modiloader | 890ef0a1b7d1562793af39dd63bee30e5205c1ad42779cb55e6ed66ef9e87101

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe
Size

663KB
MD5

da093f7b426f3ee3a4f95d43b15f5eb1
SHA1

4e4544f2af4f2001b9d1f394e11aa5852f138927
SHA256

890ef0a1b7d1562793af39dd63bee30e5205c1ad42779cb55e6ed66ef9e87101
SHA512

fdf2a52449b66ee69dfdfda8c3d36dbc08318f0c093423f17361c4a0b264d231eb2be28371024d17c8ce81f2e59d94cc65a4f78bb5c3a65dd573bb15e16762b0
SSDEEP

12288:rdbF0vRP+370p4pEU2bIgJcGmQqMeh76Z85nuDTLTkwcmZgwc:rdBwP+IoDcFJXZehvuD7bZgx

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 7 IoCs

resource	yara_rule
behavioral1/memory/2444-31-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2
behavioral1/memory/2444-30-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2
behavioral1/memory/1056-66-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2
behavioral1/memory/2348-72-0x0000000002830000-0x0000000002946000-memory.dmp	modiloader_stage2
behavioral1/memory/2444-68-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2
behavioral1/memory/1788-107-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2
behavioral1/memory/2844-108-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2

Executes dropped EXE 4 IoCs

pid	Process
2444	5.exe
1056	Recycled
2844	5.exe
1788	Recycled

Loads dropped DLL 10 IoCs

pid	Process
2348	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe
2348	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe
2444	5.exe
2444	5.exe
2444	5.exe
2348	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe
2348	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe
2844	5.exe
2844	5.exe
2844	5.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	5.exe
File opened (read-only)	\??\E:	5.exe
File opened (read-only)	\??\I:	5.exe
File opened (read-only)	\??\L:	5.exe
File opened (read-only)	\??\E:	5.exe
File opened (read-only)	\??\I:	5.exe
File opened (read-only)	\??\T:	5.exe
File opened (read-only)	\??\Z:	5.exe
File opened (read-only)	\??\Y:	5.exe
File opened (read-only)	\??\P:	5.exe
File opened (read-only)	\??\Q:	5.exe
File opened (read-only)	\??\S:	5.exe
File opened (read-only)	\??\X:	5.exe
File opened (read-only)	\??\W:	5.exe
File opened (read-only)	\??\N:	5.exe
File opened (read-only)	\??\Y:	5.exe
File opened (read-only)	\??\O:	5.exe
File opened (read-only)	\??\R:	5.exe
File opened (read-only)	\??\X:	5.exe
File opened (read-only)	\??\M:	5.exe
File opened (read-only)	\??\Z:	5.exe
File opened (read-only)	\??\B:	5.exe
File opened (read-only)	\??\O:	5.exe
File opened (read-only)	\??\P:	5.exe
File opened (read-only)	\??\W:	5.exe
File opened (read-only)	\??\G:	5.exe
File opened (read-only)	\??\K:	5.exe
File opened (read-only)	\??\T:	5.exe
File opened (read-only)	\??\A:	5.exe
File opened (read-only)	\??\Q:	5.exe
File opened (read-only)	\??\R:	5.exe
File opened (read-only)	\??\A:	5.exe
File opened (read-only)	\??\V:	5.exe
File opened (read-only)	\??\H:	5.exe
File opened (read-only)	\??\J:	5.exe
File opened (read-only)	\??\K:	5.exe
File opened (read-only)	\??\M:	5.exe
File opened (read-only)	\??\H:	5.exe
File opened (read-only)	\??\J:	5.exe
File opened (read-only)	\??\N:	5.exe
File opened (read-only)	\??\U:	5.exe
File opened (read-only)	\??\G:	5.exe
File opened (read-only)	\??\L:	5.exe
File opened (read-only)	\??\S:	5.exe
File opened (read-only)	\??\U:	5.exe
File opened (read-only)	\??\V:	5.exe

Drops autorun.inf file 1 TTPs 8 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	F:\AutoRun.inf	5.exe
File created	C:\AutoRun.inf	5.exe
File opened for modification	C:\AutoRun.inf	5.exe
File created	F:\AutoRun.inf	5.exe
File opened for modification	F:\AutoRun.inf	5.exe
File opened for modification	C:\AutoRun.inf	5.exe
File created	C:\AutoRun.inf	5.exe
File opened for modification	F:\AutoRun.inf	5.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1056 set thread context of 2952	1056	Recycled	33
PID 1056 set thread context of 2664	1056	Recycled	34
PID 1788 set thread context of 3040	1788	Recycled	39

