modiloader | fa069b96011c6bcad03b421e86a71acd6f9b53aa4295913844496595b8746f06

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/09/2024, 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8b2b31d90878886e6232e3ac7467463_JaffaCakes118.exe
Size

225KB
MD5

d8b2b31d90878886e6232e3ac7467463
SHA1

7e022e207919095a4c69ac3c9dad24d545d27324
SHA256

fa069b96011c6bcad03b421e86a71acd6f9b53aa4295913844496595b8746f06
SHA512

2509ccc42409eace6aa53f3106a2c4601f1cc2ced40c00884b4ea7ba059d87c03088e148934bc90d5d9127180a75c68e41a4c054575150bc46860e9bb3ba21d3
SSDEEP

3072:z8w8p1HxX43fAMVz0kUnIbOkKjIIKCpnhbNwIQZ3/nuGK/aUjxLOASEKB/X98Lie:sH583YIblK0EphBwIM8iU9LTSpa9Q+

Score

10^/10

modiloader collection discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 8 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012257-4.dat	modiloader_stage2
behavioral1/memory/2716-14-0x0000000010000000-0x000000001001B000-memory.dmp	modiloader_stage2
behavioral1/files/0x000c000000012257-23.dat	modiloader_stage2
behavioral1/memory/2444-32-0x0000000010000000-0x0000000010011000-memory.dmp	modiloader_stage2
behavioral1/files/0x000d000000012257-41.dat	modiloader_stage2
behavioral1/memory/2100-49-0x0000000010000000-0x0000000010017000-memory.dmp	modiloader_stage2
behavioral1/memory/2760-53-0x0000000000400000-0x000000000043E000-memory.dmp	modiloader_stage2
behavioral1/memory/2760-56-0x0000000000400000-0x000000000043E000-memory.dmp	modiloader_stage2

Executes dropped EXE 6 IoCs

pid	Process
2716	fin32.exe
2824	fin32.exe
2444	ykl32.exe
2608	ykl32.exe
2100	amr32.exe
2468	amr32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	fin32.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2716 set thread context of 2824	2716	fin32.exe	31
PID 2444 set thread context of 2608	2444	ykl32.exe	33
PID 2100 set thread context of 2468	2100	amr32.exe	35

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\hrk.klo	amr32.exe
File created	C:\Windows\fin32.exe	d8b2b31d90878886e6232e3ac7467463_JaffaCakes118.exe
File created	C:\Windows\hms.atr	fin32.exe
File created	C:\Windows\ykl32.exe	d8b2b31d90878886e6232e3ac7467463_JaffaCakes118.exe
File created	C:\Windows\gls.fdn	ykl32.exe
File created	C:\Windows\amr32.exe	d8b2b31d90878886e6232e3ac7467463_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ykl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8b2b31d90878886e6232e3ac7467463_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	amr32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2716	2760	d8b2b31d90878886e6232e3ac7467463_JaffaCakes118.exe	30
PID 2760 wrote to memory of 2716	2760	d8b2b31d90878886e6232e3ac7467463_JaffaCakes118.exe	30
PID 2760 wrote to memory of 2716	2760	d8b2b31d90878886e6232e3ac7467463_JaffaCakes118.exe	30
PID 2760 wrote to memory of 2716	2760	d8b2b31d90878886e6232e3ac7467463_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2824	2716	fin32.exe	31
PID 2716 wrote to memory of 2824	2716	fin32.exe	31
PID 2716 wrote to memory of 2824	2716	fin32.exe	31
PID 2716 wrote to memory of 2824	2716	fin32.exe	31
PID 2716 wrote to memory of 2824	2716	fin32.exe	31
PID 2716 wrote to memory of 2824	2716	fin32.exe	31
PID 2760 wrote to memory of 2444	2760	d8b2b31d90878886e6232e3ac7467463_JaffaCakes118.exe	32
PID 2760 wrote to memory of 2444	2760	d8b2b31d90878886e6232e3ac7467463_JaffaCakes118.exe	32
PID 2760 wrote to memory of 2444	2760	d8b2b31d90878886e6232e3ac7467463_JaffaCakes118.exe	32
PID 2760 wrote to memory of 2444	2760	d8b2b31d90878886e6232e3ac7467463_JaffaCakes118.exe	32
PID 2444 wrote to memory of 2608	2444	ykl32.exe	33
PID 2444 wrote to memory of 2608	2444	ykl32.exe	33
PID 2444 wrote to memory of 2608	2444	ykl32.exe	33
PID 2444 wrote to memory of 2608	2444	ykl32.exe	33
PID 2444 wrote to memory of 2608	2444	ykl32.exe	33
PID 2444 wrote to memory of 2608	2444	ykl32.exe	33
PID 2760 wrote to memory of 2100	2760	d8b2b31d90878886e6232e3ac7467463_JaffaCakes118.exe	34
PID 2760 wrote to memory of 2100	2760	d8b2b31d90878886e6232e3ac7467463_JaffaCakes118.exe	34
PID 2760 wrote to memory of 2100	2760	d8b2b31d90878886e6232e3ac7467463_JaffaCakes118.exe	34
PID 2760 wrote to memory of 2100	2760	d8b2b31d90878886e6232e3ac7467463_JaffaCakes118.exe	34
PID 2100 wrote to memory of 2468	2100	amr32.exe	35
PID 2100 wrote to memory of 2468	2100	amr32.exe	35
PID 2100 wrote to memory of 2468	2100	amr32.exe	35
PID 2100 wrote to memory of 2468	2100	amr32.exe	35
PID 2100 wrote to memory of 2468	2100	amr32.exe	35
PID 2100 wrote to memory of 2468	2100	amr32.exe	35

