Overview

overview

10

Static

static

10

193ea6da81...18.exe

windows7-x64

10

193ea6da81...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28-06-2024 07:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe

  • Size

    667KB

  • MD5

    193ea6da81b5c7dd4ab6f8d75edacbad

  • SHA1

    b7b8efc05cbd82a238230bd0ae424487b0e43df6

  • SHA256

    300edf71749edacda3c092d9eb778673c9d7b1c49e215e3ea36ac22f80f74b07

  • SHA512

    847c2feca8d9af6f35e93e13b549b1170e05ceb2d475a8496a0df586b8df1dd955ab3f230ad100c734834887256c09349a80a4b2ec34955919ec4b7846cac75a

  • SSDEEP

    12288:WbMqmnEEb4E9F/ATyGv4XKGQi2lJLm1Giizl6oAlpxElrW1A:WI9EEb4Ev/ATEXKGVnGTzpA1Ec1A

Score
10/10
modiloaderevasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • ModiLoader Second Stage 8 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 22 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 54 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Local\Temp\193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe
      193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Users\Admin\DV245F.exe
        C:\Users\Admin\DV245F.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Users\Admin\waace.exe
          "C:\Users\Admin\waace.exe"
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:2564
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del DV245F.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2652
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:2960
      • C:\Users\Admin\aohost.exe
        C:\Users\Admin\aohost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2496
        • C:\Users\Admin\aohost.exe
          aohost.exe
          4⤵
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Suspicious behavior: EnumeratesProcesses
          PID:2148
      • C:\Users\Admin\bohost.exe
        C:\Users\Admin\bohost.exe
        3⤵
        • Modifies security service
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2616
        • C:\Users\Admin\bohost.exe
          C:\Users\Admin\bohost.exe startC:\Users\Admin\AppData\Roaming\4E53A\9EE86.exe%C:\Users\Admin\AppData\Roaming\4E53A
          4⤵
          • Executes dropped EXE
          PID:880
        • C:\Users\Admin\bohost.exe
          C:\Users\Admin\bohost.exe startC:\Program Files (x86)\3A436\lvvm.exe%C:\Program Files (x86)\3A436
          4⤵
          • Executes dropped EXE
          PID:1160
      • C:\Users\Admin\dohost.exe
        C:\Users\Admin\dohost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:736
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1232
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1984
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1808

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Active Setup

1
T1547.014

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Active Setup

1
T1547.014

Defense Evasion

Modify Registry

5
T1112

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Process Discovery

1
T1057

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\4E53A\A436.E53
    Filesize

    600B

    MD5

    d51f25747a6cb6ee5103e38ed789fafc

    SHA1

    58cfa91bddc6a774f25f7e5adb80a75e4330e7fa

    SHA256

    e78a1be3fc39a7956fbf25ea398edb80ec24775ff92838279b70074f79d88f7f

    SHA512

    f5cabb6238235c0b35ce2dd05baa28c59f6c3b24acfb0205599c352baccc0b0bc3fdef1371bce6fcd09e37ce2e396ceeee79714aeecacb3f35991cb6d360a4c6

    Download Submit
  • C:\Users\Admin\AppData\Roaming\4E53A\A436.E53
    Filesize

    996B

    MD5

    416ecdfe4698d01dc8554d95e9678f43

    SHA1

    6afd6a26e7ded194c5ceea636217566376191aa4

    SHA256

    e140e4f531e3d0dd46bf30e352d08b46949c2af9ed20662880c2c263cd5923be

    SHA512

    9271232cc0879126f6292723cfd31d1bcc914755101e50f9ce3d4c3ee348a65de7e1ec8a1b427fa8a44e5e47282ed53b15687c7f861aded470052fc504a3b6d3

    Download Submit
  • C:\Users\Admin\AppData\Roaming\4E53A\A436.E53
    Filesize

    1KB

    MD5

    7c6f57640fc3e8959c56fbf7126cf3a8

    SHA1

    a91d58ed6dae37524bd7485fbd180895d7f0c08e

    SHA256

    13a30ef052bebcbffa0ae3cfe12bbdba77c5ca3ed659ced8e5856a1d96a2265a

    SHA512

    e36af2566037f8259ee47647a9442d146d3add3c19e42951d28a84cae88410ef1646518819211351abe3aa6d5d67557e93c3606dccd23f2b6fb2579dcfb5bd3e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\4E53A\A436.E53
    Filesize

    1KB

    MD5

    1cf995d2316a2a67ab9283fba547cb09

    SHA1

    6c30a1144413a44b8a2d2f3645d785b3399e59ea

    SHA256

    03a3bd8cf4a44105b92b379c8cce4ce41ec18a0bdaac5222020cb9bd3d55a8de

    SHA512

    7a771705dd20ca4b6d30a3aae49f8bf0b11a2aa1568195b14526be06a66ce9982118aca85b55c8b55303d2e9a6db3f8db17d6ba6da45c33d6a33bb3b20b80c0d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\4E53A\A436.E53
    Filesize

    300B

    MD5

    70235ead2db53155171b367fa831f81b

    SHA1

    f1dca958316e7233eac49122942e653388e0a965

    SHA256

    a821d49c81032e604719bfde364f9f283ca9647499d445347ae96d279d0c4320

    SHA512

    d0d1c911d22b2edaa82ca5145ed2ffbfe80acb75d20380f0340e68713259dc8979f9079ba4ae8327a6c06c6db569601b4a8e530f20f3084b5acec953aa12ae2c

