modiloader | 2669b69ec69dfd251a32e327180fcc3b30c1d9fa451cb15ffb00fb8cb0e2d591

Analysis

max time kernel
134s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0118eec5cb782536073327ab65aec67_JaffaCakes118.exe
Size

673KB
MD5

c0118eec5cb782536073327ab65aec67
SHA1

ea27b890f873f5c7011ade3beda3c1f3f6a97fe7
SHA256

2669b69ec69dfd251a32e327180fcc3b30c1d9fa451cb15ffb00fb8cb0e2d591
SHA512

f1f1ac8759c1a9285c69388e8a485d84ccf3177c541e3b6ffb1c847263793f00cae84a2fb88b4f768c24e3fadd588e55f6c4f2cb44ba7146846b04121f5108fc
SSDEEP

12288:jmaWd0zLoWcodNpB4VnBcQXF3Z4mxx7d4t0KIi1sjJ1gV0wfIc1Pa:6aWuwedjmBRXQmX7qtz1GjJYICPa

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/1608-79-0x0000000000400000-0x00000000004BE000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	c0118eec5cb782536073327ab65aec67_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1608	¸´¼þ 8_server.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fiele Ps.txt	¸´¼þ 8_server.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1608 set thread context of 4892	1608	¸´¼þ 8_server.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
220	4892	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0118eec5cb782536073327ab65aec67_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	¸´¼þ 8_server.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 1608	1648	c0118eec5cb782536073327ab65aec67_JaffaCakes118.exe	85
PID 1648 wrote to memory of 1608	1648	c0118eec5cb782536073327ab65aec67_JaffaCakes118.exe	85
PID 1648 wrote to memory of 1608	1648	c0118eec5cb782536073327ab65aec67_JaffaCakes118.exe	85
PID 1608 wrote to memory of 4892	1608	¸´¼þ 8_server.exe	86
PID 1608 wrote to memory of 4892	1608	¸´¼þ 8_server.exe	86
PID 1608 wrote to memory of 4892	1608	¸´¼þ 8_server.exe	86
PID 1608 wrote to memory of 4892	1608	¸´¼þ 8_server.exe	86
PID 1608 wrote to memory of 4892	1608	¸´¼þ 8_server.exe	86

C:\Users\Admin\AppData\Local\Temp\c0118eec5cb782536073327ab65aec67_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c0118eec5cb782536073327ab65aec67_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Local\Temp\¸´¼þ 8_server.exe
  "C:\Users\Admin\AppData\Local\Temp\¸´¼þ 8_server.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\SysWOW64\mstsc.exe
    "C:\Windows\system32\mstsc.exe"
    3⤵
    PID:4892
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 12
      4⤵
      Program crash
      PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4892 -ip 4892
1⤵
PID:956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\¸´¼þ 8_server.exe

Filesize
355KB

MD5
d67bd7934f35727c3fa265b1e5ce7771

SHA1
ae520276426fb0c2ba70b11ee664b7b039b91775

SHA256
6f77cd3edda5c2bd0f36178f18ec9833b14b2b3547ae3ca2eb992f413b399602

SHA512
446aae1f3f16c808295bc07befeaac9683cf58aae879f9b6758fb770d6b70707be2cf1479e0cf5d710342f220b101865214fbe4d23023f068eb1fa560a5bd635

Download Submit
memory/1608-79-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1648-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1648-1-0x00000000007F0000-0x0000000000844000-memory.dmp

Filesize
336KB

Download
memory/1648-62-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1648-63-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1648-66-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1648-51-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1648-65-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1648-64-0x0000000003420000-0x0000000003423000-memory.dmp

Filesize
12KB

Download
memory/1648-61-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1648-60-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1648-59-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1648-58-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1648-57-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1648-55-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1648-54-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1648-53-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1648-52-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1648-27-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1648-48-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1648-47-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1648-46-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1648-45-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1648-44-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1648-43-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1648-42-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1648-41-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/1648-40-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1648-39-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1648-38-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1648-37-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1648-36-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1648-35-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1648-34-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/1648-33-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1648-32-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1648-31-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1648-30-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1648-29-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1648-28-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1648-26-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1648-25-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1648-24-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1648-23-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1648-22-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1648-21-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1648-20-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1648-19-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1648-18-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1648-17-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1648-56-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1648-50-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1648-49-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1648-16-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1648-15-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/1648-14-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1648-13-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1648-12-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1648-11-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1648-10-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1648-9-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1648-8-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1648-7-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/1648-6-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1648-5-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1648-4-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/1648-3-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/1648-2-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/1648-75-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1648-76-0x00000000007F0000-0x0000000000844000-memory.dmp

Filesize
336KB

Download
memory/4892-78-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download