modiloader | fc5535faced4f0165bc911bb15f2ed082afa14f3d3a81c207dc11896971d2719

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 01:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3b76dce7898efb01104f860ea3c90f06_JaffaCakes118.exe
Size

392KB
MD5

3b76dce7898efb01104f860ea3c90f06
SHA1

cd7de7df42b24d9bd62d1da5fdd3e9bfdd53c256
SHA256

fc5535faced4f0165bc911bb15f2ed082afa14f3d3a81c207dc11896971d2719
SHA512

fdbc4a0c2de437e7c917d02709af04f8f5162973b9b1264917fc692e4800d7aa9e5c667958f8cf47c66c96193e487f218c1020d79d0775f6b39c151dbf8af242
SSDEEP

12288:IhRTDAT2QF3Z4mxxy1P0KXpsj0JlETJWn8:IhS2QQmXHxjaETj

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/3296-95-0x00000000005C0000-0x00000000005E4000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
3296	server.exe

Loads dropped DLL 2 IoCs

pid	Process
3296	server.exe
3296	server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3b76dce7898efb01104f860ea3c90f06_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\atmQQ2.dll	server.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3296	server.exe
3296	server.exe
3296	server.exe
3296	server.exe
3296	server.exe
3296	server.exe
3296	server.exe
3296	server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3296	server.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3856 wrote to memory of 3296	3856	3b76dce7898efb01104f860ea3c90f06_JaffaCakes118.exe	83
PID 3856 wrote to memory of 3296	3856	3b76dce7898efb01104f860ea3c90f06_JaffaCakes118.exe	83
PID 3856 wrote to memory of 3296	3856	3b76dce7898efb01104f860ea3c90f06_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\3b76dce7898efb01104f860ea3c90f06_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b76dce7898efb01104f860ea3c90f06_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3856
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\MSInfo\atmQQ2.dll

Filesize
21KB

MD5
594054e159bef7151719ca7f5182961d

SHA1
a51ce91e94e3c68de0d4a0ac968d8a0242947d14

SHA256
64d8b1ed8a727d9385dd8d982beffcdb4a2cab4cbe29a429c237d25bf1aaa48a

SHA512
3de6fd264bd5ba0c7f3179955d422bbb042f028af7bb69e939f4e4cd0a8e322f2e7f858d3a8a6e27fab975aceff0cf6143344b364d663c9135a207b82757952d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
40KB

MD5
cf53c4211cadfc6a77daee5f959cba58

SHA1
621f543726cd5a246cf0daa0b822ea90ae1a5ca7

SHA256
b44965a5fb8d520b84087646f6dbf7671437e07913f2a6c9cdfe8272876c2b5b

SHA512
e91438e5275b873bf628a92cf998d159757ffa8e5d9c1075bc1fd9576f5c0088850bf7b2e32df3034411d141b7e000270a3e80e5e2b0175100c625edfec88163

Download Submit
memory/3296-95-0x00000000005C0000-0x00000000005E4000-memory.dmp

Filesize
144KB

Download
memory/3296-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3856-0-0x0000000001000000-0x0000000001081000-memory.dmp

Filesize
516KB

Download
memory/3856-1-0x00000000006A0000-0x00000000006F4000-memory.dmp

Filesize
336KB

Download
memory/3856-2-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/3856-3-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3856-11-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3856-17-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3856-50-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-49-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-63-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-62-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-61-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-60-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-75-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-59-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-58-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-78-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-77-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-84-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-83-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-82-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-81-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-80-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-79-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-76-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-57-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-56-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-55-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-54-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-53-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-52-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-87-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-86-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-85-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-51-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-48-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-47-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/3856-46-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/3856-45-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/3856-44-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/3856-43-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3856-42-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3856-41-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3856-88-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-40-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3856-39-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3856-38-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3856-37-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/3856-93-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-92-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-91-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-90-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-89-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-36-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/3856-35-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/3856-34-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/3856-33-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/3856-94-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-32-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/3856-31-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/3856-30-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/3856-29-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/3856-28-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/3856-27-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/3856-26-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/3856-25-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/3856-24-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/3856-23-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/3856-22-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/3856-21-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/3856-20-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/3856-19-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/3856-18-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3856-16-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3856-15-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/3856-14-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3856-13-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3856-12-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3856-4-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/3856-10-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3856-9-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3856-8-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/3856-7-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/3856-6-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/3856-5-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/3856-97-0x0000000001000000-0x0000000001081000-memory.dmp

Filesize
516KB

Download
memory/3856-98-0x00000000006A0000-0x00000000006F4000-memory.dmp

Filesize
336KB

Download
memory/3856-99-0x0000000003080000-0x000000000309B000-memory.dmp

Filesize
108KB

Download
memory/3856-107-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3856-106-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3856-105-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3856-104-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3856-103-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3856-102-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3856-101-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/3856-108-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download