modiloader | 5583f5b72d10c941517c7030021cf37af8eebd66c1a78d138b5278691ad0c0aa

Analysis

max time kernel
140s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe
Size

3.1MB
MD5

dbfda6049a06bec0ef71dd7b30c86195
SHA1

adfeff67dff78a8a43b7acd2c9b25bacdaf52ff4
SHA256

5583f5b72d10c941517c7030021cf37af8eebd66c1a78d138b5278691ad0c0aa
SHA512

f9e8946274f8936d775e274cce90a09767e341cd8148322ebfefeaf16a9d59167a7c811f116d55e8961f12cbd5bd55440f4e843a51cdef350f8c308581631fcb
SSDEEP

98304:YHYhm421gmGAxUsTa4GdXj1qv9+fh53UUdO8r:ZRUpfk405kUd

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/2252-23-0x0000000000400000-0x000000000071C000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
5024	01.exe
1488	555.exe
4088	pleer.exe

Loads dropped DLL 7 IoCs

pid	Process
4088	pleer.exe
4088	pleer.exe
4088	pleer.exe
4088	pleer.exe
4088	pleer.exe
4088	pleer.exe
4088	pleer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	555.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pleer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5024	01.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 5024	2252	dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe	85
PID 2252 wrote to memory of 5024	2252	dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe	85
PID 2252 wrote to memory of 5024	2252	dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe	85
PID 2252 wrote to memory of 1488	2252	dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe	86
PID 2252 wrote to memory of 1488	2252	dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe	86
PID 2252 wrote to memory of 1488	2252	dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe	86
PID 1488 wrote to memory of 4088	1488	555.exe	92
PID 1488 wrote to memory of 4088	1488	555.exe	92
PID 1488 wrote to memory of 4088	1488	555.exe	92

C:\Users\Admin\AppData\Local\Temp\dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dbfda6049a06bec0ef71dd7b30c86195_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\01.exe
  "C:\Users\Admin\AppData\Local\Temp\01.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5024
- C:\Users\Admin\AppData\Local\Temp\555.exe
  "C:\Users\Admin\AppData\Local\Temp\555.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Users\Admin\AppData\Local\Temp\gallery\bin\pleer.exe
    C:\Users\Admin\AppData\Local\Temp\gallery\bin\pleer.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\01.exe

Filesize
276KB

MD5
c38084798447b6482292a9894c03dba0

SHA1
cc2d3accbcd86cd783df0b5303a991937b1c6d81

SHA256
5704a1eb9e7b6e5e0ef4757d10c2c7b4c2a2295d575c36239637b0534ab17341

SHA512
f9c48117bf06a4df4107f9399d6a925f2f7703407f04ffeae6dd1cfe189eef8b76f5014a3398048239c4e82dd1e7d57fba26587898fb4c602893ee04abfdb7c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\555.exe

Filesize
2.8MB

MD5
b7fcf25b78585786cc2ba34d1be4b060

SHA1
dc9948645afc47d5d7f5d28c80831514efeb810e

SHA256
df7cac7c1f7a8718b230dec0611006ee97d0d1e8d69fbb26f1f0d7048109a556

SHA512
74c7f40f1225f0ac3b5642f3d797ea3b12a955640b6c40b5386845eef52771d4be5a3cf11ec9e8dd024a02fadbba263183f1d8f2ebd9fb13a889be05b8bd113d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\Bin\alb3dIrr.log

Filesize
1KB

MD5
9ec433908e23ba9e70181e6b4d0e665e

SHA1
81e1d3ed899730dd0e5f3eeb9aaf29a57eb6b185

SHA256
a9ddcbad3723a64f3183d7f6ce81f9f803922d8bff72de0f206c39203a4997d5

SHA512
7ddbeed101df45d88e517e2e060ee84fe8841b8f6d222c32cbacaf5eb5dfad4e24db0decaf5f0db7239767fdda1532597e3d3cc198347f8aeb460202e70071bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\Bin\alb3dIrr.log

Filesize
2KB

MD5
75e14110e87c776bc4d62e10aa4c595a

SHA1
6116ead98891e0bc8225db5969ce9b065d97a591

SHA256
c3b6b0753c91769ad3d2cb9b1831cc7d07902883a70421c578ab818cff811e7d

SHA512
4b31cae295e8d11f34f03b6bff289f934158840ef2ccd7826e8de3ccf02b468485acab5a276b7925191956807029d29b96c1b8be40c478d12a103e88f59ffa86

