modiloader | 5defa642588973d1f05b5727da4abe62fc4af6abc85b510a2eaf28288502e1ca

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 21:20 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17912b6fe92a6a47b414b028685c60db_JaffaCakes118.exe
Size

480KB
MD5

17912b6fe92a6a47b414b028685c60db
SHA1

754b1918a98bf85cfdd925e1a50ff3de17e8b1ef
SHA256

5defa642588973d1f05b5727da4abe62fc4af6abc85b510a2eaf28288502e1ca
SHA512

4ebff1a4b24c80a0233bf42e8f84584f4cb9543e1102f95336eb5e0591b99e58dd86ac46cd6a870053161ac5712141630294c8ddcbf67aa915a4c3d77cd16ae2
SSDEEP

6144:J1zdTAymDA+k86XxqaCBeFndXF2idZecnl20lHRxp3gCncduD7yB9VCO6Sco4q8d:FT1jf86Xxd7F3Z4mxx9DqVTVOCLu

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/1728-36-0x0000000013140000-0x00000000131C4000-memory.dmp	modiloader_stage2
behavioral1/memory/2572-228-0x0000000013140000-0x00000000131C4000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2660	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2572	netservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	netservice.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2660	1728	17912b6fe92a6a47b414b028685c60db_JaffaCakes118.exe	29
PID 1728 wrote to memory of 2660	1728	17912b6fe92a6a47b414b028685c60db_JaffaCakes118.exe	29
PID 1728 wrote to memory of 2660	1728	17912b6fe92a6a47b414b028685c60db_JaffaCakes118.exe	29
PID 1728 wrote to memory of 2660	1728	17912b6fe92a6a47b414b028685c60db_JaffaCakes118.exe	29
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31
PID 2572 wrote to memory of 2652	2572	netservice.exe	31

C:\Users\Admin\AppData\Local\Temp\17912b6fe92a6a47b414b028685c60db_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17912b6fe92a6a47b414b028685c60db_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\17912b6fe92a6a47b414b028685c60db_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  PID:2660

C:\Users\Admin\Favorites\netservice.exe
C:\Users\Admin\Favorites\netservice.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\System32\svchost.exe
  2⤵
  PID:2652

Network

DNS

tzlin.3322.org

svchost.exe

Remote address:

8.8.8.8:53

Request

tzlin.3322.org

IN A

Response

No results found

8.8.8.8:53

tzlin.3322.org

dns

svchost.exe

60 B
124 B
1
1

DNS Request

tzlin.3322.org

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Favorites\netservice.exe

Filesize
480KB

MD5
17912b6fe92a6a47b414b028685c60db

SHA1
754b1918a98bf85cfdd925e1a50ff3de17e8b1ef

SHA256
5defa642588973d1f05b5727da4abe62fc4af6abc85b510a2eaf28288502e1ca

SHA512
4ebff1a4b24c80a0233bf42e8f84584f4cb9543e1102f95336eb5e0591b99e58dd86ac46cd6a870053161ac5712141630294c8ddcbf67aa915a4c3d77cd16ae2

Download Submit
memory/1728-19-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/1728-28-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1728-7-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/1728-6-0x0000000001B60000-0x0000000001B61000-memory.dmp

Filesize
4KB

Download
memory/1728-5-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1728-18-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/1728-3-0x0000000001B70000-0x0000000001B71000-memory.dmp

Filesize
4KB

Download
memory/1728-2-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1728-1-0x0000000001BC0000-0x0000000001C14000-memory.dmp

Filesize
336KB

Download
memory/1728-26-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/1728-27-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1728-25-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/1728-24-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/1728-23-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1728-22-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1728-21-0x0000000001E40000-0x0000000001E41000-memory.dmp

Filesize
4KB

Download
memory/1728-20-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/1728-0-0x0000000013140000-0x00000000131C4000-memory.dmp

Filesize
528KB

Download
memory/1728-8-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/1728-29-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1728-4-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1728-17-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/1728-16-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/1728-15-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/1728-14-0x0000000001E50000-0x0000000001E51000-memory.dmp

Filesize
4KB

Download
memory/1728-13-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1728-12-0x0000000003110000-0x0000000003112000-memory.dmp

Filesize
8KB

Download
memory/1728-11-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/1728-10-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/1728-9-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1728-37-0x0000000001BC0000-0x0000000001C14000-memory.dmp

Filesize
336KB

Download
memory/1728-36-0x0000000013140000-0x00000000131C4000-memory.dmp

Filesize
528KB

Download
memory/2572-33-0x0000000013140000-0x00000000131C4000-memory.dmp

Filesize
528KB

Download
memory/2572-228-0x0000000013140000-0x00000000131C4000-memory.dmp

Filesize
528KB

Download
memory/2652-39-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2652-45-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2652-54-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download