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Recycled	5.exe
File opened for modification	C:\Program Files\Recycled	5.exe
File created	C:\Program Files\DelSvel.bat	5.exe
File opened for modification	C:\Program Files\Recycled	5.exe
File created	C:\Program Files\Recycled	5.exe
File opened for modification	C:\Program Files\DelSvel.bat	5.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\_Recycled	Recycled
File opened for modification	C:\Windows\_Recycled	Recycled
File opened for modification	C:\Windows\_Recycled	Recycled

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Recycled
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Recycled

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2444	2348	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe	31
PID 2348 wrote to memory of 2444	2348	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe	31
PID 2348 wrote to memory of 2444	2348	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe	31
PID 2348 wrote to memory of 2444	2348	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe	31
PID 2348 wrote to memory of 2444	2348	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe	31
PID 2348 wrote to memory of 2444	2348	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe	31
PID 2348 wrote to memory of 2444	2348	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe	31
PID 2444 wrote to memory of 1056	2444	5.exe	32
PID 2444 wrote to memory of 1056	2444	5.exe	32
PID 2444 wrote to memory of 1056	2444	5.exe	32
PID 2444 wrote to memory of 1056	2444	5.exe	32
PID 2444 wrote to memory of 1056	2444	5.exe	32
PID 2444 wrote to memory of 1056	2444	5.exe	32
PID 2444 wrote to memory of 1056	2444	5.exe	32
PID 1056 wrote to memory of 2952	1056	Recycled	33
PID 1056 wrote to memory of 2952	1056	Recycled	33
PID 1056 wrote to memory of 2952	1056	Recycled	33
PID 1056 wrote to memory of 2952	1056	Recycled	33
PID 1056 wrote to memory of 2952	1056	Recycled	33
PID 1056 wrote to memory of 2952	1056	Recycled	33
PID 1056 wrote to memory of 2952	1056	Recycled	33
PID 1056 wrote to memory of 2952	1056	Recycled	33
PID 1056 wrote to memory of 2952	1056	Recycled	33
PID 1056 wrote to memory of 2664	1056	Recycled	34
PID 1056 wrote to memory of 2664	1056	Recycled	34
PID 1056 wrote to memory of 2664	1056	Recycled	34
PID 1056 wrote to memory of 2664	1056	Recycled	34
PID 1056 wrote to memory of 2664	1056	Recycled	34
PID 1056 wrote to memory of 2664	1056	Recycled	34
PID 1056 wrote to memory of 2664	1056	Recycled	34
PID 1056 wrote to memory of 2664	1056	Recycled	34
PID 1056 wrote to memory of 2664	1056	Recycled	34
PID 2444 wrote to memory of 2776	2444	5.exe	35
PID 2444 wrote to memory of 2776	2444	5.exe	35
PID 2444 wrote to memory of 2776	2444	5.exe	35
PID 2444 wrote to memory of 2776	2444	5.exe	35
PID 2444 wrote to memory of 2776	2444	5.exe	35
PID 2444 wrote to memory of 2776	2444	5.exe	35
PID 2444 wrote to memory of 2776	2444	5.exe	35
PID 2348 wrote to memory of 2844	2348	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe	37
PID 2348 wrote to memory of 2844	2348	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe	37
PID 2348 wrote to memory of 2844	2348	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe	37
PID 2348 wrote to memory of 2844	2348	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe	37
PID 2348 wrote to memory of 2844	2348	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe	37
PID 2348 wrote to memory of 2844	2348	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe	37
PID 2348 wrote to memory of 2844	2348	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe	37
PID 2844 wrote to memory of 1788	2844	5.exe	38
PID 2844 wrote to memory of 1788	2844	5.exe	38
PID 2844 wrote to memory of 1788	2844	5.exe	38
PID 2844 wrote to memory of 1788	2844	5.exe	38
PID 2844 wrote to memory of 1788	2844	5.exe	38
PID 2844 wrote to memory of 1788	2844	5.exe	38
PID 2844 wrote to memory of 1788	2844	5.exe	38
PID 1788 wrote to memory of 3040	1788	Recycled	39
PID 1788 wrote to memory of 3040	1788	Recycled	39
PID 1788 wrote to memory of 3040	1788	Recycled	39
PID 1788 wrote to memory of 3040	1788	Recycled	39
PID 1788 wrote to memory of 3040	1788	Recycled	39
PID 1788 wrote to memory of 3040	1788	Recycled	39
PID 1788 wrote to memory of 3040	1788	Recycled	39
PID 1788 wrote to memory of 3040	1788	Recycled	39
PID 1788 wrote to memory of 3040	1788	Recycled	39
PID 2844 wrote to memory of 788	2844	5.exe	40
PID 2844 wrote to memory of 788	2844	5.exe	40

