modiloader | 890ef0a1b7d1562793af39dd63bee30e5205c1ad42779cb55e6ed66ef9e87101

Analysis

max time kernel
94s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe
Size

663KB
MD5

da093f7b426f3ee3a4f95d43b15f5eb1
SHA1

4e4544f2af4f2001b9d1f394e11aa5852f138927
SHA256

890ef0a1b7d1562793af39dd63bee30e5205c1ad42779cb55e6ed66ef9e87101
SHA512

fdf2a52449b66ee69dfdfda8c3d36dbc08318f0c093423f17361c4a0b264d231eb2be28371024d17c8ce81f2e59d94cc65a4f78bb5c3a65dd573bb15e16762b0
SSDEEP

12288:rdbF0vRP+370p4pEU2bIgJcGmQqMeh76Z85nuDTLTkwcmZgwc:rdBwP+IoDcFJXZehvuD7bZgx

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral2/memory/2120-38-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-40-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2
behavioral2/memory/4724-64-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2
behavioral2/memory/1788-67-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2

Executes dropped EXE 4 IoCs

pid	Process
4516	5.exe
2120	Recycled
4724	5.exe
1788	Recycled

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	5.exe
File opened (read-only)	\??\K:	5.exe
File opened (read-only)	\??\Q:	5.exe
File opened (read-only)	\??\Q:	5.exe
File opened (read-only)	\??\H:	5.exe
File opened (read-only)	\??\M:	5.exe
File opened (read-only)	\??\O:	5.exe
File opened (read-only)	\??\A:	5.exe
File opened (read-only)	\??\J:	5.exe
File opened (read-only)	\??\R:	5.exe
File opened (read-only)	\??\T:	5.exe
File opened (read-only)	\??\X:	5.exe
File opened (read-only)	\??\Y:	5.exe
File opened (read-only)	\??\E:	5.exe
File opened (read-only)	\??\J:	5.exe
File opened (read-only)	\??\G:	5.exe
File opened (read-only)	\??\H:	5.exe
File opened (read-only)	\??\L:	5.exe
File opened (read-only)	\??\U:	5.exe
File opened (read-only)	\??\N:	5.exe
File opened (read-only)	\??\G:	5.exe
File opened (read-only)	\??\T:	5.exe
File opened (read-only)	\??\Y:	5.exe
File opened (read-only)	\??\Z:	5.exe
File opened (read-only)	\??\M:	5.exe
File opened (read-only)	\??\V:	5.exe
File opened (read-only)	\??\A:	5.exe
File opened (read-only)	\??\W:	5.exe
File opened (read-only)	\??\I:	5.exe
File opened (read-only)	\??\P:	5.exe
File opened (read-only)	\??\S:	5.exe
File opened (read-only)	\??\B:	5.exe
File opened (read-only)	\??\O:	5.exe
File opened (read-only)	\??\S:	5.exe
File opened (read-only)	\??\L:	5.exe
File opened (read-only)	\??\R:	5.exe
File opened (read-only)	\??\W:	5.exe
File opened (read-only)	\??\E:	5.exe
File opened (read-only)	\??\Z:	5.exe
File opened (read-only)	\??\B:	5.exe
File opened (read-only)	\??\K:	5.exe
File opened (read-only)	\??\U:	5.exe
File opened (read-only)	\??\V:	5.exe
File opened (read-only)	\??\I:	5.exe
File opened (read-only)	\??\N:	5.exe
File opened (read-only)	\??\P:	5.exe

Drops autorun.inf file 1 TTPs 8 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AutoRun.inf	5.exe
File opened for modification	C:\AutoRun.inf	5.exe
File created	C:\AutoRun.inf	5.exe
File opened for modification	F:\AutoRun.inf	5.exe
File created	F:\AutoRun.inf	5.exe
File created	C:\AutoRun.inf	5.exe
File opened for modification	C:\AutoRun.inf	5.exe
File created	F:\AutoRun.inf	5.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2120 set thread context of 244	2120	Recycled	88
PID 2120 set thread context of 1988	2120	Recycled	90

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\DelSvel.bat	5.exe
File opened for modification	C:\Program Files\Recycled	5.exe
File created	C:\Program Files\Recycled	5.exe
File opened for modification	C:\Program Files\DelSvel.bat	5.exe
File created	C:\Program Files\Recycled	5.exe
File opened for modification	C:\Program Files\Recycled	5.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\_Recycled	Recycled
File created	C:\Windows\_Recycled	Recycled
File created	C:\Windows\_Recycled	Recycled
File opened for modification	C:\Windows\_Recycled	Recycled

Program crash 3 IoCs

pid	pid_target	Process	procid_target
316	1988	WerFault.exe	90
2096	244	WerFault.exe	88
4436	1788	WerFault.exe	98

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Recycled
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Recycled
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
244	explorer.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 4516	4588	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe	84
PID 4588 wrote to memory of 4516	4588	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe	84
PID 4588 wrote to memory of 4516	4588	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe	84
PID 4516 wrote to memory of 2120	4516	5.exe	87
PID 4516 wrote to memory of 2120	4516	5.exe	87
PID 4516 wrote to memory of 2120	4516	5.exe	87
PID 2120 wrote to memory of 244	2120	Recycled	88
PID 2120 wrote to memory of 244	2120	Recycled	88
PID 2120 wrote to memory of 244	2120	Recycled	88
PID 2120 wrote to memory of 244	2120	Recycled	88
PID 2120 wrote to memory of 244	2120	Recycled	88
PID 2120 wrote to memory of 1988	2120	Recycled	90
PID 2120 wrote to memory of 1988	2120	Recycled	90
PID 2120 wrote to memory of 1988	2120	Recycled	90
PID 2120 wrote to memory of 1988	2120	Recycled	90
PID 2120 wrote to memory of 1988	2120	Recycled	90
PID 4516 wrote to memory of 2368	4516	5.exe	91
PID 4516 wrote to memory of 2368	4516	5.exe	91
PID 4516 wrote to memory of 2368	4516	5.exe	91
PID 4588 wrote to memory of 4724	4588	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe	97
PID 4588 wrote to memory of 4724	4588	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe	97
PID 4588 wrote to memory of 4724	4588	da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe	97
PID 4724 wrote to memory of 1788	4724	5.exe	98
PID 4724 wrote to memory of 1788	4724	5.exe	98
PID 4724 wrote to memory of 1788	4724	5.exe	98
PID 1788 wrote to memory of 1792	1788	Recycled	99
PID 1788 wrote to memory of 1792	1788	Recycled	99
PID 1788 wrote to memory of 1792	1788	Recycled	99
PID 4724 wrote to memory of 4160	4724	5.exe	102
PID 4724 wrote to memory of 4160	4724	5.exe	102
PID 4724 wrote to memory of 4160	4724	5.exe	102

C:\Users\Admin\AppData\Local\Temp\da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da093f7b426f3ee3a4f95d43b15f5eb1_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Program Files\Recycled
    "C:\Program Files\Recycled"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\system32\explorer.exe"
      4⤵
      Suspicious use of UnmapMainImage
      PID:244
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 244 -s 12
        5⤵
        Program crash
        
        PID:2096
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      PID:1988
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 12
        5⤵
        Program crash
        
        PID:316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files\DelSvel.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2368
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Program Files\Recycled
    "C:\Program Files\Recycled"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\system32\explorer.exe"
      4⤵
      PID:1792
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 788
      4⤵
      Program crash
      PID:4436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files\DelSvel.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 244 -ip 244
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1988 -ip 1988
1⤵
PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1788 -ip 1788
1⤵
PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DelSvel.bat

Filesize
144B

MD5
86b1fe237588d9300ddd03d4e320de34

SHA1
b8256e30625dbfdf274367c6208efb268eea1b65

SHA256
e41764798385408b82e96c9f789da08bf8f20e8961a35b7b282efd0b610d89fa

SHA512
3d9f6911a3104acd1548a17ae453edd86368160becd17d1a371be3b727e9f47cfc723b9db5942c8d8d3d91a1873fa65f772044806af17ce7b38bcc0967ba8389

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe

Filesize
630KB

MD5
250ca358ef55e5a02c2897de3dcfe7fe

SHA1
fca828dfe1162810e0d1c597c0ad6803d520cdc3

SHA256
bb1effb996d3399a598e4904280d08f2f616e417454a3e6ddb5d8078414fa72a

SHA512
e88157568647836d5bba64517eb1f7ee6fd56b63429fea8ba31a0863a1478a756dee0b4ece7e299e992b21fe80769e71ed34d23a0c897885dd4065c13c523af5

Download Submit
F:\AutoRun.inf

Filesize
78B

MD5
a773ae4de2e171236dcd29f504fa746d

SHA1
05e4288eb10193df2a86f9100723b29e9944a4dc

SHA256
37ef5391c5f24a796532d41171f2249e2a5c5acdabebfac95d8d945c6aa797d6

SHA512
29e8044fae927d964070ef3697d8e24273b0a7e6d686d9db0c27a23811e04b2662db295a1a44986715b8031711c95c752aeed3929c041dd6b440389c0a6b2253

Download Submit
memory/244-33-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1788-67-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2120-28-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2120-39-0x00000000020B0000-0x0000000002104000-memory.dmp

Filesize
336KB

Download
memory/2120-38-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2120-30-0x00000000020B0000-0x0000000002104000-memory.dmp

Filesize
336KB

Download
memory/4516-10-0x00000000023B0000-0x0000000002404000-memory.dmp

Filesize
336KB

Download
memory/4516-9-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4516-41-0x00000000023B0000-0x0000000002404000-memory.dmp

Filesize
336KB

Download
memory/4516-13-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4516-11-0x00000000034F0000-0x00000000034F3000-memory.dmp

Filesize
12KB

Download
memory/4516-12-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/4516-40-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4516-14-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/4588-0-0x0000000001000000-0x0000000001155000-memory.dmp

Filesize
1.3MB

Download
memory/4588-25-0x0000000001000000-0x0000000001155000-memory.dmp

Filesize
1.3MB

Download
memory/4588-43-0x00000000010AE000-0x00000000010AF000-memory.dmp

Filesize
4KB

Download
memory/4588-3-0x0000000001000000-0x0000000001155000-memory.dmp

Filesize
1.3MB

Download
memory/4588-1-0x00000000010AE000-0x00000000010AF000-memory.dmp

Filesize
4KB

Download
memory/4588-65-0x0000000001000000-0x0000000001155000-memory.dmp

Filesize
1.3MB

Download
memory/4588-2-0x0000000001000000-0x0000000001155000-memory.dmp

Filesize
1.3MB

Download
memory/4724-64-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads