modiloader | 21be6f449fdbf66a9f69faeb5f74f19a0d8290067a5449299e4d5eec43e4bcfe

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
Size

581KB
MD5

02f2fb981df03a14510e5c320752248d
SHA1

1a62b7edd945483cf4cd434c073ab0e1d58ef564
SHA256

21be6f449fdbf66a9f69faeb5f74f19a0d8290067a5449299e4d5eec43e4bcfe
SHA512

b624cc51289194e64cc7cff5125efb4cb8f8cfcce257c86b9caf059c672fddb358ae77ba5ef73cdf155d2636729dcc53755492cbc399e12761a4375c62bc1b62
SSDEEP

12288:MudEJ0qv/aVIZerIa3F3Z4mxxooEtlK+kt9T2MTL:MQEb5qQmXhGG

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1732-111-0x0000000000400000-0x0000000000554000-memory.dmp	modiloader_stage2
behavioral1/memory/2820-112-0x0000000000400000-0x0000000000554000-memory.dmp	modiloader_stage2
behavioral1/memory/1732-132-0x0000000000400000-0x0000000000554000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

688 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

17mf8.cn.exe

pid process

2820 17mf8.cn.exe

pid	process
688	cmd.exe

pid	process
2820	17mf8.cn.exe

Loads dropped DLL 5 IoCs

Processes:

02f2fb981df03a14510e5c320752248d_JaffaCakes118.exeWerFault.exe

pid	process
1732	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
1732	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
2424	WerFault.exe
2424	WerFault.exe
2424	WerFault.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\Q:	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File opened (read-only)	\??\A:	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File opened (read-only)	\??\N:	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File opened (read-only)	\??\P:	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File opened (read-only)	\??\T:	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File opened (read-only)	\??\U:	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File opened (read-only)	\??\E:	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File opened (read-only)	\??\I:	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File opened (read-only)	\??\K:	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File opened (read-only)	\??\R:	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File opened (read-only)	\??\S:	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File opened (read-only)	\??\W:	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File opened (read-only)	\??\X:	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File opened (read-only)	\??\B:	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File opened (read-only)	\??\H:	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File opened (read-only)	\??\L:	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File opened (read-only)	\??\O:	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File opened (read-only)	\??\V:	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File opened (read-only)	\??\Y:	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File opened (read-only)	\??\Z:	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File opened (read-only)	\??\G:	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File opened (read-only)	\??\J:	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File opened (read-only)	\??\M:	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe

description	ioc	process
File opened for modification	F:\AutoRun.inf	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File created	C:\AutoRun.inf	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File opened for modification	C:\AutoRun.inf	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File created	F:\AutoRun.inf	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

Processes:

17mf8.cn.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_17mf8.cn.exe	17mf8.cn.exe
File opened for modification	C:\Windows\SysWOW64\_17mf8.cn.exe	17mf8.cn.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

17mf8.cn.exe

description pid process target process

PID 2820 set thread context of 1252 2820 17mf8.cn.exe calc.exe

description	pid	process	target process
PID 2820 set thread context of 1252	2820	17mf8.cn.exe	calc.exe

Drops file in Program Files directory 3 IoCs

Processes:

02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\17mf8.cn.exe	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\17mf8.cn.exe	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2424 2820 WerFault.exe 17mf8.cn.exe

pid	pid_target	process	target process
2424	2820	WerFault.exe	17mf8.cn.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe17mf8.cn.exe

