modiloader | ac9b6b228428662663951eb88b013103819cc4e5503a09f55b6ed08fe3a096a6

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d96f0a5bc9622f2c0d85dfe21db9b53d_JaffaCakes118.exe
Size

19KB
MD5

d96f0a5bc9622f2c0d85dfe21db9b53d
SHA1

91a91d6587ac4b4a1ec00d2a47ba6982157b06c6
SHA256

ac9b6b228428662663951eb88b013103819cc4e5503a09f55b6ed08fe3a096a6
SHA512

a6aa099f81d1627048e10b53b88342b16fd1250329918fc9dc2643d3474a2de3c8005e14af781b0299b0240bf7c3bcc0b138fc24afa712b31140b0069c79ab95
SSDEEP

384:WWZ6uharjxMQrZQKJ0E98SORnT9MhWH0RaO6rDWAIGrJAOEBBK6nZy0sFFH:NZrW9F1LmE9UT9MhWURavIIJAp+6Q/H

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/828-15-0x0000000000400000-0x000000000041A000-memory.dmp	modiloader_stage2
behavioral1/memory/2376-16-0x0000000000400000-0x000000000041A000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
828	WinRaR.exe

Loads dropped DLL 2 IoCs

pid	Process
2376	d96f0a5bc9622f2c0d85dfe21db9b53d_JaffaCakes118.exe
2376	d96f0a5bc9622f2c0d85dfe21db9b53d_JaffaCakes118.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\WinRaR\WinRaR.exe	d96f0a5bc9622f2c0d85dfe21db9b53d_JaffaCakes118.exe
File opened for modification	C:\Windows\WinRaR\WinRaR.exe	d96f0a5bc9622f2c0d85dfe21db9b53d_JaffaCakes118.exe
File created	C:\Windows\WinRaR\WinRaR.dll	d96f0a5bc9622f2c0d85dfe21db9b53d_JaffaCakes118.exe
File opened for modification	C:\Windows\WinRaR\	WinRaR.exe
File created	C:\Windows\WinRaR\WinRaR.exe	WinRaR.exe
File created	C:\Windows\WinRaR\WinRaR.dll	WinRaR.exe
File opened for modification	C:\Windows\WinRaR\	d96f0a5bc9622f2c0d85dfe21db9b53d_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d96f0a5bc9622f2c0d85dfe21db9b53d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinRaR.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	2376	d96f0a5bc9622f2c0d85dfe21db9b53d_JaffaCakes118.exe
Token: SeRestorePrivilege	2376	d96f0a5bc9622f2c0d85dfe21db9b53d_JaffaCakes118.exe
Token: SeBackupPrivilege	2376	d96f0a5bc9622f2c0d85dfe21db9b53d_JaffaCakes118.exe
Token: SeRestorePrivilege	2376	d96f0a5bc9622f2c0d85dfe21db9b53d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 828	2376	d96f0a5bc9622f2c0d85dfe21db9b53d_JaffaCakes118.exe	30
PID 2376 wrote to memory of 828	2376	d96f0a5bc9622f2c0d85dfe21db9b53d_JaffaCakes118.exe	30
PID 2376 wrote to memory of 828	2376	d96f0a5bc9622f2c0d85dfe21db9b53d_JaffaCakes118.exe	30
PID 2376 wrote to memory of 828	2376	d96f0a5bc9622f2c0d85dfe21db9b53d_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\d96f0a5bc9622f2c0d85dfe21db9b53d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d96f0a5bc9622f2c0d85dfe21db9b53d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\WinRaR\WinRaR.exe
  C:\Windows\WinRaR\WinRaR.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\WinRaR\WinRaR.dll

Filesize
25KB

MD5
b9d0b6a3cbd670305fe6f1aad7e30bdb

SHA1
a3fbac17160bf5709023fb9355dd69554e770d0b

SHA256
6f7c73330c0f366c225c94a5883abf324a186bcf7c7ee94c2fd5d9dbdc71cdfb

SHA512
8ef2719ac53d8d1d35369583b7cc74ffc2a78771c15e6c686ca19c39571793a3ebe37f120c93a130003aba20178713f6f1d1be29c646ef0a66c9852af31447c7

Download Submit
\Windows\WinRaR\WinRaR.exe

Filesize
19KB

MD5
d96f0a5bc9622f2c0d85dfe21db9b53d

SHA1
91a91d6587ac4b4a1ec00d2a47ba6982157b06c6

SHA256
ac9b6b228428662663951eb88b013103819cc4e5503a09f55b6ed08fe3a096a6

SHA512
a6aa099f81d1627048e10b53b88342b16fd1250329918fc9dc2643d3474a2de3c8005e14af781b0299b0240bf7c3bcc0b138fc24afa712b31140b0069c79ab95

Download Submit
memory/828-15-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2376-16-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download