modiloader | a48beb720bc1445809a285075fcc986f068fa0bf84935b051b1b80f09e264c6d

Analysis

max time kernel
146s
max time network
139s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3fe69a851ad847f22b0c155c7800878_JaffaCakes118.exe
Size

2.1MB
MD5

d3fe69a851ad847f22b0c155c7800878
SHA1

4c4cf41ced40e10f41a3b9668a0196bc125bf926
SHA256

a48beb720bc1445809a285075fcc986f068fa0bf84935b051b1b80f09e264c6d
SHA512

f076bdc7a75d5e5dafdd50537fb888567e7376d84bf770b3ad60840ca7ed9bc2820a1ddb3c80085359242bdb5e26adc355f396e0f2fec26be2b9d1316550d9b8
SSDEEP

49152:dQrRN/3rOvViHA9FaiiQxfLhMfaWWk/OK:dQNN2ViHAg2zKaWN

Score

10^/10

modiloader discovery evasion trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 15 IoCs

resource	yara_rule
behavioral1/memory/2784-20-0x0000000000400000-0x0000000002E2E000-memory.dmp	modiloader_stage2
behavioral1/memory/2864-22-0x0000000000400000-0x0000000002E2E000-memory.dmp	modiloader_stage2
behavioral1/memory/2864-23-0x0000000000400000-0x0000000002E2E000-memory.dmp	modiloader_stage2
behavioral1/memory/2864-24-0x0000000000400000-0x0000000002E2E000-memory.dmp	modiloader_stage2
behavioral1/memory/2864-25-0x0000000000400000-0x0000000002E2E000-memory.dmp	modiloader_stage2
behavioral1/memory/2864-26-0x0000000000400000-0x0000000002E2E000-memory.dmp	modiloader_stage2
behavioral1/memory/2864-27-0x0000000000400000-0x0000000002E2E000-memory.dmp	modiloader_stage2
behavioral1/memory/2864-28-0x0000000000400000-0x0000000002E2E000-memory.dmp	modiloader_stage2
behavioral1/memory/2864-29-0x0000000000400000-0x0000000002E2E000-memory.dmp	modiloader_stage2
behavioral1/memory/2864-30-0x0000000000400000-0x0000000002E2E000-memory.dmp	modiloader_stage2
behavioral1/memory/2864-31-0x0000000000400000-0x0000000002E2E000-memory.dmp	modiloader_stage2
behavioral1/memory/2864-32-0x0000000000400000-0x0000000002E2E000-memory.dmp	modiloader_stage2
behavioral1/memory/2864-33-0x0000000000400000-0x0000000002E2E000-memory.dmp	modiloader_stage2
behavioral1/memory/2864-34-0x0000000000400000-0x0000000002E2E000-memory.dmp	modiloader_stage2
behavioral1/memory/2864-35-0x0000000000400000-0x0000000002E2E000-memory.dmp	modiloader_stage2

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	scardsvr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ttos.exe