C:\Users\Admin\AppData\Local\Temp\da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Program Files\Recycled
    "C:\Program Files\Recycled"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\system32\explorer.exe"
      4⤵
      PID:2952
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files\DelSvel.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2776
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Program Files\Recycled
    "C:\Program Files\Recycled"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files\DelSvel.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AutoRun.inf

Filesize
78B

MD5
a773ae4de2e171236dcd29f504fa746d

SHA1
05e4288eb10193df2a86f9100723b29e9944a4dc

SHA256
37ef5391c5f24a796532d41171f2249e2a5c5acdabebfac95d8d945c6aa797d6

SHA512
29e8044fae927d964070ef3697d8e24273b0a7e6d686d9db0c27a23811e04b2662db295a1a44986715b8031711c95c752aeed3929c041dd6b440389c0a6b2253

Download Submit
C:\Program Files\DelSvel.bat

Filesize
144B

MD5
86b1fe237588d9300ddd03d4e320de34

SHA1
b8256e30625dbfdf274367c6208efb268eea1b65

SHA256
e41764798385408b82e96c9f789da08bf8f20e8961a35b7b282efd0b610d89fa

SHA512
3d9f6911a3104acd1548a17ae453edd86368160becd17d1a371be3b727e9f47cfc723b9db5942c8d8d3d91a1873fa65f772044806af17ce7b38bcc0967ba8389

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe

Filesize
630KB

MD5
250ca358ef55e5a02c2897de3dcfe7fe

SHA1
fca828dfe1162810e0d1c597c0ad6803d520cdc3

SHA256
bb1effb996d3399a598e4904280d08f2f616e417454a3e6ddb5d8078414fa72a

SHA512
e88157568647836d5bba64517eb1f7ee6fd56b63429fea8ba31a0863a1478a756dee0b4ece7e299e992b21fe80769e71ed34d23a0c897885dd4065c13c523af5

Download Submit
memory/1056-44-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1056-66-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1056-46-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1788-107-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2348-71-0x0000000002830000-0x0000000002946000-memory.dmp

Filesize
1.1MB

Download
memory/2348-3-0x0000000001000000-0x0000000001155000-memory.dmp

Filesize
1.3MB

Download
memory/2348-109-0x0000000000800000-0x0000000000955000-memory.dmp

Filesize
1.3MB

Download
memory/2348-110-0x0000000001000000-0x0000000001155000-memory.dmp

Filesize
1.3MB

Download
memory/2348-2-0x00000000010AE000-0x00000000010AF000-memory.dmp

Filesize
4KB

Download
memory/2348-1-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2348-43-0x0000000002830000-0x0000000002946000-memory.dmp

Filesize
1.1MB

Download
memory/2348-42-0x00000000010AE000-0x00000000010AF000-memory.dmp

Filesize
4KB

Download
memory/2348-0-0x0000000001000000-0x0000000001155000-memory.dmp

Filesize
1.3MB

Download
memory/2348-39-0x0000000000800000-0x0000000000955000-memory.dmp

Filesize
1.3MB

Download
memory/2348-38-0x0000000001000000-0x0000000001155000-memory.dmp

Filesize
1.3MB

Download
memory/2348-12-0x0000000002830000-0x0000000002946000-memory.dmp

Filesize
1.1MB

Download
memory/2348-72-0x0000000002830000-0x0000000002946000-memory.dmp

Filesize
1.1MB

Download
memory/2348-13-0x0000000002830000-0x0000000002946000-memory.dmp

Filesize
1.1MB

Download
memory/2444-30-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2444-40-0x0000000004690000-0x00000000047A6000-memory.dmp

Filesize
1.1MB

Download
memory/2444-68-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2444-18-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2444-19-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2444-31-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2444-17-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2664-54-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2844-75-0x0000000000A20000-0x0000000000B36000-memory.dmp

Filesize
1.1MB

Download
memory/2844-108-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2952-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2952-52-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3040-94-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads