modiloader | 33a012eb212119442faeb1886886a1089750d3e656bbf85f353a4521e7e85413

Analysis

max time kernel
153s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd45799c56f0dcd32270e4bf4ea157fa_JaffaCakes118.exe
Size

682KB
MD5

fd45799c56f0dcd32270e4bf4ea157fa
SHA1

49ffb5d87b42245656c4e5635d98b2a5a9e4382e
SHA256

33a012eb212119442faeb1886886a1089750d3e656bbf85f353a4521e7e85413
SHA512

3fad588b545de3bbe43cee0168dae8b420cccec72a99868f06be1560c111f19b871abb34f56bde48d683c8500664ff265ea9c1157afef7db36dfeb69fa3e94e8
SSDEEP

12288:NXWniocbQsVHkmabnl7ssqKp0gM+G4whvSJ7oySY+6ra9q0AlL6kSH1NDFIV:NXkiocksCmabnl7ssqWhU4ue8yJoqckL

Score

10^/10

modiloader evasion trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	tazebama.dl_

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/2384-10-0x0000000000400000-0x000000000048C000-memory.dmp	modiloader_stage2
behavioral2/memory/2384-64-0x0000000000400000-0x000000000048C000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	fd45799c56f0dcd32270e4bf4ea157fa_JaffaCakes118.exe

Executes dropped EXE 5 IoCs

pid	Process
1896	tazebama.dl_
936	ÈÇÊÔ ÕæÊ.exe
716	superscan v3.0.exe
1712	ÈÇÊÔ ÕæÊ.exe
1868	ÈÇÊÔ ÕæÊ.exe

Loads dropped DLL 1 IoCs

pid	Process
2384	fd45799c56f0dcd32270e4bf4ea157fa_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a00000002325f-56.dat	upx
behavioral2/memory/716-63-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/1712-68-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1712-71-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1712-72-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1712-83-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/716-94-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	tazebama.dl_
File opened (read-only)	\??\J:	tazebama.dl_
File opened (read-only)	\??\I:	tazebama.dl_
File opened (read-only)	\??\E:	tazebama.dl_
File opened (read-only)	\??\X:	tazebama.dl_
File opened (read-only)	\??\U:	tazebama.dl_
File opened (read-only)	\??\R:	tazebama.dl_
File opened (read-only)	\??\Q:	tazebama.dl_
File opened (read-only)	\??\P:	tazebama.dl_
File opened (read-only)	\??\L:	tazebama.dl_
File opened (read-only)	\??\H:	tazebama.dl_
File opened (read-only)	\??\G:	tazebama.dl_
File opened (read-only)	\??\V:	tazebama.dl_
File opened (read-only)	\??\T:	tazebama.dl_
File opened (read-only)	\??\W:	tazebama.dl_
File opened (read-only)	\??\S:	tazebama.dl_
File opened (read-only)	\??\M:	tazebama.dl_
File opened (read-only)	\??\K:	tazebama.dl_
File opened (read-only)	\??\Z:	tazebama.dl_
File opened (read-only)	\??\Y:	tazebama.dl_
File opened (read-only)	\??\N:	tazebama.dl_

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 936 set thread context of 1712	936	ÈÇÊÔ ÕæÊ.exe	98
PID 1712 set thread context of 1868	1712	ÈÇÊÔ ÕæÊ.exe	99