Executes dropped EXE 3 IoCs

pid	Process
2804	unlock.exe
2784	ttos.exe
2864	scardsvr.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine	ttos.exe
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine	scardsvr.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ttos.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	scardsvr.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2784	ttos.exe
2864	scardsvr.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\lock.rar	d3fe69a851ad847f22b0c155c7800878_JaffaCakes118.exe
File opened for modification	C:\Windows\lock.rar	d3fe69a851ad847f22b0c155c7800878_JaffaCakes118.exe
File opened for modification	C:\Windows\run.bat	d3fe69a851ad847f22b0c155c7800878_JaffaCakes118.exe
File created	C:\Windows\ttos.exe	unlock.exe
File created	C:\Windows\scardsvr.exe	ttos.exe
File opened for modification	C:\Windows\scardsvr.exe	ttos.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_259498459	d3fe69a851ad847f22b0c155c7800878_JaffaCakes118.exe
File created	C:\Windows\unlock.exe	d3fe69a851ad847f22b0c155c7800878_JaffaCakes118.exe
File opened for modification	C:\Windows\unlock.exe	d3fe69a851ad847f22b0c155c7800878_JaffaCakes118.exe
File created	C:\Windows\run.bat	d3fe69a851ad847f22b0c155c7800878_JaffaCakes118.exe
File opened for modification	C:\Windows\ttos.exe	unlock.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ttos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scardsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3fe69a851ad847f22b0c155c7800878_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2364	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2364	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2784	ttos.exe
2864	scardsvr.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2252	2908	d3fe69a851ad847f22b0c155c7800878_JaffaCakes118.exe	30
PID 2908 wrote to memory of 2252	2908	d3fe69a851ad847f22b0c155c7800878_JaffaCakes118.exe	30
PID 2908 wrote to memory of 2252	2908	d3fe69a851ad847f22b0c155c7800878_JaffaCakes118.exe	30
PID 2908 wrote to memory of 2252	2908	d3fe69a851ad847f22b0c155c7800878_JaffaCakes118.exe	30
PID 2908 wrote to memory of 2252	2908	d3fe69a851ad847f22b0c155c7800878_JaffaCakes118.exe	30
PID 2908 wrote to memory of 2252	2908	d3fe69a851ad847f22b0c155c7800878_JaffaCakes118.exe	30
PID 2908 wrote to memory of 2252	2908	d3fe69a851ad847f22b0c155c7800878_JaffaCakes118.exe	30
PID 2252 wrote to memory of 2852	2252	cmd.exe	32
PID 2252 wrote to memory of 2852	2252	cmd.exe	32
PID 2252 wrote to memory of 2852	2252	cmd.exe	32
PID 2252 wrote to memory of 2852	2252	cmd.exe	32
PID 2252 wrote to memory of 2852	2252	cmd.exe	32
PID 2252 wrote to memory of 2852	2252	cmd.exe	32
PID 2252 wrote to memory of 2852	2252	cmd.exe	32
PID 2852 wrote to memory of 2804	2852	cmd.exe	34
PID 2852 wrote to memory of 2804	2852	cmd.exe	34
PID 2852 wrote to memory of 2804	2852	cmd.exe	34
PID 2852 wrote to memory of 2804	2852	cmd.exe	34
PID 2852 wrote to memory of 2804	2852	cmd.exe	34
PID 2852 wrote to memory of 2804	2852	cmd.exe	34
PID 2852 wrote to memory of 2804	2852	cmd.exe	34
PID 2852 wrote to memory of 2364	2852	cmd.exe	36
PID 2852 wrote to memory of 2364	2852	cmd.exe	36
PID 2852 wrote to memory of 2364	2852	cmd.exe	36
PID 2852 wrote to memory of 2364	2852	cmd.exe	36
PID 2852 wrote to memory of 2364	2852	cmd.exe	36
PID 2852 wrote to memory of 2364	2852	cmd.exe	36
PID 2852 wrote to memory of 2364	2852	cmd.exe	36
PID 2852 wrote to memory of 2784	2852	cmd.exe	37
PID 2852 wrote to memory of 2784	2852	cmd.exe	37
PID 2852 wrote to memory of 2784	2852	cmd.exe	37
PID 2852 wrote to memory of 2784	2852	cmd.exe	37
PID 2852 wrote to memory of 2784	2852	cmd.exe	37
PID 2852 wrote to memory of 2784	2852	cmd.exe	37
PID 2852 wrote to memory of 2784	2852	cmd.exe	37
PID 2784 wrote to memory of 2864	2784	ttos.exe	38
PID 2784 wrote to memory of 2864	2784	ttos.exe	38
PID 2784 wrote to memory of 2864	2784	ttos.exe	38
PID 2784 wrote to memory of 2864	2784	ttos.exe	38
PID 2784 wrote to memory of 1392	2784	ttos.exe	39
PID 2784 wrote to memory of 1392	2784	ttos.exe	39
PID 2784 wrote to memory of 1392	2784	ttos.exe	39
PID 2784 wrote to memory of 1392	2784	ttos.exe	39

C:\Users\Admin\AppData\Local\Temp\d3fe69a851ad847f22b0c155c7800878_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3fe69a851ad847f22b0c155c7800878_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /min run.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K run.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\unlock.exe
      unlock.exe x lock.rar -o+ -p112233
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:2804
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2364
  - - C:\Windows\ttos.exe
      ttos.exe
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\scardsvr.exe
        
        C:\Windows\scardsvr.exe
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2864
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c erase /F ttos.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\lock.rar