description	pid	process	target process
PID 1732 wrote to memory of 2820	1732	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe	17mf8.cn.exe
PID 1732 wrote to memory of 2820	1732	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe	17mf8.cn.exe
PID 1732 wrote to memory of 2820	1732	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe	17mf8.cn.exe
PID 1732 wrote to memory of 2820	1732	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe	17mf8.cn.exe
PID 2820 wrote to memory of 1252	2820	17mf8.cn.exe	calc.exe
PID 2820 wrote to memory of 1252	2820	17mf8.cn.exe	calc.exe
PID 2820 wrote to memory of 1252	2820	17mf8.cn.exe	calc.exe
PID 2820 wrote to memory of 1252	2820	17mf8.cn.exe	calc.exe
PID 2820 wrote to memory of 1252	2820	17mf8.cn.exe	calc.exe
PID 2820 wrote to memory of 1252	2820	17mf8.cn.exe	calc.exe
PID 2820 wrote to memory of 2424	2820	17mf8.cn.exe	WerFault.exe
PID 2820 wrote to memory of 2424	2820	17mf8.cn.exe	WerFault.exe
PID 2820 wrote to memory of 2424	2820	17mf8.cn.exe	WerFault.exe
PID 2820 wrote to memory of 2424	2820	17mf8.cn.exe	WerFault.exe
PID 1732 wrote to memory of 688	1732	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe	cmd.exe
PID 1732 wrote to memory of 688	1732	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe	cmd.exe
PID 1732 wrote to memory of 688	1732	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe	cmd.exe
PID 1732 wrote to memory of 688	1732	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe	cmd.exe
PID 1732 wrote to memory of 688	1732	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe	cmd.exe
PID 1732 wrote to memory of 688	1732	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe	cmd.exe
PID 1732 wrote to memory of 688	1732	02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02f2fb981df03a14510e5c320752248d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1732

C:\Program Files\Common Files\Microsoft Shared\MSINFO\17mf8.cn.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\17mf8.cn.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\calc.exe
"C:\Windows\system32\calc.exe"
3⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 300
3⤵
- Loads dropped DLL
- Program crash
PID:2424

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat""
2⤵
- Deletes itself
PID:688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\17mf8.cn.exe

Filesize
581KB

MD5
02f2fb981df03a14510e5c320752248d

SHA1
1a62b7edd945483cf4cd434c073ab0e1d58ef564

SHA256
21be6f449fdbf66a9f69faeb5f74f19a0d8290067a5449299e4d5eec43e4bcfe

SHA512
b624cc51289194e64cc7cff5125efb4cb8f8cfcce257c86b9caf059c672fddb358ae77ba5ef73cdf155d2636729dcc53755492cbc399e12761a4375c62bc1b62

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\SetupDel.bat

Filesize
212B

MD5
2f142b6a47107d2a85f8985f38ed7348

SHA1
a1072abe67d5b58cbfff88d3ceff425da5212699

SHA256
dbda6bff5a91b6a467c9ad38bf1ef2b423ee820d9a93228cd84d70e8e251a3ad

SHA512
87af0fa279e72f4dc127f798617f0a44576d61608952454e8d9f25565d9b0cbad444b92f380a15a9756ceafda148acb531b3f5a2488dcdcf47ac2239615665d4

Download Submit
memory/1252-103-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1252-106-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1252-104-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1732-34-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-57-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-75-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-74-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-73-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-72-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-71-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-70-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-69-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-68-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-67-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-66-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-65-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-64-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-63-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-62-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-61-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-60-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-59-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-58-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-30-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-56-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-55-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-54-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-53-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-52-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-51-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-50-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-49-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-48-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-31-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-46-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-45-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-44-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-43-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-42-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-41-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-40-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-39-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-38-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-37-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-36-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-35-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-77-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-33-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-32-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-47-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-76-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-26-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-28-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-27-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-29-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-25-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-24-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-23-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-22-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-21-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-20-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-19-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-18-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-17-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-16-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1732-15-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1732-14-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1732-13-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1732-12-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1732-11-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1732-10-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1732-9-0x0000000001E40000-0x0000000001E41000-memory.dmp

Filesize
4KB

Download
memory/1732-8-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download
memory/1732-7-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/1732-6-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1732-4-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/1732-2-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/1732-1-0x0000000000560000-0x00000000005B4000-memory.dmp

Filesize
336KB

Download
memory/1732-5-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1732-3-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1732-98-0x0000000004370000-0x00000000044C4000-memory.dmp

Filesize
1.3MB

Download
memory/1732-97-0x0000000004370000-0x00000000044C4000-memory.dmp

Filesize
1.3MB

Download
memory/1732-111-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1732-132-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1732-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1732-113-0x0000000000560000-0x00000000005B4000-memory.dmp

Filesize
336KB

Download
memory/1732-114-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1732-116-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1732-115-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1732-117-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1732-121-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1732-120-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1732-119-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1732-123-0x0000000004370000-0x00000000044C4000-memory.dmp

Filesize
1.3MB

Download
memory/2820-112-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2820-99-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download