modiloader | 7b5736fa6467b3b9715b0b1c3761937a53952fbd01611dc5d2916efb0b3ed339

Analysis

max time kernel
140s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89463bf46c91af6aa2bb7a4e1a99d2f9_JaffaCakes118.exe
Size

595KB
MD5

89463bf46c91af6aa2bb7a4e1a99d2f9
SHA1

296a5e209746a2141cf7a4eb7951616252c6d090
SHA256

7b5736fa6467b3b9715b0b1c3761937a53952fbd01611dc5d2916efb0b3ed339
SHA512

20811928f57978563c5b2df1c74351b6f2e372c903ac3ae66d8063bac12092c605d1a747cc1c4e9ae3ef2eef8c31daa7511e6e0fab137b6130d24368e9a80e48
SSDEEP

12288:e/zQayHZOA8GaUV/nKBCY8oAv8+f2/F3Z4mxxtDqVTVOCMg:e70HBday/nKcY40+fQQmXsVTzMg

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral2/memory/1532-71-0x0000000000400000-0x000000000055E000-memory.dmp	modiloader_stage2
behavioral2/memory/2044-77-0x0000000000400000-0x000000000055E000-memory.dmp	modiloader_stage2
behavioral2/memory/2044-81-0x0000000000400000-0x000000000055E000-memory.dmp	modiloader_stage2
behavioral2/memory/1532-83-0x0000000000400000-0x000000000055E000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2044	rejoice51.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rejoice51.exe	89463bf46c91af6aa2bb7a4e1a99d2f9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\rejoice51.exe	89463bf46c91af6aa2bb7a4e1a99d2f9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\rejoice51.exe	rejoice51.exe
File created	C:\Windows\SysWOW64\Delet.bat	89463bf46c91af6aa2bb7a4e1a99d2f9_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89463bf46c91af6aa2bb7a4e1a99d2f9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rejoice51.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 2044	1532	89463bf46c91af6aa2bb7a4e1a99d2f9_JaffaCakes118.exe	87
PID 1532 wrote to memory of 2044	1532	89463bf46c91af6aa2bb7a4e1a99d2f9_JaffaCakes118.exe	87
PID 1532 wrote to memory of 2044	1532	89463bf46c91af6aa2bb7a4e1a99d2f9_JaffaCakes118.exe	87
PID 1532 wrote to memory of 1868	1532	89463bf46c91af6aa2bb7a4e1a99d2f9_JaffaCakes118.exe	88
PID 1532 wrote to memory of 1868	1532	89463bf46c91af6aa2bb7a4e1a99d2f9_JaffaCakes118.exe	88
PID 1532 wrote to memory of 1868	1532	89463bf46c91af6aa2bb7a4e1a99d2f9_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\89463bf46c91af6aa2bb7a4e1a99d2f9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\89463bf46c91af6aa2bb7a4e1a99d2f9_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\SysWOW64\rejoice51.exe
  C:\Windows\system32\rejoice51.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\Delet.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Delet.bat

Filesize
212B

MD5
fbd4c0c021b4e5a766bf8bb59104e2ca

SHA1
a4e6775f24fff77775eca407c1e59c84b450cf57

SHA256
deac02e2bd413e741757ffd698fa07b147f51c6b13de871eb65cc21ca60a2a8b

SHA512
c5759814f7f84ceda5fa765cbc0f0bbdb21b348fa39ad6a8562a79e1b7363726791b48cd88f58a5f17d722050b3660948e088da7c394f51e60d512d3af48997c

Download Submit
C:\Windows\SysWOW64\rejoice51.exe

Filesize
595KB

MD5
89463bf46c91af6aa2bb7a4e1a99d2f9

SHA1
296a5e209746a2141cf7a4eb7951616252c6d090

SHA256
7b5736fa6467b3b9715b0b1c3761937a53952fbd01611dc5d2916efb0b3ed339

SHA512
20811928f57978563c5b2df1c74351b6f2e372c903ac3ae66d8063bac12092c605d1a747cc1c4e9ae3ef2eef8c31daa7511e6e0fab137b6130d24368e9a80e48

Download Submit
memory/1532-0-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1532-1-0x0000000002350000-0x00000000023A4000-memory.dmp

Filesize
336KB

Download
memory/1532-36-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-70-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-69-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-68-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-67-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-66-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-65-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-64-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-63-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-62-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-61-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-60-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-59-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-58-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-57-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-56-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-55-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-54-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-53-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-52-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-51-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-50-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-49-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-48-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-47-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-46-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-45-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-44-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-43-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-42-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-41-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-40-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-39-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-38-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-37-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-35-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-34-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-33-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-32-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-31-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-30-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-29-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-28-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-27-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-26-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-25-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-24-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-23-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-22-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-21-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-20-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-19-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-18-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-17-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1532-16-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/1532-15-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/1532-14-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/1532-13-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/1532-12-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/1532-11-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/1532-10-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/1532-9-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1532-8-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1532-7-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1532-6-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/1532-5-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/1532-4-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1532-3-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1532-2-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1532-71-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1532-84-0x0000000002350000-0x00000000023A4000-memory.dmp

Filesize
336KB

Download
memory/1532-83-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2044-77-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2044-81-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download