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\Bin\pleer.exe

Filesize
204KB

MD5
a80cfb598a7ac2a7cf111420d9b8192d

SHA1
7afe95a972cd851b86ab850ead0a7cde494fedd0

SHA256
941733cc221873a0ffb41407b00c147f843202876cac390b02ca9ef4b5e75060

SHA512
f719a8e5bc61822acb3701a23e0edf14a93e0697ade597bb8833244f8001eebc613acf720c59fb6c8caa7f9f9148990fad11d3dafe0950982b45a779c4e5f4c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\bin\Packer.dll

Filesize
196KB

MD5
16d7e0b66ded0470ef0eaf695d9fa1ad

SHA1
282e63746509362c32a649fa5e5f91c6949fb4e9

SHA256
605391cde66c3987f184436977c4dbdf5485b0771f0951839e375a6a3dfae9ca

SHA512
4d1ae0c5d0d39ce3ce9c5100207291ddd5553139565bc18153efefaf0970a57d88134abdf933d804a2ec97ef99e0da64f38f96af578f8db931417b100527e6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\bin\galleryengine.dll

Filesize
1.6MB

MD5
712bd57e14ca030c542c7b52faf37227

SHA1
888e4f558a8ff28545a660aebc893fea827e499e

SHA256
f97a803c4662f6d074c4ca6f54cab956dd4cba4ce80bbd71f01987ff87773e35

SHA512
ac1450c31edd44dece5c7a23a0f04952fa49a8f789b10c136d986255847edbf8554f18f6da02e93c752c85c752a22507b7ef96667249eede738aebd9a1ce1d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\bin\irrlicht.dll

Filesize
1.2MB

MD5
fc090308b651c1a3a814660ca939c6b8

SHA1
fcafc5ceaa59d580efc4e29a0d19ce925ff53c0e

SHA256
b315e681e6612a841293043c81ba0f957ccdeaa0c339e7c0f0fe9fb8c5e48422

SHA512
d208de47789b86a80ed7f281b0560ee9102bdd886f1bf104c7e00f22f21f3bc137e4f020f8876651a1108274d49e260de1d1a61ab824ece35d7eb1c96cf54f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\bin\walker_dll.dll

Filesize
200KB

MD5
6134c453e893072780026ac56952888e

SHA1
414e3419e3834ea0d192530127ff902fc17497d7

SHA256
3b1bf90268189d0bbdf0aa3617168822a782f772e14a3bfa95a8bac0fe9ec674

SHA512
b3becec89004a7d5187a87b64b78cba45db26fb42c4d22baffa199c76aae56b005285fc36ec0d216ba10cc7e7ea5fd6896f272e5c761048627cc001f0778806f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\resources\album3d.dat

Filesize
73KB

MD5
db4985750d206cba3c88516af7d4c6c0

SHA1
840ff9c9b70561f5894ed921569bae9789f1a22b

SHA256
137996aaa2f46ecb313496f098e239796c4991dce96ebb72eb9dd5abb4033bea

SHA512
39f9304baa786dcd5aeeae4e560f2a8a1067eec88f142bdc4130ab3044e957fbee7df750e94efd0797a1290eb9a2c61e5e6bf82596d6c0dc604b37b04c4d9906

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\resources\frames\flex_frame_gallery.3DS

Filesize
19KB

MD5
931d05f19eeb0566f65db61c67070320

SHA1
0d62061166e755865dd50fdf8298eaf13910d2fb

SHA256
9eebaab26ce6d709857bfd1a20c7a3c4222ca0d0dd3207789e5b45d19ecbb9c4

SHA512
2588922ff0b02a5e2eab9d1746303b1b6bea42346e9b3ca3f59d9bf164510ff270b4975817120d9e23cb11e85f0efc9325969bef6edfb3549c9b4d556bcf0913

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\resources\frames\ph_plane.jpg

Filesize
12KB

MD5
e8ed6bc5cd43fe58b8713942b3cf4c6b

SHA1
b566ce633c745085c44980fc5a924e10fd518820

SHA256
f9b69476179b5942e0a8eb23191791da9e24093ac95199fa31e847411da18861

SHA512
99324f4abffd71a25bb5ac719bbc36d4cbb119c089ad337ba199dd4ba69ea3d32159c4c982aa7dc8fca2a53fb2a50154a95a86a4cc64fa2939b81ed5d0e653e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\resources\frames\ramka.jpg