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACRORD32.EXE	tazebama.dl_

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4364	1896	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1896	tazebama.dl_
1896	tazebama.dl_
1868	ÈÇÊÔ ÕæÊ.exe
1868	ÈÇÊÔ ÕæÊ.exe
1868	ÈÇÊÔ ÕæÊ.exe
1868	ÈÇÊÔ ÕæÊ.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
936	ÈÇÊÔ ÕæÊ.exe
1712	ÈÇÊÔ ÕæÊ.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 1896	2384	fd45799c56f0dcd32270e4bf4ea157fa_JaffaCakes118.exe	92
PID 2384 wrote to memory of 1896	2384	fd45799c56f0dcd32270e4bf4ea157fa_JaffaCakes118.exe	92
PID 2384 wrote to memory of 1896	2384	fd45799c56f0dcd32270e4bf4ea157fa_JaffaCakes118.exe	92
PID 2384 wrote to memory of 936	2384	fd45799c56f0dcd32270e4bf4ea157fa_JaffaCakes118.exe	96
PID 2384 wrote to memory of 936	2384	fd45799c56f0dcd32270e4bf4ea157fa_JaffaCakes118.exe	96
PID 2384 wrote to memory of 936	2384	fd45799c56f0dcd32270e4bf4ea157fa_JaffaCakes118.exe	96
PID 2384 wrote to memory of 716	2384	fd45799c56f0dcd32270e4bf4ea157fa_JaffaCakes118.exe	97
PID 2384 wrote to memory of 716	2384	fd45799c56f0dcd32270e4bf4ea157fa_JaffaCakes118.exe	97
PID 2384 wrote to memory of 716	2384	fd45799c56f0dcd32270e4bf4ea157fa_JaffaCakes118.exe	97
PID 936 wrote to memory of 1712	936	ÈÇÊÔ ÕæÊ.exe	98
PID 936 wrote to memory of 1712	936	ÈÇÊÔ ÕæÊ.exe	98
PID 936 wrote to memory of 1712	936	ÈÇÊÔ ÕæÊ.exe	98
PID 936 wrote to memory of 1712	936	ÈÇÊÔ ÕæÊ.exe	98
PID 936 wrote to memory of 1712	936	ÈÇÊÔ ÕæÊ.exe	98
PID 936 wrote to memory of 1712	936	ÈÇÊÔ ÕæÊ.exe	98
PID 936 wrote to memory of 1712	936	ÈÇÊÔ ÕæÊ.exe	98
PID 936 wrote to memory of 1712	936	ÈÇÊÔ ÕæÊ.exe	98
PID 1712 wrote to memory of 1868	1712	ÈÇÊÔ ÕæÊ.exe	99
PID 1712 wrote to memory of 1868	1712	ÈÇÊÔ ÕæÊ.exe	99
PID 1712 wrote to memory of 1868	1712	ÈÇÊÔ ÕæÊ.exe	99
PID 1712 wrote to memory of 1868	1712	ÈÇÊÔ ÕæÊ.exe	99
PID 1712 wrote to memory of 1868	1712	ÈÇÊÔ ÕæÊ.exe	99
PID 1712 wrote to memory of 1868	1712	ÈÇÊÔ ÕæÊ.exe	99
PID 1712 wrote to memory of 1868	1712	ÈÇÊÔ ÕæÊ.exe	99
PID 1868 wrote to memory of 3164	1868	ÈÇÊÔ ÕæÊ.exe	56
PID 1868 wrote to memory of 3164	1868	ÈÇÊÔ ÕæÊ.exe	56
PID 1868 wrote to memory of 3164	1868	ÈÇÊÔ ÕæÊ.exe	56
PID 1868 wrote to memory of 3164	1868	ÈÇÊÔ ÕæÊ.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3164
- C:\Users\Admin\AppData\Local\Temp\fd45799c56f0dcd32270e4bf4ea157fa_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fd45799c56f0dcd32270e4bf4ea157fa_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Documents and Settings\tazebama.dl_
    "C:\Documents and Settings\tazebama.dl_"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 760
      4⤵
      Program crash
      PID:4364
- - C:\Users\Admin\AppData\Local\Temp\ÈÇÊÔ ÕæÊ.exe
    "C:\Users\Admin\AppData\Local\Temp\ÈÇÊÔ ÕæÊ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Users\Admin\AppData\Local\Temp\ÈÇÊÔ ÕæÊ.exe
      "C:\Users\Admin\AppData\Local\Temp\ÈÇÊÔ ÕæÊ.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Users\Admin\AppData\Local\Temp\ÈÇÊÔ ÕæÊ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ÈÇÊÔ ÕæÊ.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1868
- - C:\Users\Admin\AppData\Local\Temp\superscan v3.0.exe
    "C:\Users\Admin\AppData\Local\Temp\superscan v3.0.exe"
    3⤵
    - Executes dropped EXE
    PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1896 -ip 1896
1⤵
PID:556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5248 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\superscan v3.0.exe

Filesize
245KB

MD5
0071813eb4668769a15fcd2d1ca1686d

SHA1
a9a02a14ea4e78af30b8b4a7e1c6ed500a36bc4d

SHA256
a4df0e59a28d75e143117051a04d52f4a61a9ea7b23c41ad51a3a829cad62b58

SHA512
285f760efac8ccfaba213e88998d37a5e3191071bb245f63d7952b65ec9a1e7ec214270beca65d9a3013db849f64977be7f6110425fd29fcc58eb78cac982e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÈÇÊÔ ÕæÊ.exe

Filesize
273KB

MD5
0df539fe12e647170112b53522e9bc8a

SHA1
5acbe197c0ae8b5d435b944a3e7107ac64a28976

SHA256
20847b0f9546766aeb521e7e1168a29b1249411556898ffdf34d559aab60d469

SHA512
a661495768449b1931c319a772f6220fc1d4ed2f100eec5f0fdd839c7f0786c02276539fd6bc1b1dc1b1e478aa446070cecf50a97ab12fa6a9bac86696d46810

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
d0571692ad4ef78bf228fa04d0e42c4f

SHA1
e0a77445c64afd3b444cbd0dc03f3ba01f93a8a6

SHA256
e645073811578d5d7e4ed393be78595da8fe2b7a8cb213ecbdaedce8d37a09c1

SHA512
68a293d219e705918d881b1d1415e6c60820998c4c99bb48990a4d70e3b78d5d8e4c4038c0388c2a1dd882cea626507d4da1c2ac8d81fc81803b6e6944770fc1

Download Submit
C:\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
C:\autorun.inf

Filesize
126B

MD5
163e20cbccefcdd42f46e43a94173c46

SHA1
4c7b5048e8608e2a75799e00ecf1bbb4773279ae

SHA256
7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

SHA512
e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

Download Submit
C:\zPharaoh.exe

Filesize
71KB

MD5
7446844a4a16e81c2a50c033f9a29c28

SHA1
9ff1fa63155cfd8d235b39fa56a858bb4c583b82

SHA256
375dd1e4b3829eb6dd6b9a5e734b961c530c8a746dfc5bbe8bdde5560dc435c1

SHA512
bd4d17604ef7027c43c5b9778426746616c9b6bbd9a8f7dea676c425ebb908c54b2ff3b75a9b6078deb118a6bb7f66e5c2dc705f39b12fe098bfa68e65fcc854

Download Submit
memory/716-63-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/716-94-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/936-73-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/936-65-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/936-54-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1712-68-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1712-83-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1712-80-0x0000000000430000-0x00000000004F9000-memory.dmp

Filesize
804KB

Download
memory/1712-72-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1712-71-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1868-82-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1868-85-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1868-76-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1868-79-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1868-93-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1868-81-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/1868-92-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/1896-12-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1896-84-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2384-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2384-10-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2384-64-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2384-7-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3164-87-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3164-88-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download