modiloader | 0c042b25713870d325ab33bd4ce162c75b3ad4be54523be71a92db7da3c5faab

Analysis

max time kernel
118s
max time network
130s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10/09/2024, 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8297706845e0cc0fdec94c4790400ac_JaffaCakes118.exe
Size

769KB
MD5

d8297706845e0cc0fdec94c4790400ac
SHA1

8356b6a73bbf1424caa57d69c84adc86181dea48
SHA256

0c042b25713870d325ab33bd4ce162c75b3ad4be54523be71a92db7da3c5faab
SHA512

c7490331d2fef299a4c4be677bdd538499881120b46e2af360867391eea63ce3ad3dba314e8880615098d6633237755466ed2ac53488287ce205267f1a721c7b
SSDEEP

12288:tUllhB4VoTyQepBI7/F74rF28JPwgib/+S+OQuHYNATFy+mKS:C3ciTyQsy9sc8JPwTjLQu4NATLS

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/2164-2-0x0000000000210000-0x00000000002DA000-memory.dmp	modiloader_stage2
behavioral1/memory/2364-3-0x0000000000400000-0x00000000004CA000-memory.dmp	modiloader_stage2

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2364 set thread context of 2164	2364	d8297706845e0cc0fdec94c4790400ac_JaffaCakes118.exe	30

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt	d8297706845e0cc0fdec94c4790400ac_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8297706845e0cc0fdec94c4790400ac_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432130227"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{50138B11-6F69-11EF-9D33-D6FE44FD4752} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2164	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2164	IEXPLORE.EXE
2164	IEXPLORE.EXE
2792	IEXPLORE.EXE
2792	IEXPLORE.EXE
2792	IEXPLORE.EXE
2792	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2164	2364	d8297706845e0cc0fdec94c4790400ac_JaffaCakes118.exe	30
PID 2364 wrote to memory of 2164	2364	d8297706845e0cc0fdec94c4790400ac_JaffaCakes118.exe	30
PID 2364 wrote to memory of 2164	2364	d8297706845e0cc0fdec94c4790400ac_JaffaCakes118.exe	30
PID 2364 wrote to memory of 2164	2364	d8297706845e0cc0fdec94c4790400ac_JaffaCakes118.exe	30
PID 2364 wrote to memory of 2164	2364	d8297706845e0cc0fdec94c4790400ac_JaffaCakes118.exe	30
PID 2164 wrote to memory of 2792	2164	IEXPLORE.EXE	31
PID 2164 wrote to memory of 2792	2164	IEXPLORE.EXE	31
PID 2164 wrote to memory of 2792	2164	IEXPLORE.EXE	31
PID 2164 wrote to memory of 2792	2164	IEXPLORE.EXE	31

C:\Users\Admin\AppData\Local\Temp\d8297706845e0cc0fdec94c4790400ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d8297706845e0cc0fdec94c4790400ac_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\program files\internet explorer\IEXPLORE.EXE
  "C:\program files\internet explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2164 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55537a3c2e3b742808282140e9694919

SHA1
f004ca044f412f56a7c51280da37597013de6fc5

SHA256
fb55fa40e3f545513a947bbb2c6d3b018f7c7df833e7452f3e1854ec2126ba88

SHA512
1548357b4d6dfd4619a6341e198061041947ea9eb0dc5e6bb2d7edfcee4bf9c458efb4b527445b27a21c19e4c4b1a069fb4bec8518a9017ff92e8d5cd972127a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b2775ba515ef237b8b744172f40650b

SHA1
b1988f1cda24aa3a98719331fbbe2b6568853a1f

SHA256
386b21b1eb70d9503e074b75455752f4d5d53cb7dbcb82219fd341dd75b2267a

SHA512
b9971fdb2a86f9bcb3e8ee2aef02a076cc0da9654f9e5863a6e6245f7d27721a7938c5627f36db91c3d9cd0155d3b31189a3578dfe8665253b71ae0f6e1c2809

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a59a70e7c87c09d018c20f21d675028

SHA1
1990a229ec4339a36796d0adfd48accec7e878d9

SHA256
078812a90f84b65b6594f49f82845226756caed1871685ab505c9c9f381be344

SHA512
d6cb7222c9fb38c4928800240992ef5b9f2fc122a1bfdcbd28f59bf1b149579885f3e4ae3f1fac27fddd6d54f5d318322cdc1552968227b42bf059cb37ee290a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b62d8d2c805fb3ae1169df9d591ada9

SHA1
e20e59affbc6d8762fedac118fc57fc592ee0151

SHA256
3d99921aa721bee7c9f9b1869ca09d858ab92e91e0223cdca4299e26ed7cd705

SHA512
05507da87090b9489607887ff2037e13758bc45ac7062c1e5332c6b43f03ece4fd3e51d11528507109d48a6bcedc5d0da21bab16aab7da9fe24cd94e54fa82d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a66d8ae923710f4ae4f0c78306362285

SHA1
e94a706d1e7b7b8a3cf923709d180a70f56c6694

SHA256
8dd0384c551c591154d4f51b057eeef92961a81e58ffcae306ec2aaf125539b2

SHA512
3ed5acd4f6a2360ecca359432718d112acf9bba72f0b5e21c6a300a11bb050ead7cd1586af446dc4345c96ea7c9201c14b46a4229009a061c86e48cd6fff35a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7f396e71cfbe3e61d61018fbf7d8cc9

SHA1
dd5277a19d690ca4f84fa7b5df36755e5fcee716

SHA256
d9e1c63f3bd3714d14fc010446dbcb5d0ffa7fd49ed69cf5da91198a7bad877b

SHA512
22a93eeea8852a37313fb130f393a5e3d0deeaba00761ef0bc3b7c65880cd8f0ce87d5961abe2a4e3762291d22e7d3ddd5cc33560068748ea88120b8b527cee0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71d8006e71b56d73822645bd782d3752

SHA1
761a339b5dd644c1c19158271f742eb95be83c3a

SHA256
9e8ac8017b15350b19f036d84f318c024bc878c69f38bcc97c2b9993e7ae631f

SHA512
f7fb669c32035d3abff930e490d9b76b4b041e21cc47d7b286ce0058658a95f0fcd45b122f81d5653349c2c8aefe367ffe5e25ffdd08608af6ed3aec04348b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4b0537dd0478bb66cff107fdf7ad51f

SHA1
6fa54486c6c6ade980bbc6143f9e830af57274d0

SHA256
e424b133bef2ab6251a7936191a2f363ab9e04fe56a805bcb1c5ba067c83c740

SHA512
e29819f6e5d77fddcfe58432bb935e62e94178312785ecd6caa3f7ddeb3d0c1ed7fd71945115910596cae4d764aca5bda9918aed1978ae52c0606ffc17b3101d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb321d460bf05b9e3f1204b106d6ef7e

SHA1
3c579163493d0fe11b3c72785a4df104455acc0f

SHA256
066b09ca04e04e387d95704305c3dd64cfb7527d0bf83b28d2929005b9ee31d5

SHA512
892d3b9e3345ee5dc7f680f150baa45ec3374ed05d4b6e8983e92752981ac7b46577c6e31a300c21e7698116c34d4201f933b653b22e22d612c276e7ea237451

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7D8C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7D9F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2164-2-0x0000000000210000-0x00000000002DA000-memory.dmp

Filesize
808KB

Download
memory/2364-3-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2364-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download