Overview

overview

10

Static

static

3

1b68c1b281...18.exe

windows7-x64

10

1b68c1b281...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 13:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b68c1b28122776e25be7d01e29aba23_JaffaCakes118.exe

  • Size

    449KB

  • MD5

    1b68c1b28122776e25be7d01e29aba23

  • SHA1

    aa865b99291d7630910ece3f956d32fec2626d85

  • SHA256

    dcadfd906850de7d6c5574d66fbef10485fdaa84429e7fb974f24cf0e9170a66

  • SHA512

    20f10c29a5a3ce56f4989cb946c1deb973f25a9c235f605999981cdf00c5b6d7b419b519c02bd3dee1df93513b996ba2b8ab491a3642c56f26cdfdf2dbbf35cb

  • SSDEEP

    12288:RMAOOl1nD7UHf5Zm46GByHmYetaIEWYRB3lpov:RrXncHf5k46MYmRaTWYdpo

Score
10/10
modiloadertrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 11 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b68c1b28122776e25be7d01e29aba23_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1b68c1b28122776e25be7d01e29aba23_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4536
    • C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice46.exe
      "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice46.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4412
      • C:\Windows\SysWOW64\calc.exe
        "C:\Windows\system32\calc.exe"
        3⤵
          PID:3748
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 12
            4⤵
            • Program crash
            PID:456
        • C:\program files\internet explorer\IEXPLORE.EXE
          "C:\program files\internet explorer\IEXPLORE.EXE"
          3⤵
            PID:2464
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""
          2⤵
            PID:3360
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3748 -ip 3748
          1⤵
            PID:4108

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Replication Through Removable Media

          1
          T1091

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          Peripheral Device Discovery

          1
          T1120

          System Information Discovery

          1
          T1082

          Lateral Movement

          Replication Through Removable Media

          1
          T1091

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat
            Filesize

            212B

            MD5

            e0460ce329af17c683546941917cc090

            SHA1

            f65f3356ee64143e0e1c9b408e968916f98f44a7

            SHA256

            37324d2f6dce7366401c80e8d209986abfec1ebd7702e0774a4023c7d9a5d5fa

            SHA512

            4407a1c33ebef1cc89a45b8feb26e9384387c4cc0dee5b6693b85aba48b8220c5f7b294daf8a4a91022197562d4323cdaa94acb30ceb2bd8c47ade4cb47086f4

            Download Submit
          • F:\rejoice46.exe
            Filesize

            449KB

            MD5

            1b68c1b28122776e25be7d01e29aba23

            SHA1

            aa865b99291d7630910ece3f956d32fec2626d85

            SHA256

            dcadfd906850de7d6c5574d66fbef10485fdaa84429e7fb974f24cf0e9170a66

            SHA512

            20f10c29a5a3ce56f4989cb946c1deb973f25a9c235f605999981cdf00c5b6d7b419b519c02bd3dee1df93513b996ba2b8ab491a3642c56f26cdfdf2dbbf35cb

            Download Submit
          • memory/3748-26-0x0000000000400000-0x0000000000552000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/4412-25-0x0000000000400000-0x0000000000551500-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/4412-28-0x0000000000400000-0x0000000000551500-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/4412-29-0x0000000000400000-0x0000000000551500-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/4536-17-0x0000000000400000-0x0000000000551500-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/4536-4-0x0000000000400000-0x0000000000551500-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/4536-3-0x0000000000400000-0x0000000000551500-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/4536-6-0x0000000000400000-0x0000000000551500-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/4536-22-0x0000000000400000-0x0000000000551500-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/4536-2-0x0000000000401000-0x00000000004E1000-memory.dmp
            Filesize

            896KB

            Download
          • memory/4536-1-0x0000000000400000-0x0000000000551500-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/4536-18-0x0000000000400000-0x0000000000551500-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/4536-5-0x0000000000400000-0x0000000000551500-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/4536-32-0x0000000000400000-0x0000000000551500-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/4536-33-0x0000000000401000-0x00000000004E1000-memory.dmp
            Filesize

            896KB

            Download
          • memory/4536-0-0x0000000000400000-0x0000000000551500-memory.dmp
            Filesize

            1.3MB

            Download