modiloader | 50d58f3bd8eece301f8a6dda5159f5a2f8769d0d97aec133f1eae3a4665b49e6

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-06-2024 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
Size

620KB
MD5

00d65b51da1e62f713a634679924b4a2
SHA1

a804276e193a3f3e242ad144cbc7d253ac8b51e1
SHA256

50d58f3bd8eece301f8a6dda5159f5a2f8769d0d97aec133f1eae3a4665b49e6
SHA512

f782256cf4e321ca001bb7c6010eb82ece392b005b921d40ca9ebc2ed705a92f4c332a2f9f1e755408947bae24111f9518bd63ed952b84da95b4168c658be036
SSDEEP

12288:PT0zDxahDgtZmwje94K/OAF3Z4mxxaZytbtOOIRS:PO+Dbwje9bLQmXAw

Score

10^/10

modiloader persistence privilege_escalation trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/292-101-0x0000000000400000-0x0000000000513000-memory.dmp	modiloader_stage2
behavioral1/memory/2060-102-0x0000000000400000-0x0000000000513000-memory.dmp	modiloader_stage2
behavioral1/memory/292-121-0x0000000000400000-0x0000000000513000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2916 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

windows_ipcomfig

pid process

2060 windows_ipcomfig

pid	process
2916	cmd.exe

pid	process
2060	windows_ipcomfig

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\Q:	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened (read-only)	\??\Z:	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened (read-only)	\??\E:	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened (read-only)	\??\N:	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened (read-only)	\??\G:	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened (read-only)	\??\I:	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened (read-only)	\??\J:	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened (read-only)	\??\M:	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened (read-only)	\??\S:	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened (read-only)	\??\U:	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened (read-only)	\??\A:	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened (read-only)	\??\B:	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened (read-only)	\??\V:	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened (read-only)	\??\R:	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened (read-only)	\??\W:	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened (read-only)	\??\X:	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened (read-only)	\??\H:	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened (read-only)	\??\K:	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened (read-only)	\??\P:	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened (read-only)	\??\T:	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened (read-only)	\??\Y:	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened (read-only)	\??\L:	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened (read-only)	\??\O:	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe

description	ioc	process
File created	C:\AutoRun.inf	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened for modification	C:\AutoRun.inf	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File created	F:\AutoRun.inf	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened for modification	F:\AutoRun.inf	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

windows_ipcomfig

description pid process target process

PID 2060 set thread context of 2596 2060 windows_ipcomfig osk.exe

description	pid	process	target process
PID 2060 set thread context of 2596	2060	windows_ipcomfig	osk.exe

Drops file in Program Files directory 2 IoCs

Processes:

windows_ipcomfig

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\_windows_ipcomfig	windows_ipcomfig
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\_windows_ipcomfig	windows_ipcomfig

Drops file in Windows directory 3 IoCs

Processes:

00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\windows_ipcomfig	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File opened for modification	C:\Windows\windows_ipcomfig	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
File created	C:\Windows\SgotoDel.bat	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2712 2060 WerFault.exe windows_ipcomfig