C:\Users\Admin\AppData\Local\Temp\d8b2b31d90878886e6232e3ac7467463_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d8b2b31d90878886e6232e3ac7467463_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\fin32.exe
  "C:\Windows\fin32.exe" /stext hms.atr
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\fin32.exe
    C:\Windows\fin32.exe /stext hms.atr
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2824
- C:\Windows\ykl32.exe
  "C:\Windows\ykl32.exe" /stext gls.fdn
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\ykl32.exe
    C:\Windows\ykl32.exe /stext gls.fdn
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2608
- C:\Windows\amr32.exe
  "C:\Windows\amr32.exe" /stext hrk.klo
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\amr32.exe
    C:\Windows\amr32.exe /stext hrk.klo
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\amr32.exe

Filesize
60KB

MD5
09793a96834bba80e5307d50066fb636

SHA1
35b9797316296164dd2618cef0a7ee6edd23c6bd

SHA256
3a5e64ed092b820f481142075cbd80bd5ba96d8a278e2f16a6bf92d24e367326

SHA512
545549ac7118ca0d3f380195cc7d89a97462c29681e4aae3f6fcf983b2a7ee73eb407dbcfd9172002b4867a58106a0a64782ed9e10209547c919d846ccfec84e

Download Submit
C:\Windows\fin32.exe

Filesize
79KB

MD5
efe70bd51a7fed491682e85c90e30b30

SHA1
66115bb1a4d66d837c297a38d9044e224afaa299

SHA256
4e01f5dbf42ecb032eb504d2794a885737277ef1923e16efcf4b53d2341b1e9d

SHA512
bd2de445d5c05c2e27b78637f6984de00783699719b0828b61a87d7c23e5bc80f6973cddd8044f5670361dbf3a7a58a1955692da62159ae5887cd4d6256d19e9

Download Submit
C:\Windows\hrk.klo

Filesize
311B

MD5
4308c609174a7a255fbf8c40ffce5ed5

SHA1
49f70784686518039362f8c7227b87f55ffd7433

SHA256
b1d0b9e60cb1fe68f5e24bf60129a30ed34f737da9c538c0b93d5a86437a4950

SHA512
2ec7ad811384ef9f2da1a65c8bbff9b841866ea9dfd17f93ae7d8c4e7346840fcb44e5d22c682fcd1577767ad37b4f1751d5b2e82b7db6a3b35648b4b6737bb3

Download Submit
C:\Windows\ykl32.exe

Filesize
40KB

MD5
96271ba60755e81edb0e6f8de6d0053d

SHA1
5edaf9d88f3baf906d289cb79d71ad2d59baa3ce

SHA256
9780234cec2bfc02250aeaf9067085659ff5bd406219b315884eec92c3a5ab55

SHA512
7ba966e9d2b5cb7846f35d1f4c40b323d4c89afd756e657bee0a20c05305818a5e79a64feee7b4c1e14dfee14821548b0837f5ef8fb85ba8c7649e442e5948f1

Download Submit
memory/2100-49-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/2444-32-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2468-51-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2468-48-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2468-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2608-27-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2608-36-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2608-30-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2608-35-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2608-34-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2716-14-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2760-53-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2760-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2824-16-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2824-18-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2824-17-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2824-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2824-12-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2824-8-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download