modiloader | 22ef698972355c98c72df206757d3ddbf1ba915975646716ef024bf4487ce9c9

Analysis

max time kernel
122s
max time network
133s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
19-06-2024 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0054700707d5b6c6bd34b0b47631124f_JaffaCakes118.exe
Size

710KB
MD5

0054700707d5b6c6bd34b0b47631124f
SHA1

50c25fdb6d972b4b275255b925c0d45e02c9a4e8
SHA256

22ef698972355c98c72df206757d3ddbf1ba915975646716ef024bf4487ce9c9
SHA512

aac0143e53ccc730c61d7c8b1f405d7f1c3ffef466d8fdc8388ec512af69a9536474e72a556d964a6f1a4b365f43f24b0d6f073e9e601d1919e84c630f7a780e
SSDEEP

12288:ytS5RTQ7aT7YilhjzAF4gv6tdiAUQJ0xkaa+MkHAT+pK:6c22T7BRS46qiAUrWLGATZ

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1144-2-0x0000000000170000-0x0000000000228000-memory.dmp	modiloader_stage2
behavioral1/memory/1968-3-0x0000000000400000-0x00000000004B8000-memory.dmp	modiloader_stage2

Suspicious use of SetThreadContext 1 IoCs

Processes:

0054700707d5b6c6bd34b0b47631124f_JaffaCakes118.exe

description pid process target process

PID 1968 set thread context of 1144 1968 0054700707d5b6c6bd34b0b47631124f_JaffaCakes118.exe IEXPLORE.EXE

description	pid	process	target process
PID 1968 set thread context of 1144	1968	0054700707d5b6c6bd34b0b47631124f_JaffaCakes118.exe	IEXPLORE.EXE

Drops file in Program Files directory 1 IoCs

Processes:

0054700707d5b6c6bd34b0b47631124f_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt	0054700707d5b6c6bd34b0b47631124f_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424990517"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DEB5B6D1-2E79-11EF-84D8-C2F93164A635} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1144 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1144 IEXPLORE.EXE
1144 IEXPLORE.EXE
2600 IEXPLORE.EXE
2600 IEXPLORE.EXE
2600 IEXPLORE.EXE
2600 IEXPLORE.EXE

pid	process
1144	IEXPLORE.EXE

pid	process
1144	IEXPLORE.EXE
1144	IEXPLORE.EXE
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0054700707d5b6c6bd34b0b47631124f_JaffaCakes118.exeIEXPLORE.EXE

description	pid	process	target process
PID 1968 wrote to memory of 1144	1968	0054700707d5b6c6bd34b0b47631124f_JaffaCakes118.exe	IEXPLORE.EXE
PID 1968 wrote to memory of 1144	1968	0054700707d5b6c6bd34b0b47631124f_JaffaCakes118.exe	IEXPLORE.EXE
PID 1968 wrote to memory of 1144	1968	0054700707d5b6c6bd34b0b47631124f_JaffaCakes118.exe	IEXPLORE.EXE
PID 1968 wrote to memory of 1144	1968	0054700707d5b6c6bd34b0b47631124f_JaffaCakes118.exe	IEXPLORE.EXE
PID 1968 wrote to memory of 1144	1968	0054700707d5b6c6bd34b0b47631124f_JaffaCakes118.exe	IEXPLORE.EXE
PID 1144 wrote to memory of 2600	1144	IEXPLORE.EXE	IEXPLORE.EXE
PID 1144 wrote to memory of 2600	1144	IEXPLORE.EXE	IEXPLORE.EXE
PID 1144 wrote to memory of 2600	1144	IEXPLORE.EXE	IEXPLORE.EXE
PID 1144 wrote to memory of 2600	1144	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\0054700707d5b6c6bd34b0b47631124f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0054700707d5b6c6bd34b0b47631124f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1968

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1144

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1144 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5ab1045d73befe4c5e41487d26d38226

SHA1
352fcf6cdf97b860bc667930d588a97082562450

SHA256
c103f80196529dcc3b4c6241035e2ae3993d5f010f84b96d638b3d2ca399f5ea

SHA512
a0420d295188c241cbecbbc550bfdcf8850f3d7648d94dc40bc4dd9bd1408a9d97acefae945cc3eec63f1a97aba4adf3727964a69af6e9d0e397212531cc5677

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
60b4c6cf4580ed8e2c6c084c01c4952e

SHA1
4debbc0ff0a7c0775afec7859941353e79fe12ce

SHA256
7708cd98a98e45cf562b30b4fb5c7b8a21dacf1347da4fc7c03b30a37a0b0054

SHA512
595a1a43c40ea7f6bfed9f06c2c450da72268f99f60cb68d47518d2af927a112e3d67d128cd9223a4e6f4b20b4f6d4c2c8f810fb2530b4aadf9e5714f7a7a645

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
afe22070ecc7bc0fbc9a62f0a0f1e3ea

SHA1
f3f8fa480625d4af5ad9f0bc0c58573c82bf91a3

SHA256
74407d3c02f0650027b9f816dc7f284456c2560cb75731c93daa82485fbe428e

SHA512
c4e927feaff88d67469288df95211670d9b241efe150208d5053e508f32143301f8e02baae812348c35067bc9c7eee8edc518e97ac5df8fd25112f59b13a448b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
56b5e2b556a39593d67bcfb8e125034c

SHA1
dbf2144065a49ab4bb6f50b47b9103bfd5e2985f

SHA256
826eabb9e0590514f31598e8b7b81b8e2f6f03576cdf6c6a83740dd9346c0e0f

SHA512
946601f21499e8efff390e70ba026aff973979d53fd71b7df4a56480d391f87a2bba6e7473195ee67f3bfdadf69e7f34ab69c58ea9b0f82d50112f2976ca94a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
227da828e4cf3b7c04f54613c1db034f

