modiloader | 5583f5b72d10c941517c7030021cf37af8eebd66c1a78d138b5278691ad0c0aa

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe
Size

3.1MB
MD5

dbfda6049a06bec0ef71dd7b30c86195
SHA1

adfeff67dff78a8a43b7acd2c9b25bacdaf52ff4
SHA256

5583f5b72d10c941517c7030021cf37af8eebd66c1a78d138b5278691ad0c0aa
SHA512

f9e8946274f8936d775e274cce90a09767e341cd8148322ebfefeaf16a9d59167a7c811f116d55e8961f12cbd5bd55440f4e843a51cdef350f8c308581631fcb
SSDEEP

98304:YHYhm421gmGAxUsTa4GdXj1qv9+fh53UUdO8r:ZRUpfk405kUd

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2968-20-0x0000000000400000-0x000000000071C000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

pid	Process
3056	01.exe
1932	555.exe
2696	pleer.exe

Loads dropped DLL 9 IoCs

pid	Process
2968	dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe
2968	dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe
2968	dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe
2968	dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe
1932	555.exe
1932	555.exe
2696	pleer.exe
2696	pleer.exe
2696	pleer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	555.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pleer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3056	01.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 3056	2968	dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe	30
PID 2968 wrote to memory of 3056	2968	dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe	30
PID 2968 wrote to memory of 3056	2968	dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe	30
PID 2968 wrote to memory of 3056	2968	dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe	30
PID 2968 wrote to memory of 1932	2968	dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe	31
PID 2968 wrote to memory of 1932	2968	dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe	31
PID 2968 wrote to memory of 1932	2968	dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe	31
PID 2968 wrote to memory of 1932	2968	dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe	31
PID 1932 wrote to memory of 2696	1932	555.exe	33
PID 1932 wrote to memory of 2696	1932	555.exe	33
PID 1932 wrote to memory of 2696	1932	555.exe	33
PID 1932 wrote to memory of 2696	1932	555.exe	33

C:\Users\Admin\AppData\Local\Temp\dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Temp\01.exe
  "C:\Users\Admin\AppData\Local\Temp\01.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3056
- C:\Users\Admin\AppData\Local\Temp\555.exe
  "C:\Users\Admin\AppData\Local\Temp\555.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\gallery\bin\pleer.exe
    C:\Users\Admin\AppData\Local\Temp\gallery\bin\pleer.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gallery\Bin\alb3d.log

Filesize
320B

MD5
c861d6049a0e19b314b495d3ec91b707

SHA1
d0e2cccb39ec3edf4498f1edca0c8ab52d6feaf6

SHA256
b49913f2812b11be0d04ae83210b8090851ef1737739d4a4ddf66b01576e49a7

SHA512
50f7c37a91224fcb1c9b713ee62483539a234f7f7e7f23fb6734735a4b68b88a859e2e206ac8c082c2fb7c301a2b06a3237c08928dd3264a1c24abc44c182807

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\Bin\alb3dIrr.log

Filesize
332B

MD5
3cee19c36a63e95907dbc08a9d0c4624

SHA1
829e51e49cf2ccca8a6047c7bfaa1591882a33c4

SHA256
11abd0121c209681cb7100b6acbf20c58c0d34eff1ac4ed30beb5b7ce06e12eb

SHA512
4d1a65a6838b4a5ce083bcb8c2f51db525f172cb75d6958dfa3e63280fa126146c7b529cf764e2f304480d590679bf0a9179947ee2abd266af890393291f3f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\Bin\alb3dIrr.log

Filesize
101B

MD5
49641676defcbf273292fdde85269603

SHA1
1c96a921bf754fb49a839a88b0c64df14f33ae96

SHA256
97ad28cc9310c08f046221d739bb4b87d362fc8400692b5660a99c329e841700

SHA512
21711b95fc0d711f890c0a2c91b2dac38c36f54d9dfdd1acc5fac21378818b7efb0d992604ec47a426c0edb8be30ec14febb787a1b970d9665a588f316b0f0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\Bin\alb3dIrr.log

