modiloader | d8a384183e01127e892d8f7545fbc5c22333e08bf2251282e130dd445957e641

Analysis

max time kernel
140s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

759cd76c94fbd48a0341abfe88abfa98_JaffaCakes118.exe
Size

43KB
MD5

759cd76c94fbd48a0341abfe88abfa98
SHA1

b7ce525e857fe34e9c7cf1fd5cb288d941cd621e
SHA256

d8a384183e01127e892d8f7545fbc5c22333e08bf2251282e130dd445957e641
SHA512

79d0dbfb9c84e5ea4f44238a36f47c9e782f602b666de20119c01eaef65299fc10ee9b788d6d0b8ac1bc84d1e781ed92371bc9b6bc0fdc5aec4469f62ad33ff8
SSDEEP

768:kvVElnMvr0kTCNMm3Deg06m4cb5WOvi4oUw46c538HbP1MTp8WiUQS3+vxoha5re:kvVEJjMm3Deg9AQ4w46c538HbPW+vUQ0

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral2/memory/5056-4-0x0000000002020000-0x0000000002033000-memory.dmp	modiloader_stage2
behavioral2/files/0x0009000000023470-3.dat	modiloader_stage2
behavioral2/memory/5056-7-0x0000000000400000-0x000000000041D000-memory.dmp	modiloader_stage2
behavioral2/memory/5056-8-0x0000000002020000-0x0000000002033000-memory.dmp	modiloader_stage2
behavioral2/memory/5056-30-0x0000000002020000-0x0000000002033000-memory.dmp	modiloader_stage2

Loads dropped DLL 2 IoCs

pid	Process
5056	759cd76c94fbd48a0341abfe88abfa98_JaffaCakes118.exe
5056	759cd76c94fbd48a0341abfe88abfa98_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo2.dll	759cd76c94fbd48a0341abfe88abfa98_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	759cd76c94fbd48a0341abfe88abfa98_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5056	759cd76c94fbd48a0341abfe88abfa98_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\759cd76c94fbd48a0341abfe88abfa98_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\759cd76c94fbd48a0341abfe88abfa98_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\MSInfo\SysInfo2.dll

Filesize
56KB

MD5
04cb97773c95887787a02e04ec3908af

SHA1
6b64496d03b007de6f3acbaa977a353e514df72a

SHA256
d13911770deb902ec08e6e45c792fe40540d81c19ed24c39ddf20a1452171efe

SHA512
d05b9b6ad21df43b606fe4cec8427ea0f1ec0c02e8b3e3931414225a6ede5db0118bf084c8d21ba717cf59a11470d592989e8d6af3ba3fd6d5c6eb01ca8b8a82

Download Submit
memory/5056-4-0x0000000002020000-0x0000000002033000-memory.dmp

Filesize
76KB

Download
memory/5056-7-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5056-8-0x0000000002020000-0x0000000002033000-memory.dmp

Filesize
76KB

Download
memory/5056-30-0x0000000002020000-0x0000000002033000-memory.dmp

Filesize
76KB

Download