SHA1
9117328d0706c995da701912e1e2c996a8a28f5d

SHA256
ff284fbf82bfb3f9f683be8d99860c072da8510fa55e9ed18241e5b634f6c3e5

SHA512
3ac843942a993eef0f2e01974bfaba53e0e3c18adecfaed9d71abf3ab077fcfaad466697fd55b2f406d9e36c4a6563bcf2b98df77b6dcc50c6dc8dce4cd4e1b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0319b83a8cf4dc903e825a765215aecb

SHA1
d14bbb0ec4cf743429f43c202f92f2dad0e7e0c7

SHA256
f1478acd59eaca138eb331f77df020aeb9ac14362cfaa6fdf9899424a6c2d71a

SHA512
a206a1353181a929a7b053ec49d804308af72950715fa6fdd5928d84ad2be09e1f9f0e2ef6283b1fee7cee45d9e42327e317f59d56dd9bd1cbb7061e18dbc1bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a6f01cf2f5f92833c0880fe67ec51f47

SHA1
eef27ffacd8915b3e78a7d547c5e46e7b2692212

SHA256
a0f5e08b174a2605f6747c816192c67b354de7f0d9aab4b930ea46c08e9f401c

SHA512
1a21b5c6accf561c0e25fed8374430697e1db385368e39201ca6cc393e0f35eb161347eaffdf87acde9a533798f39453f5af4afd796612436f405ec4dd2e3cf0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d80ab97d617ee0e9f36f40bf9b0e7509

SHA1
1c3baf9cafa4dd892a89bbeefaec9ec439e4f22f

SHA256
f93112866c6a5d663448bd0e122d32490cc502f0440b2113eb574492da735c16

SHA512
fe711d138a83064e901df83c9c81c8e36a52c66756ce793c837b7f5f04f1afe768efdbdb16fae9426e2312d404aa81890659706ea9cd677954b12065f76c3901

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
80f26bda660b63c4e71157c55a8459fb

SHA1
f9e5f2b9a92aae47a129b55fe211c3e4ef72077f

SHA256
69ec8e4cf21cf2990253d104d42c86f6755b047d524baa8dab5730149afdee07

SHA512
496d1ba8c4bd9b7bd77d0d31a94d3fae39549307eece2119a488cdad0e830c4dc846eacb397e8873ade537b6d1209051e85d4256ac3bacaf1238dad0183d8964

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
eeec808d2061d1683b6c1aef89ac504c

SHA1
3b2741bc0b342139b2459c92dd1c78d51f8eeb35

SHA256
d39eb7641e575fd32e07a7b752e195d2b2644afd745adcd2077637d984e3ef7f

SHA512
f6e489015265a03c814461ebade690ee31bca4dcd7998b4d349a66b998b9c710762a008cd39cc1fd22075339638a1270f2b071d799d59e08954fdd803f992aa9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
6e3481f86094ecc9fd68bdd67adbaea7

SHA1
17a837ea02093ada96d0a14492c68e0b77fae204

SHA256
47ca63bb2e99f21edd2cc028960b86a8226795be69ba56e9320d7cb6ff023b1b

SHA512
d463fffd990161d120de5fb2420ec40a97418cc34649da8aad49d19a140d5585291adb0ad557fe8fc9d80b76e1ab6c6875597f72d5c8c0006961e34928427c75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9a096c46fb7cd63f616cef661aaa74d0

SHA1
bb4b5083f8d9193ea32162d0ca884e605bab8912

SHA256
41dbb53ebe58baa2629b80d5fcc668958caf6c2396bdefd144d67efc83408d2b

SHA512
e53b767858f7de3b3bd4a41afeb2e95456b2805c0897c88c7913c37bbc7579053e2f3100eae194cb062deae789ef12ba5a3e5518e0145efdaf378d8f75468f18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4558d3a059d335bff7ef3d554a942f9d

SHA1
4edf3bfc3329d9c27397290b202b50523df343ab

SHA256
a83747b5c5182feefc285b081fb7a171ff2937dccb753b5ea7b45564a5feda42

SHA512
8cffc60e9792cad436ecc91b3ec7e2b0f845ed4e59e7783e6baa943fa2dc996ba6116e9d8cd9913e3acce6aa74166bcf1c764849f2a9153f9809d92c00c607e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
35af4f3dd6c6e41800c2c2e72db23138

SHA1
288a4d44e1d79e4ef92c98cb6bffe14514a6e1ae

SHA256
505651596787492414ce602f6671cf37223cf00d391adcb929598e6cfbe808cf

SHA512
38422c032d6c551d22a8d78068b1c23702b2a5d66d430d80102894b0ce4d22b55a98d98b93c86be6cb1c1fd0933c04b4667ad3885c5d9e2658ff34412d955ce1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
bfef44f0547b32e9f5011a2451115e05

SHA1
85ec6b8af75f6749444a010f027f62f35b45cb3a

SHA256
eceba880734b4156dd66fd49b79df9cf6f56501dce1b1ee7af0c47090fb9c734

SHA512
f52317be8e24d8790ac1702e4e4bd20341f7beff1293b76727b62c1df1c2c3414f6d7585330cc759e334724029627c7198136ede1d3f3b7c49f1964a993ce320

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab318F.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3222.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1144-2-0x0000000000170000-0x0000000000228000-memory.dmp

Filesize
736KB

Download
memory/1968-3-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1968-1-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download