modiloader | 3a5f033cf4ee8b35331a0f33d4692b4188e5fc7a9747a8635d317ff3ccd49600

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe
Size

588KB
MD5

7399b04ed244435c4d082b45a95c3ee7
SHA1

255fe7bb5c55c9751d2f6a6c09db14c4cd091676
SHA256

3a5f033cf4ee8b35331a0f33d4692b4188e5fc7a9747a8635d317ff3ccd49600
SHA512

a0baad8992538bb8f828d88f425efb53a9979de23d0417ee0bbd060189daa2c015b90472ca431036bb860826df5e3e5bcbd0ac86dd2d0fcb21b0fde9fdfa501f
SSDEEP

12288:CV2B6B7wwpuKO9vPYPN+Hb2aSkmIF3Z4mxxl+utJ2An+f0m6:CUBYBshHq+7W6QmXl/w9fi

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4896-62-0x0000000000400000-0x000000000055D000-memory.dmp	modiloader_stage2
behavioral2/memory/4884-68-0x0000000000400000-0x000000000055D000-memory.dmp	modiloader_stage2
behavioral2/memory/4896-75-0x0000000000400000-0x000000000055D000-memory.dmp	modiloader_stage2
behavioral2/memory/4884-73-0x0000000000400000-0x000000000055D000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

rejoice47.exe

pid process

4884 rejoice47.exe

pid	process
4884	rejoice47.exe

Drops file in System32 directory 2 IoCs

Processes:

rejoice47.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_rejoice47.exe	rejoice47.exe
File opened for modification	C:\Windows\SysWOW64\_rejoice47.exe	rejoice47.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rejoice47.exe

description pid process target process

PID 4884 set thread context of 1664 4884 rejoice47.exe calc.exe

description	pid	process	target process
PID 4884 set thread context of 1664	4884	rejoice47.exe	calc.exe

Drops file in Program Files directory 2 IoCs

Processes:

7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe	7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe	7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4080 1664 WerFault.exe calc.exe

pid	pid_target	process	target process
4080	1664	WerFault.exe	calc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exerejoice47.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rejoice47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exerejoice47.exe

description	pid	process	target process
PID 4896 wrote to memory of 4884	4896	7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe	rejoice47.exe
PID 4896 wrote to memory of 4884	4896	7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe	rejoice47.exe
PID 4896 wrote to memory of 4884	4896	7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe	rejoice47.exe
PID 4884 wrote to memory of 1664	4884	rejoice47.exe	calc.exe
PID 4884 wrote to memory of 1664	4884	rejoice47.exe	calc.exe
PID 4884 wrote to memory of 1664	4884	rejoice47.exe	calc.exe
PID 4884 wrote to memory of 1664	4884	rejoice47.exe	calc.exe
PID 4884 wrote to memory of 1664	4884	rejoice47.exe	calc.exe
PID 4884 wrote to memory of 1372	4884	rejoice47.exe	IEXPLORE.EXE
PID 4884 wrote to memory of 1372	4884	rejoice47.exe	IEXPLORE.EXE
PID 4896 wrote to memory of 4592	4896	7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe	cmd.exe
PID 4896 wrote to memory of 4592	4896	7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe	cmd.exe
PID 4896 wrote to memory of 4592	4896	7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4896

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\SysWOW64\calc.exe
"C:\Windows\system32\calc.exe"
3⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 12
4⤵
- Program crash
PID:4080

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
3⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
cmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\7399b04ed244435c4d082b45a95c3ee7_JaffaCakes118.exe"
2⤵
- System Location Discovery: System Language Discovery
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1664 -ip 1664
1⤵
PID:2332

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\MSInfo\rejoice47.exe
Filesize
588KB

MD5
7399b04ed244435c4d082b45a95c3ee7

SHA1
255fe7bb5c55c9751d2f6a6c09db14c4cd091676

SHA256
3a5f033cf4ee8b35331a0f33d4692b4188e5fc7a9747a8635d317ff3ccd49600

SHA512
a0baad8992538bb8f828d88f425efb53a9979de23d0417ee0bbd060189daa2c015b90472ca431036bb860826df5e3e5bcbd0ac86dd2d0fcb21b0fde9fdfa501f

Download Submit
memory/1664-71-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/4884-68-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/4884-73-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/4896-0-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/4896-1-0x0000000002320000-0x0000000002374000-memory.dmp

Filesize
336KB

Download
memory/4896-61-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-60-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-59-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-58-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-57-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-56-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-55-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-54-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-53-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-52-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-51-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-50-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-49-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-48-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-47-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-46-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-45-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-44-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-43-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-42-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-41-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-40-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-39-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-38-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-37-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-36-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-35-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-34-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-33-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-32-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-31-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-30-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-29-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-28-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-27-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-26-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-25-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-24-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-23-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-22-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-21-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-20-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-19-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-18-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-17-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4896-16-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/4896-15-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/4896-14-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/4896-13-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/4896-12-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/4896-11-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/4896-10-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/4896-9-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/4896-8-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/4896-7-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/4896-6-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/4896-5-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/4896-4-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/4896-3-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/4896-2-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/4896-62-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/4896-76-0x0000000002320000-0x0000000002374000-memory.dmp

Filesize
336KB

Download
memory/4896-75-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download