Overview

overview

10

Static

static

3

18b9ffa877...18.exe

windows7-x64

10

18b9ffa877...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2024 04:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe

  • Size

    271KB

  • MD5

    18b9ffa8777c84994dd00d55d1d9f279

  • SHA1

    67687a599890925fd59698e574b9f4d27b5ea33e

  • SHA256

    44523c55625993a786873e2ff8fcec8a09733b1d62bb8bbe3ba70472630fc531

  • SHA512

    92872fb6c9ce0e3ff12393c4e735f59c5edd4db2dd86980b58d021c499dfb0d0b8608f87493c4f169106501b48f2fb84f80cfac19d8fb87cbf8c0971247cd232

  • SSDEEP

    6144:Wpq2BEEea7c8L7C7FB+P72WfxX2iGZTbIeLFLjs3glZ4Z:WgqEEea7tL7C7LxWffGvjeglZ4Z

Score
10/10
modiloaderevasionpersistencetrojanupx

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • ModiLoader Second Stage 16 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Users\Admin\AppData\Local\Temp\26834.exe
      "C:\Users\Admin\AppData\Local\Temp\26834.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4200
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4708
    • C:\Users\Admin\AppData\Local\Temp\95534.exe
      "C:\Users\Admin\AppData\Local\Temp\95534.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2352
      • C:\Windows\msvcnu32.exe
        "C:\Windows\msvcnu32.exe"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:3852
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\26834.exe
    Filesize

    142KB

    MD5

    35aff1b50d81dbcd833b6c23ee192894

    SHA1

    85ef9c2be6669a2ee8b52988b1ecc50cac5f7f3b

    SHA256

    8f2fa965e1ef653c1f2514d8a5a234ca7fb5a26d101f815f98adbf4307643e79

    SHA512

    1530072a370c3ceb3e0d9428feeb4eea342604911f2f1963c905a09aa53aaec5707bcf72f70b86f577e4d7834c4101c2377abd4e1d02fff91d5cf647e44faafb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\95534.exe
    Filesize

    109KB

    MD5

    3a1f155b71223ef8f617d73b2aad273b

    SHA1

    57df3e31536ac258e01c2f66c980468b83313f1f

    SHA256

    898250c781d1a65e41db8817d02f11955d28215c9d432c06260706863a1b4921

    SHA512

    56678ba5afc8e63884f3e568e9297b7f88e904376b2cafc763f9d01b544f1d1a6fa5cf18f33205fbffa1c65a8c9cfb49f251976903f20520ee43698f077e112c

    Download Submit
  • C:\Windows\SYSTEM.INI
    Filesize

    259B

    MD5

    5141c4bc0236745336acd19764f463ee

    SHA1

    62c569217b64d20d5683c9854de86434b29cbad6

    SHA256

    3e12c485b9f4a99290f2d88d24c5cb152fa899628b816118f1a148f4f53869e3

    SHA512

    0b15f8cad28cc30d100df808d80740ede7fa98717f15e76a055fbc837e15d85897ac27ebc3ca5299ad4637a2a246fc79c6e0d790488e0a86fad6de79a03303b4

    Download Submit
  • C:\Windows\SysWOW64\vcmgcd32.dl_
    Filesize

    17KB

    MD5

    65ec81c36efd75f8e4490b0d42aa2ced

    SHA1

    9be34710a967a4ecd5a7e6be0568bf8e2d9be007

    SHA256

    021dde0dc1ee1a9fd800a889885e91f345acc916fb852850f0adb0257903fa04

    SHA512

    7ece65926ca500015b0722e2c0d071124dc951accad36390a4aee62da72ecf592e54ff815e5de056696102a6a397d6b9c5d59e263efee7e1582e303348194bdd

    Download Submit
  • C:\Windows\SysWOW64\vcmgcd32.dll
    Filesize

    36KB

    MD5

    ae22ca9f11ade8e362254b452cc07f78

    SHA1

    4b3cb548c547d3be76e571e0579a609969b05975

    SHA256

    20cbcc9d1e6bd3c7ccacbe81fd26551b2ccfc02c00e8f948b9e9016c8b401db6

    SHA512

    9e1c725758a284ec9132f393a0b27b019a7dde32dc0649b468152876b1c77b195abc9689b732144d8c5b4d0b5fcb960a3074264cab75e6681932d3da2a644bc1