Filesize
47KB

MD5
c901f66c0d975a8eada21bb1c091cde1

SHA1
55aace0dc0882943ae4e2d1826a22aeaeac73387

SHA256
c0a010dbc66d1cfb3ef11a712e30d932793fb2204e3ac5d7a7eb0162a23b0a60

SHA512
c409a1856ae7a8f8c27b994fc3d53b84b9b71205bae22dea1969c5fa905f1f2e4ac04a6dbdaab0fd2eb3f85886d0b6bddec17061a9b9bee3951778a6f8e2f9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\resources\galleries\555.pgal

Filesize
155KB

MD5
dede983d4c47f79f6b65f0bab872dc6f

SHA1
ae144d69d9868603301195c91bda08aeb0012546

SHA256
670eedb35bd2d5d246b7b64d0dbf986da99a71d5cf1f92a20b6962bf4aa580d8

SHA512
8a9d81615507a85b8677c5c981a511e1259dc57cc972b74a5e6cbc883d8bb3c9158272df818f5dc0dc26cea7f5f4482bc64ef919820717442c3b1b2b4b8d40b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\resources\scenes\shared_textures\CON003.JPG

Filesize
12KB

MD5
b71966b61e1acc6322351fff97e5d10f

SHA1
dba68fdc5b05d4754f1c6b5d1992a614962066c6

SHA256
d68ab209b2b40a3479de8a2f8b440c1b63e919de2d0faadb0114b0e7f27430fe

SHA512
3f7d704a0890f2560231d074317a710eae34ab5362495571ba1b3bb3ae2bb3bcb312a76dcb99e909c0cdb640f0c299cecf5fe0aca671cef6c58733bde53484a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\resources\scenes\shared_textures\carpet002.jpg

Filesize
32KB

MD5
21a236ba731a0511bccd5aff8911111d

SHA1
6cbd278d625c8c6e8e3dd3c4e33bfcb7bda6afca

SHA256
74a9c1ca8a43a444d02ca675ba1ff944bc0c258414a30b67cb4d28f177f1664d

SHA512
1f0c11d2bf896d758a7544b6138185d896718ed8078d26f1766fee13f38706012a91e4a2737bcc5a8cf3d6c063cb63291afde05285fc93be43abd703377dfbdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\resources\scenes\shared_textures\cskb004.jpg

Filesize
41KB

MD5
25131dc9f3ee3c23275e5ba9bcf79b6b

SHA1
1e40e40d5b96a9eb0afbdee74d7400fef508dd5a

SHA256
10fe3816d64420065160b622ebac2eb3c27e66775aeee96c597bfe6b5d416fa4

SHA512
e6c6932b05af0691842e3ecb9ba39993b1629501e29079624b1537ee5b52e03f085c4231aff67294af143cd7d966a96c53c304191fce1c02356a336d6cd0cba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\resources\scenes\shared_textures\fabric002x04.jpg

Filesize
47KB

MD5
512c77d6d5bfb30968ad90057912dfac

SHA1
d2d0c5695423559068624901cea51898b6e22467

SHA256
90f0885706cba276999ac15dcf83a062c2d7e79e357313920dcd9c7face450d9

SHA512
62cded94995362012a8cafe2aa947ce34919839c6df3daa016996f14f7d94180b94319898f9283f448ae97d937a30ae6a182626a672f5cab73a29388a1a05b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\resources\scenes\shared_textures\misc005.jpg

Filesize
8KB

MD5
6ab2a8f6dd08d33a3e4bfed7955426ee

SHA1
496e5c32254597f7e5c4ea48d9fd48e6e99fd1b1

SHA256
d81152c6bd1c9cf51af65d901cba79faf3bc24e6afdb2d5699859a90c4e20f19

SHA512
b0578da788f2b3f2888c5c50aad9fd6b19db88a9036f4a6965c0f72107b691b0bc0d14e388d6c9e8350f18c0fed1046f725a5b448b6acf6dde1b9db6e95de633

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\resources\scenes\shared_textures\tiles_floor001.jpg

Filesize
20KB

MD5
8fa077dadcaaa53936dd01b7e2d8c0cf

SHA1
2dc4d7d5f1b720d8f2f849ec9a99b1a8d486ad98

SHA256
7fdd54b887165495532795f4eab3e4bd20a058d98b9af9cd5e2f941b42cda8c6

SHA512
11e7d1a4990fdbc0cfd622aee6f003c89200ef9abc32be72fe7ea179a7fc5d81697d7de8f84ee1c3b7758d989c0a90b780238c504c70abfc1b9747620c0d2660

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\resources\scenes\showroom\Chairs.jpg

Filesize
161KB

MD5
955bf4aec2f9db466078eb9f1b08548b

SHA1
dd1874c61bcda2cde320f38bf8cf6c5ff2003402

SHA256
83d97875d489d1ab13442b76fd1333770d79a0ddbaaccd75cc00e5b181926ad3

SHA512
48a77c6f9073d12774808457b856f9b7a8e65e0e9ec5bfaaedaacead0fdfd254d1ca2f74ce451b8f9e17560c8c0cb810ec83c78e8e221d2851af082a7b181fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\resources\scenes\showroom\Misc.jpg

Filesize
28KB

MD5
2f264637a9794a809fdfcdb16a697515

SHA1
d25311f29557c2ad30a05cff8eb45a6a112f5917

SHA256
21730140131d42193317379c517e1aac4d386ef8b54393e23df47cd2a734ca4d

SHA512
3bc49dee13e7dfafbcf6d03405990c24fb26c6d24a907ddae603d4f6c27c107cf25984d2b30b487d53dd8b6a72eb13aff388c08f6f2124071b36c15d17de2400

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\resources\scenes\showroom\Roof and Floor.jpg

Filesize
113KB

MD5
0efe3ff56896a8bab0f9b31c2ca5650b

SHA1
a25be7bf0cbf09f23b71270e0265be73f8d2cdbb

SHA256
0443bccabbb1e607fc5405d7e67337f02bd319409ef71179208e165db1866289

SHA512
4a21e42acf06e97a328017127856962285820f209a62c37f943d3acec3246040d1589b46a4aafbacc93cb5c63f44f2ecdb4f2064b2c5f5be5f3d6accd93f67c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\resources\scenes\showroom\Stolbiki.jpg

Filesize
52KB

MD5
920ae6bc4d02d8d47b27114446afb845

SHA1
8adf487a9dc8483050e2191030abad0fa72b220b

SHA256
81fe0816e6b598d088e7b828f4cc121492a427275eb8a1652dc7f1a9a1afec64

SHA512
0dd16835e4bccf625b14d30f743f47524131632430eaa1e2ce58cf7556d31984376480363d6a349bfa9ca50282df9084b14a90e03ca40f0bd4a35ba068f49e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\resources\scenes\showroom\Walls.png

Filesize
172KB

MD5
0059e21648224809778d0838e53214c5

SHA1
5734d88ef1d4e7b67c8cd62772e3ed1395658ac4

SHA256
96f774cb5958b5120dd26a32a2ae544474c9aa04f02459e61c1f1346a5432c61

SHA512
83a8c1d34590af9d646975705a94dfc747d641e90001812cc0a37b9a1ab20a6b48756be9a587717048bfa210c15643ff4620db2ed66013df01ed3d10a97498de

Download Submit
C:\Users\Admin\AppData\Local\Temp\gallery\resources\scenes\showroom\showroom.alb3d

Filesize
715KB

MD5
77d766faaffd22280a2584b7336d8611

SHA1
e4e6b48ba1b5c6d5b52769d50ec2acbefdd5d8aa

SHA256
d53705d3e581540084e1a5bb9e30ca186fae1c45d76714f613332ebf0ec17315

SHA512
b5ac1768323366fbbaeb8bb8f3f0c54fde13ec0ee302d2114874f80486a13661e948b48f587d1f48d5958aaa1e0a6945142e96d4aa07588a8e8ec03506b832f4

Download Submit
memory/2252-23-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4088-68-0x0000000002640000-0x000000000277C000-memory.dmp

Filesize
1.2MB

Download
memory/4088-63-0x00000000021E0000-0x0000000002215000-memory.dmp

Filesize
212KB

Download
memory/4088-157-0x0000000005F20000-0x0000000005F54000-memory.dmp

Filesize
208KB

Download