pid	pid_target	process	target process
2712	2060	WerFault.exe	windows_ipcomfig

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exewindows_ipcomfig

description	pid	process	target process
PID 292 wrote to memory of 2060	292	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe	windows_ipcomfig
PID 292 wrote to memory of 2060	292	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe	windows_ipcomfig
PID 292 wrote to memory of 2060	292	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe	windows_ipcomfig
PID 292 wrote to memory of 2060	292	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe	windows_ipcomfig
PID 2060 wrote to memory of 2596	2060	windows_ipcomfig	osk.exe
PID 2060 wrote to memory of 2596	2060	windows_ipcomfig	osk.exe
PID 2060 wrote to memory of 2596	2060	windows_ipcomfig	osk.exe
PID 2060 wrote to memory of 2596	2060	windows_ipcomfig	osk.exe
PID 2060 wrote to memory of 2596	2060	windows_ipcomfig	osk.exe
PID 2060 wrote to memory of 2596	2060	windows_ipcomfig	osk.exe
PID 2060 wrote to memory of 2712	2060	windows_ipcomfig	WerFault.exe
PID 2060 wrote to memory of 2712	2060	windows_ipcomfig	WerFault.exe
PID 2060 wrote to memory of 2712	2060	windows_ipcomfig	WerFault.exe
PID 2060 wrote to memory of 2712	2060	windows_ipcomfig	WerFault.exe
PID 292 wrote to memory of 2916	292	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe	cmd.exe
PID 292 wrote to memory of 2916	292	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe	cmd.exe
PID 292 wrote to memory of 2916	292	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe	cmd.exe
PID 292 wrote to memory of 2916	292	00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00d65b51da1e62f713a634679924b4a2_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:292

C:\Windows\windows_ipcomfig
C:\Windows\windows_ipcomfig
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\osk.exe
"C:\Windows\system32\osk.exe"
3⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 300
3⤵
- Program crash
PID:2712

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SgotoDel.bat
2⤵
- Deletes itself
PID:2916

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SgotoDel.bat
Filesize
212B

MD5
3ee84fb381a9315eb3aea3dfd286a52d

SHA1
184a3fba83b9c6a8098d515c26d0135670cb1a6e

SHA256
1e342370ee60541fa466b802e44b11239db6a58dd8eb683c46f0ccae474aabbc

SHA512
2c4f47237705dcf38b08560e7ae695609a2769d0eca4b71a199f7c9125847dd79e622c7eed2d1a287499857eba42d852dd54802474b0b15665d03ae36f45983e

Download Submit
F:\windows_ipcomfig
Filesize
620KB

MD5
00d65b51da1e62f713a634679924b4a2

SHA1
a804276e193a3f3e242ad144cbc7d253ac8b51e1

SHA256
50d58f3bd8eece301f8a6dda5159f5a2f8769d0d97aec133f1eae3a4665b49e6

SHA512
f782256cf4e321ca001bb7c6010eb82ece392b005b921d40ca9ebc2ed705a92f4c332a2f9f1e755408947bae24111f9518bd63ed952b84da95b4168c658be036

Download Submit
memory/292-33-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-54-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-10-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/292-64-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-0-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/292-73-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-72-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-71-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-70-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-69-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-68-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-31-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-66-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-65-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-63-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-62-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-61-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-60-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-59-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-58-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-57-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-56-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-55-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-32-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-53-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-52-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-51-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-50-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-49-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-48-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-47-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-46-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-45-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-44-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-43-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-42-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-41-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-40-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-39-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-38-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-37-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-36-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-35-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-34-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-74-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/292-11-0x0000000003230000-0x0000000003330000-memory.dmp

Filesize
1024KB

Download
memory/292-67-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-30-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-29-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-28-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-27-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-26-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-25-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-24-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-23-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/292-22-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/292-21-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/292-20-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/292-19-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/292-18-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-17-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/292-16-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/292-15-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/292-14-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/292-13-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/292-12-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/292-9-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/292-8-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/292-7-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/292-6-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/292-5-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/292-4-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/292-3-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/292-2-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/292-90-0x0000000004370000-0x0000000004483000-memory.dmp

Filesize
1.1MB

Download
memory/292-91-0x0000000004370000-0x0000000004483000-memory.dmp

Filesize
1.1MB

Download
memory/292-101-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/292-103-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/292-121-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/292-1-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/292-104-0x0000000003230000-0x0000000003330000-memory.dmp

Filesize
1024KB

Download
memory/292-107-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/292-106-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/292-109-0x0000000004370000-0x0000000004483000-memory.dmp

Filesize
1.1MB

Download
memory/292-110-0x0000000004370000-0x0000000004483000-memory.dmp

Filesize
1.1MB

Download
memory/2060-102-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2060-92-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2596-96-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2596-98-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2596-99-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads