modiloader | be5339e0acf858a662ad99173b47614e3a7d5cf3253ea295a6a97a4394e9e537

Analysis

max time kernel
80s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-09-2024 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db3ba834690c13dbefdca84190f1d53e_JaffaCakes118.exe
Size

98KB
MD5

db3ba834690c13dbefdca84190f1d53e
SHA1

01cb4cef6d5c2657d012cacab11ab7034340b971
SHA256

be5339e0acf858a662ad99173b47614e3a7d5cf3253ea295a6a97a4394e9e537
SHA512

34b2a07754ee3c8ee97147769ba7275fe97c59a67e19eb1d0200e0f9458ad81f6a83e1c6dcf024cb0f3f0b5f1c9b79c51061c88cdbfc394bc5657afc712404af
SSDEEP

3072:v3muquR1vtYZw4BTrilKAtJwFK3kFGFyRsJDM:75R16ZwmTcKwJwFKUbsJ

Score

10^/10

modiloader discovery trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/2208-7-0x0000000000010000-0x0000000000036000-memory.dmp	modiloader_stage2
behavioral1/memory/2728-12-0x0000000000010000-0x0000000000036000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2728	apocalyps32.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2208-0-0x0000000000010000-0x0000000000036000-memory.dmp	upx
behavioral1/memory/2208-7-0x0000000000010000-0x0000000000036000-memory.dmp	upx
behavioral1/files/0x000f000000012262-6.dat	upx
behavioral1/memory/2728-12-0x0000000000010000-0x0000000000036000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\apocalyps32.exe	db3ba834690c13dbefdca84190f1d53e_JaffaCakes118.exe
File opened for modification	C:\Windows\apocalyps32.exe	db3ba834690c13dbefdca84190f1d53e_JaffaCakes118.exe
File created	C:\Windows\apocalyps32.exe	apocalyps32.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db3ba834690c13dbefdca84190f1d53e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apocalyps32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2728	2208	db3ba834690c13dbefdca84190f1d53e_JaffaCakes118.exe	30
PID 2208 wrote to memory of 2728	2208	db3ba834690c13dbefdca84190f1d53e_JaffaCakes118.exe	30
PID 2208 wrote to memory of 2728	2208	db3ba834690c13dbefdca84190f1d53e_JaffaCakes118.exe	30
PID 2208 wrote to memory of 2728	2208	db3ba834690c13dbefdca84190f1d53e_JaffaCakes118.exe	30
PID 2728 wrote to memory of 2808	2728	apocalyps32.exe	31
PID 2728 wrote to memory of 2808	2728	apocalyps32.exe	31
PID 2728 wrote to memory of 2808	2728	apocalyps32.exe	31
PID 2728 wrote to memory of 2808	2728	apocalyps32.exe	31

C:\Users\Admin\AppData\Local\Temp\db3ba834690c13dbefdca84190f1d53e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\db3ba834690c13dbefdca84190f1d53e_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\apocalyps32.exe
  -bs
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Program Files\Internet Explorer\iexplore.exe
    -bs
    3⤵
    PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\apocalyps32.exe

Filesize
98KB

MD5
db3ba834690c13dbefdca84190f1d53e

SHA1
01cb4cef6d5c2657d012cacab11ab7034340b971

SHA256
be5339e0acf858a662ad99173b47614e3a7d5cf3253ea295a6a97a4394e9e537

SHA512
34b2a07754ee3c8ee97147769ba7275fe97c59a67e19eb1d0200e0f9458ad81f6a83e1c6dcf024cb0f3f0b5f1c9b79c51061c88cdbfc394bc5657afc712404af

Download Submit
memory/2208-0-0x0000000000010000-0x0000000000036000-memory.dmp

Filesize
152KB

Download
memory/2208-7-0x0000000000010000-0x0000000000036000-memory.dmp

Filesize
152KB

Download
memory/2208-9-0x0000000000290000-0x00000000002B6000-memory.dmp

Filesize
152KB

Download
memory/2208-8-0x0000000000290000-0x00000000002B6000-memory.dmp

Filesize
152KB

Download
memory/2728-12-0x0000000000010000-0x0000000000036000-memory.dmp

Filesize
152KB

Download