Filesize
71B

MD5
8bcd410920b795ab282832a8288b0c04

SHA1
12333ece19270820a9633074d9cfbc026acebb62

SHA256
853daa74f779977670192e28ac77eb1e27da77ffb9d862371c0d407150ba794d

SHA512
8b38b2a8340c3a0792b0e7227b310b69be0d43147fa70c58e53ad8ab4184324380edefe1887dfe54363b492d339ee79af705ee462f912ccfbbcc2eb183d553f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\bin\Packer.dll

Filesize
196KB

MD5
16d7e0b66ded0470ef0eaf695d9fa1ad

SHA1
282e63746509362c32a649fa5e5f91c6949fb4e9

SHA256
605391cde66c3987f184436977c4dbdf5485b0771f0951839e375a6a3dfae9ca

SHA512
4d1ae0c5d0d39ce3ce9c5100207291ddd5553139565bc18153efefaf0970a57d88134abdf933d804a2ec97ef99e0da64f38f96af578f8db931417b100527e6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\bin\galleryengine.dll

Filesize
1.6MB

MD5
712bd57e14ca030c542c7b52faf37227

SHA1
888e4f558a8ff28545a660aebc893fea827e499e

SHA256
f97a803c4662f6d074c4ca6f54cab956dd4cba4ce80bbd71f01987ff87773e35

SHA512
ac1450c31edd44dece5c7a23a0f04952fa49a8f789b10c136d986255847edbf8554f18f6da02e93c752c85c752a22507b7ef96667249eede738aebd9a1ce1d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\bin\irrlicht.dll

Filesize
1.2MB

MD5
fc090308b651c1a3a814660ca939c6b8

SHA1
fcafc5ceaa59d580efc4e29a0d19ce925ff53c0e

SHA256
b315e681e6612a841293043c81ba0f957ccdeaa0c339e7c0f0fe9fb8c5e48422

SHA512
d208de47789b86a80ed7f281b0560ee9102bdd886f1bf104c7e00f22f21f3bc137e4f020f8876651a1108274d49e260de1d1a61ab824ece35d7eb1c96cf54f98

Download Submit
\Users\Admin\AppData\Local\Temp\01.exe

Filesize
276KB

MD5
c38084798447b6482292a9894c03dba0

SHA1
cc2d3accbcd86cd783df0b5303a991937b1c6d81

SHA256
5704a1eb9e7b6e5e0ef4757d10c2c7b4c2a2295d575c36239637b0534ab17341

SHA512
f9c48117bf06a4df4107f9399d6a925f2f7703407f04ffeae6dd1cfe189eef8b76f5014a3398048239c4e82dd1e7d57fba26587898fb4c602893ee04abfdb7c9

Download Submit
\Users\Admin\AppData\Local\Temp\555.exe

Filesize
2.8MB

MD5
b7fcf25b78585786cc2ba34d1be4b060

SHA1
dc9948645afc47d5d7f5d28c80831514efeb810e

SHA256
df7cac7c1f7a8718b230dec0611006ee97d0d1e8d69fbb26f1f0d7048109a556

SHA512
74c7f40f1225f0ac3b5642f3d797ea3b12a955640b6c40b5386845eef52771d4be5a3cf11ec9e8dd024a02fadbba263183f1d8f2ebd9fb13a889be05b8bd113d

Download Submit
\Users\Admin\AppData\Local\Temp\gallery\Bin\pleer.exe

Filesize
204KB

MD5
a80cfb598a7ac2a7cf111420d9b8192d

SHA1
7afe95a972cd851b86ab850ead0a7cde494fedd0

SHA256
941733cc221873a0ffb41407b00c147f843202876cac390b02ca9ef4b5e75060

SHA512
f719a8e5bc61822acb3701a23e0edf14a93e0697ade597bb8833244f8001eebc613acf720c59fb6c8caa7f9f9148990fad11d3dafe0950982b45a779c4e5f4c3

Download Submit
memory/2696-63-0x00000000004E0000-0x0000000000515000-memory.dmp

Filesize
212KB

Download
memory/2696-66-0x0000000002220000-0x000000000235C000-memory.dmp

Filesize
1.2MB

Download
memory/2696-76-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/2696-75-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/2696-97-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/2696-96-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/2968-20-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download