Filesize
1.8MB

MD5
8c5b1ca8052d37478aa2e16ad29dd6d5

SHA1
513e9058612df6043a4f61d116e4e14cafae0b9f

SHA256
f179a78065a9d91e6edf856d4523ef6f6eac700a6cc86dd9edaf632dcec1aa64

SHA512
65f5e410a8d2c84d3eb40f8aa8f9db17b3bd78b54fd0133fe6789ea584d4558bd99040c78bd2c27e2bcbfb0870b831876d59a5737e50d6d8f149aa587606aa9a

Download Submit
C:\Windows\run.bat

Filesize
182B

MD5
1c67a67c7ac1e82a82cc86cd5f9a6b9a

SHA1
d37dbb863ebaf56786e471c9a6f23b70aa0e9d0a

SHA256
424e295c608c4accd6890abfcf9f279bc0180fb51435b509d0b780807e477466

SHA512
6c6611187d9e8eced7f8ea84fb5a416b3d86271f986590d33b89a730d561f4ee80ad6bc0f4ef8b9bfbd874f658831d9ddc9c8ed970f275e07acccbde47ad6694

Download Submit
C:\Windows\ttos.exe

Filesize
1.8MB

MD5
b6447730ee66d1436c009fa75f2158b2

SHA1
dcddabb4f1439b77b5b75f6eab9987fdb08a936d

SHA256
3b39d38b4782f3befd5bbb93e7b6f86d717b955987b97aa2f440d7792b0062ec

SHA512
aa8c5da2691cc84ff8c294104b4356cf71282be11116b2b4e605b2abe8bd8509aba61ce9570bd9e81461ea892ada0d72a288131c3404ea9cef9a14304a7076fd

Download Submit
C:\Windows\unlock.exe

Filesize
240KB

MD5
49710e363e4c247716508672f909d5ba

SHA1
74538e7a6515166fd6e83b9c72ee28e529e462e8

SHA256
cffd9238edb8484c2831508505e81a733f5074ba002f98e573dbdb7118c687ad

SHA512
e863b4bcb332a552d73a9dc2e41a4e86a4b528cd46991d3489c129ff46973778f65fac73051bd4a6d33e5c15b1154bc761bda376a767f48a3cc1d9391ada700f

Download Submit
memory/2784-14-0x0000000000400000-0x0000000002E2E000-memory.dmp

Filesize
42.2MB

Download
memory/2784-20-0x0000000000400000-0x0000000002E2E000-memory.dmp

Filesize
42.2MB

Download
memory/2852-21-0x0000000002700000-0x000000000512E000-memory.dmp

Filesize
42.2MB

Download
memory/2864-25-0x0000000000400000-0x0000000002E2E000-memory.dmp

Filesize
42.2MB

Download
memory/2864-29-0x0000000000400000-0x0000000002E2E000-memory.dmp

Filesize
42.2MB

Download
memory/2864-24-0x0000000000400000-0x0000000002E2E000-memory.dmp

Filesize
42.2MB

Download
memory/2864-22-0x0000000000400000-0x0000000002E2E000-memory.dmp

Filesize
42.2MB

Download
memory/2864-26-0x0000000000400000-0x0000000002E2E000-memory.dmp

Filesize
42.2MB

Download
memory/2864-27-0x0000000000400000-0x0000000002E2E000-memory.dmp

Filesize
42.2MB

Download
memory/2864-28-0x0000000000400000-0x0000000002E2E000-memory.dmp

Filesize
42.2MB

Download
memory/2864-23-0x0000000000400000-0x0000000002E2E000-memory.dmp

Filesize
42.2MB

Download
memory/2864-30-0x0000000000400000-0x0000000002E2E000-memory.dmp

Filesize
42.2MB

Download
memory/2864-31-0x0000000000400000-0x0000000002E2E000-memory.dmp

Filesize
42.2MB

Download
memory/2864-32-0x0000000000400000-0x0000000002E2E000-memory.dmp

Filesize
42.2MB

Download
memory/2864-33-0x0000000000400000-0x0000000002E2E000-memory.dmp

Filesize
42.2MB

Download
memory/2864-34-0x0000000000400000-0x0000000002E2E000-memory.dmp

Filesize
42.2MB

Download
memory/2864-35-0x0000000000400000-0x0000000002E2E000-memory.dmp

Filesize
42.2MB

Download