modiloader | 723c37d9264fb5328e0c266a919acbb165b13f31f4c973e3e5f2d6a693ebef64

Analysis

max time kernel
142s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2abb9bfc24c04408b2b30f975b2e04d_JaffaCakes118.exe
Size

683KB
MD5

d2abb9bfc24c04408b2b30f975b2e04d
SHA1

65a94a615886ab4c29e2339983f4fe0dff0a6eda
SHA256

723c37d9264fb5328e0c266a919acbb165b13f31f4c973e3e5f2d6a693ebef64
SHA512

6730570439fb66d1af6497e3986b700f35e448f991056729a3464248646ca3c4a49ed61afcbc6b77a4a693ae7d5bfb28f81c0ce687dec95ba7b444bc8ff67016
SSDEEP

12288:qB59tGKgLueUklEEBgpybO+OPCXeF3Z4mxxz+hlMkN0J6Yy7hNtp/SJi:MOndEEBgp8O+OKXeQmXz+skNcl0Ss

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/3008-75-0x0000000000400000-0x000000000056B000-memory.dmp	modiloader_stage2
behavioral1/memory/2788-80-0x0000000000400000-0x000000000056B000-memory.dmp	modiloader_stage2
behavioral1/memory/3008-92-0x0000000000400000-0x000000000056B000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2064	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2788	rejoice47.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2788 set thread context of 2704	2788	rejoice47.exe	31

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\_rejoice47.exe	rejoice47.exe
File opened for modification	C:\Windows\_rejoice47.exe	rejoice47.exe
File created	C:\Windows\SetupDel.bat	d2abb9bfc24c04408b2b30f975b2e04d_JaffaCakes118.exe
File created	C:\Windows\rejoice47.exe	d2abb9bfc24c04408b2b30f975b2e04d_JaffaCakes118.exe
File opened for modification	C:\Windows\rejoice47.exe	d2abb9bfc24c04408b2b30f975b2e04d_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2828	2788	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2abb9bfc24c04408b2b30f975b2e04d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rejoice47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2788	3008	d2abb9bfc24c04408b2b30f975b2e04d_JaffaCakes118.exe	30
PID 3008 wrote to memory of 2788	3008	d2abb9bfc24c04408b2b30f975b2e04d_JaffaCakes118.exe	30
PID 3008 wrote to memory of 2788	3008	d2abb9bfc24c04408b2b30f975b2e04d_JaffaCakes118.exe	30
PID 3008 wrote to memory of 2788	3008	d2abb9bfc24c04408b2b30f975b2e04d_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2704	2788	rejoice47.exe	31
PID 2788 wrote to memory of 2704	2788	rejoice47.exe	31
PID 2788 wrote to memory of 2704	2788	rejoice47.exe	31
PID 2788 wrote to memory of 2704	2788	rejoice47.exe	31
PID 2788 wrote to memory of 2704	2788	rejoice47.exe	31
PID 2788 wrote to memory of 2704	2788	rejoice47.exe	31
PID 2788 wrote to memory of 2828	2788	rejoice47.exe	32
PID 2788 wrote to memory of 2828	2788	rejoice47.exe	32
PID 2788 wrote to memory of 2828	2788	rejoice47.exe	32
PID 2788 wrote to memory of 2828	2788	rejoice47.exe	32
PID 3008 wrote to memory of 2064	3008	d2abb9bfc24c04408b2b30f975b2e04d_JaffaCakes118.exe	34
PID 3008 wrote to memory of 2064	3008	d2abb9bfc24c04408b2b30f975b2e04d_JaffaCakes118.exe	34
PID 3008 wrote to memory of 2064	3008	d2abb9bfc24c04408b2b30f975b2e04d_JaffaCakes118.exe	34
PID 3008 wrote to memory of 2064	3008	d2abb9bfc24c04408b2b30f975b2e04d_JaffaCakes118.exe	34
PID 3008 wrote to memory of 2064	3008	d2abb9bfc24c04408b2b30f975b2e04d_JaffaCakes118.exe	34
PID 3008 wrote to memory of 2064	3008	d2abb9bfc24c04408b2b30f975b2e04d_JaffaCakes118.exe	34
PID 3008 wrote to memory of 2064	3008	d2abb9bfc24c04408b2b30f975b2e04d_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\d2abb9bfc24c04408b2b30f975b2e04d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d2abb9bfc24c04408b2b30f975b2e04d_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\rejoice47.exe
  C:\Windows\rejoice47.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 300
    3⤵
    - Program crash
    PID:2828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SetupDel.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SetupDel.bat

Filesize
212B

MD5
7cff697ac9b8df5f10be9795f85855f6

SHA1
e9acaf62eb9ce5336452da276b97a9ea75467194

SHA256
2357dc30cf94da09eca9726d439b899568367a2a3a17436e9be3203028ca8936

SHA512
283dcd94ac17e19586cae09d3b1265791e0c423a525fc7dab30c8c58721967db32e2e65bc25ea4e23993b392bc0c96b6648d4629d0963c4b8f0fd09bfe8efb29

Download Submit
C:\Windows\rejoice47.exe

Filesize
683KB

MD5
d2abb9bfc24c04408b2b30f975b2e04d

SHA1
65a94a615886ab4c29e2339983f4fe0dff0a6eda

SHA256
723c37d9264fb5328e0c266a919acbb165b13f31f4c973e3e5f2d6a693ebef64

SHA512
6730570439fb66d1af6497e3986b700f35e448f991056729a3464248646ca3c4a49ed61afcbc6b77a4a693ae7d5bfb28f81c0ce687dec95ba7b444bc8ff67016

Download Submit
memory/2704-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2704-73-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/2788-80-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/3008-30-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-26-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-57-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-56-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-55-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-54-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-53-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-52-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-51-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-50-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-49-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-48-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-47-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-46-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-45-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-44-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-43-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-42-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-41-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-40-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-39-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-38-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-37-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-36-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-35-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-34-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-33-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-32-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-31-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-0-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/3008-29-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-28-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-1-0x0000000000310000-0x0000000000364000-memory.dmp

Filesize
336KB

Download
memory/3008-25-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-27-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-24-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-23-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-22-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-21-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-20-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-19-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-18-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-17-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-16-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/3008-15-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/3008-14-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/3008-13-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/3008-12-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/3008-11-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/3008-10-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3008-9-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3008-8-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/3008-7-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3008-6-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3008-5-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3008-4-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/3008-3-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3008-2-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/3008-64-0x00000000043A0000-0x000000000450B000-memory.dmp

Filesize
1.4MB

Download
memory/3008-65-0x00000000043A0000-0x000000000450B000-memory.dmp

Filesize
1.4MB

Download
memory/3008-75-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/3008-76-0x0000000000310000-0x0000000000364000-memory.dmp

Filesize
336KB

Download
memory/3008-77-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3008-78-0x00000000043A0000-0x000000000450B000-memory.dmp

Filesize
1.4MB

Download
memory/3008-92-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download