    Download Submit
  • C:\Windows\cmsetac.dll
    Filesize

    33KB

    MD5

    c970ccd2d8f5f335a07b950f0b474ac2

    SHA1

    32b16e0ed9aa94f56aecf5f74e9a6ad73d288ad4

    SHA256

    d6cfd2c79f82f44cfc32b7d1a2e54c3bdb68c0cc1a086785d61df9a4e860ca24

    SHA512

    0803a9d966b300458583a8d56019cc69fd9cd365fd48141cac1a3cbf8690371ff5584de4317e27d20438c9678bb24ed363c849b7816f1d6def0b258ddd8c5c61

    Download Submit
  • C:\Windows\ntdtcstp.dll
    Filesize

    7KB

    MD5

    67587e25a971a141628d7f07bd40ffa0

    SHA1

    76fcd014539a3bb247cc0b761225f68bd6055f6b

    SHA256

    e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

    SHA512

    6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

    Download Submit
  • memory/1540-4-0x00007FF80BC70000-0x00007FF80C611000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/1540-0-0x00007FF80BF25000-0x00007FF80BF26000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1540-5-0x000000001C350000-0x000000001C3EC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/1540-3-0x000000001C150000-0x000000001C1F6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/1540-35-0x00007FF80BC70000-0x00007FF80C611000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/1540-2-0x000000001BBD0000-0x000000001C09E000-memory.dmp
    Filesize

    4.8MB

    Download
  • memory/1540-1-0x00007FF80BC70000-0x00007FF80C611000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2352-33-0x0000000000400000-0x0000000000450000-memory.dmp
    Filesize

    320KB

    Download
  • memory/2352-92-0x0000000000400000-0x0000000000450000-memory.dmp
    Filesize

    320KB

    Download
  • memory/2352-89-0x0000000000920000-0x0000000000921000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3852-140-0x0000000000400000-0x0000000000450000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3852-144-0x0000000000400000-0x0000000000450000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3852-164-0x0000000000400000-0x0000000000450000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3852-160-0x0000000000400000-0x0000000000450000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3852-156-0x0000000000400000-0x0000000000450000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3852-103-0x00000000023A0000-0x00000000023AE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/3852-152-0x0000000000400000-0x0000000000450000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3852-108-0x0000000010000000-0x0000000010011000-memory.dmp
    Filesize

    68KB

    Download
  • memory/3852-148-0x0000000000400000-0x0000000000450000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3852-110-0x0000000000400000-0x0000000000450000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3852-111-0x0000000000970000-0x0000000000978000-memory.dmp
    Filesize

    32KB

    Download
  • memory/3852-112-0x00000000023A0000-0x00000000023AE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/3852-136-0x0000000000400000-0x0000000000450000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3852-115-0x0000000000400000-0x0000000000450000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3852-118-0x0000000000400000-0x0000000000450000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3852-132-0x0000000000400000-0x0000000000450000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3852-120-0x0000000000400000-0x0000000000450000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3852-128-0x0000000000400000-0x0000000000450000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3852-124-0x0000000000400000-0x0000000000450000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4200-18-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/4200-67-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/4200-68-0x0000000010000000-0x0000000010011000-memory.dmp
    Filesize

    68KB

    Download
  • memory/4200-32-0x0000000010000000-0x0000000010011000-memory.dmp
    Filesize

    68KB

    Download
  • memory/4708-113-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/4708-109-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/4708-139-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/4708-135-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/4708-143-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/4708-80-0x0000000010000000-0x0000000010011000-memory.dmp
    Filesize

    68KB

    Download
  • memory/4708-147-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/4708-127-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/4708-151-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/4708-119-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/4708-155-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/4708-131-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/4708-159-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/4708-70-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/4708-163-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/4708-123-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download