312e1e7f0991b4d1491b2e557374ca7c4f3aee8948201721408601f68f9f86d36a4df5947e357

  • C:\Windows\msnmsgr.exe
    Filesize: 316KB
    MD5: 02edc45fa5b103992445370695bc52e5
    SHA1: 32f765f906bf6bbd9fa4466a7602460bb7470d79
    SHA256: d486b3777e5ea22d671dc3731b69c3b18c7fa55fe82f712651a73aa02d17ab20
    SHA512: 799c75a3af5927d0d0565a099c9098a008f7a44e7851b138c14473371a231b1c0db8cc8d57d53e8e3cf74b7fb668ff538e6437ae9cb08cdaa0f469e06c0499e5

  • memory/2736-0-0x0000000000400000-0x000000000054A000-memory.dmp (Filesize: 1.3MB)
  • memory/2736-34-0x0000000000400000-0x000000000054A000-memory.dmp (Filesize: 1.3MB)
  • memory/2820-48-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize: 48KB)
  • memory/3600-35-0x0000000000400000-0x00000000005BC000-memory.dmp (Filesize: 1.7MB)
  • memory/3600-36-0x0000000000BA0000-0x0000000000BA1000-memory.dmp (Filesize: 4KB)
  • memory/3600-55-0x0000000002B20000-0x0000000002B29000-memory.dmp (Filesize: 36KB)
  • memory/3600-54-0x0000000000400000-0x00000000005BC000-memory.dmp (Filesize: 1.7MB)
  • memory/3600-58-0x0000000000BA0000-0x0000000000BA1000-memory.dmp (Filesize: 4KB)