    Download Submit
  • \Users\Admin\DV245F.exe
    Filesize

    216KB

    MD5

    00b1af88e176b5fdb1b82a38cfdce35b

    SHA1

    c0f77262df92698911e0ac2f7774e93fc6b06280

    SHA256

    50f026d57fea9c00d49629484442ea59cccc0053d7db73168d68544a3bbf6f59

    SHA512

    9e55e7c440af901f9c6d0cdae619f6e964b9b75c9351c76ea64362ff161c150b12a1caabb3d2eb63353a59ae70e7159ca6b3793ed0cc11994766846ac316107f

    Download Submit
  • \Users\Admin\aohost.exe
    Filesize

    152KB

    MD5

    4401958b004eb197d4f0c0aaccee9a18

    SHA1

    50e600f7c5c918145c5a270b472b114faa72a971

    SHA256

    4c477ed134bc76fa7b912f1aad5e59d4f56f993baa16646e25fec2fdeed3bd8b

    SHA512

    f0548bdaafce2cde2f9d3bd1c26ed3c8e9321ef6d706bd372e18886d834828e5bb54ae44f19764e94574ceb4a1a2a99bdd8476e174b05114fcac9a6d4a2d58e6

    Download Submit
  • \Users\Admin\bohost.exe
    Filesize

    173KB

    MD5

    0578a41258df62b7b4320ceaafedde53

    SHA1

    50e7c0b00f8f1e5355423893f10ae8ee844d70f4

    SHA256

    18941e3030ef70437a5330e4689ec262f887f6f6f1da1cd66c0cbae2a76e75bf

    SHA512

    5870a73798bad1f92b4d79f20bf618112ec8917574f6b25ab968c47afff419a829eef57b0282fb4c53e6e636436c8cf52a01426c46bdd4a0ea948d371f0feb09

    Download Submit
  • \Users\Admin\dohost.exe
    Filesize

    24KB

    MD5

    d7390e209a42ea46d9cbfc5177b8324e

    SHA1

    eff57330de49be19d2514dd08e614afc97b061d2

    SHA256

    d2d49c37bdf2313756897245c3050494b39e824af448450eca1c0e83cf95b1e5

    SHA512

    de0eb11dd20cd9d74f47b138fb4189a299a57173fe2635150045b01629354f35b26e0575acd25501403af0db238a123b2e5a79582b47aee1d6e786f5eec1929d

    Download Submit
  • \Users\Admin\waace.exe
    Filesize

    216KB

    MD5

    d45c2df5d422e919bf92a9dd7c99140f

    SHA1

    254e7b934d579aba49538cb3794df8a6a0b81701

    SHA256

    1e972f867cd5408171660dcf9fcf6b0eda552bcf72095ae282bf39e14b225db4

    SHA512

    a94dab93389fdaf1a607b0bb497685b3da84986a380a59994fc75a3b5b1b5d0ba1752322d6c01e1f2675d00544d952225849037dcd0ffa2e7447bdc8129510ad

    Download Submit
  • memory/880-126-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize

    328KB

    Download
  • memory/1160-195-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2148-132-0x0000000000400000-0x0000000000427000-memory.dmp
    Filesize

    156KB

    Download
  • memory/2148-58-0x0000000000400000-0x0000000000427000-memory.dmp
    Filesize

    156KB

    Download
  • memory/2148-68-0x0000000000400000-0x0000000000427000-memory.dmp
    Filesize

    156KB

    Download
  • memory/2148-54-0x0000000000400000-0x0000000000427000-memory.dmp
    Filesize

    156KB

    Download
  • memory/2148-56-0x0000000000400000-0x0000000000427000-memory.dmp
    Filesize

    156KB

    Download
  • memory/2148-67-0x0000000000400000-0x0000000000427000-memory.dmp
    Filesize

    156KB

    Download
  • memory/2148-62-0x0000000000400000-0x0000000000427000-memory.dmp
    Filesize

    156KB

    Download
  • memory/2196-12-0x0000000000400000-0x00000000004CF000-memory.dmp
    Filesize

    828KB

    Download
  • memory/2196-15-0x0000000000400000-0x00000000004CF000-memory.dmp
    Filesize

    828KB

    Download
  • memory/2196-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2196-2-0x0000000000400000-0x00000000004CF000-memory.dmp
    Filesize

    828KB

    Download
  • memory/2196-4-0x0000000000400000-0x00000000004CF000-memory.dmp
    Filesize

    828KB

    Download
  • memory/2196-6-0x0000000000400000-0x00000000004CF000-memory.dmp
    Filesize

    828KB

    Download
  • memory/2196-311-0x0000000000400000-0x00000000004CF000-memory.dmp
    Filesize

    828KB

    Download
  • memory/2196-131-0x0000000000400000-0x00000000004CF000-memory.dmp
    Filesize

    828KB

    Download
  • memory/2196-0-0x0000000000400000-0x00000000004CF000-memory.dmp
    Filesize

    828KB

    Download
  • memory/2196-16-0x0000000000400000-0x00000000004CF000-memory.dmp
    Filesize

    828KB

    Download
  • memory/2196-13-0x0000000000400000-0x00000000004CF000-memory.dmp
    Filesize

    828KB

    Download
  • memory/2196-14-0x0000000000400000-0x00000000004CF000-memory.dmp
    Filesize

    828KB

    Download
  • memory/2496-65-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2540-45-0x0000000004050000-0x0000000004B0A000-memory.dmp
    Filesize

    10.7MB

    Download
  • memory/2616-197-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2616-133-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2616-309-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2616-315-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2756-10-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

    Download