modiloader | 7c816f5f58d4c732bc321e4a059877827952f6448305929630d34b1efc72c0da

Analysis

max time kernel
69s
max time network
135s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc1499f2cd9ff70637e4e446a168e82c_JaffaCakes118.exe
Size

263KB
MD5

dc1499f2cd9ff70637e4e446a168e82c
SHA1

30c7970e4bb515a3c40cec18cdf6afda91ce79e4
SHA256

7c816f5f58d4c732bc321e4a059877827952f6448305929630d34b1efc72c0da
SHA512

7fefef9e4a1254758725ac150e34a7e9138f3648eff927d44ae66425f64b761706997fe2a5b16c182f28f1671b7c08ef4bd7c0a30999303efe5c196733e68bf4
SSDEEP

6144:pt0TZbUFbRKHZCJ9ZXmhawDIVJ3uNgHYn+qR5rh:ITZbUCZCtXua8VWO+A59

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/1140-2-0x0000000000400000-0x0000000000507000-memory.dmp	modiloader_stage2
behavioral1/memory/1140-6-0x0000000000400000-0x0000000000507000-memory.dmp	modiloader_stage2

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1140 set thread context of 1748	1140	dc1499f2cd9ff70637e4e446a168e82c_JaffaCakes118.exe	29

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt	dc1499f2cd9ff70637e4e446a168e82c_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc1499f2cd9ff70637e4e446a168e82c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CF7DD0B1-70D9-11EF-9B59-D60C98DC526F} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432288496"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1748	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1748	IEXPLORE.EXE
1748	IEXPLORE.EXE
2216	IEXPLORE.EXE
2216	IEXPLORE.EXE
2216	IEXPLORE.EXE
2216	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 1748	1140	dc1499f2cd9ff70637e4e446a168e82c_JaffaCakes118.exe	29
PID 1140 wrote to memory of 1748	1140	dc1499f2cd9ff70637e4e446a168e82c_JaffaCakes118.exe	29
PID 1140 wrote to memory of 1748	1140	dc1499f2cd9ff70637e4e446a168e82c_JaffaCakes118.exe	29
PID 1140 wrote to memory of 1748	1140	dc1499f2cd9ff70637e4e446a168e82c_JaffaCakes118.exe	29
PID 1140 wrote to memory of 1748	1140	dc1499f2cd9ff70637e4e446a168e82c_JaffaCakes118.exe	29
PID 1748 wrote to memory of 2216	1748	IEXPLORE.EXE	30
PID 1748 wrote to memory of 2216	1748	IEXPLORE.EXE	30
PID 1748 wrote to memory of 2216	1748	IEXPLORE.EXE	30
PID 1748 wrote to memory of 2216	1748	IEXPLORE.EXE	30

C:\Users\Admin\AppData\Local\Temp\dc1499f2cd9ff70637e4e446a168e82c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc1499f2cd9ff70637e4e446a168e82c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1140
- C:\program files\internet explorer\IEXPLORE.EXE
  "C:\program files\internet explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee9c1587fc149b351ae237eeb6a9af48

SHA1
30b84f49858393d4c4717dbbf414acd551405b00

SHA256
9eff89312a08fd9627b88b0457de83ecc910727e3920c628c51816a9fd1f8ab8

SHA512
3e959b29d655758d608aed43b3cf4a45b545594beafd38d4a35822ecab9c8db5bdd0b2a7415ce8d7e40c675b728667a9faf36ad33f9597aa31569d8fd7ddc73e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b37fd2c6614b6081e08fbccdb209f486

SHA1
1485fe0c8eede047af2386985533a9f02c11d507

SHA256
cea6f3a4096039fcd4f14f2fe4eb8cb8bd7516443190f54e5ef7de7ddd408ad4

SHA512
463e3435f80d0211ae08eaff7ccdd33d3c0f9eefa1dc31837ae894bed1a52361c55b8005b73b5907d197f09b2024084ebe0e6000ab5a07984a73ef79cdbc4e9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07fdb9f030fef7d9ee30c207c45b705b

SHA1
6de2fda85835f3b9f97e7d17d2551ebfaa32d2b2

SHA256
6298204f73c46b0a20b34fae9468c1e1fe705d13e5c88fed6e6b9c8d0bee936c

SHA512
3901b3f884df322e533fd128fe6091e88fccbb2f851daff073ca8a4287dfb4d9632da62ece753803e8982d0aeda19bc8376174c9350457ccc4f27caabcbe140a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e96b81903ba2151f40133438c500e2b

SHA1
859a6852941f9e3d46c779283b590d4a5f231f23

SHA256
c63139cd6e0e27a437757011ad9a19e54bbe6074067f658545f13f042384eb5a

SHA512
32171dfbfaee8306a382703cd942b725a841495b69e1897810888cb9697174dbca508be90bb5d732937d615735a1febc86b7f42aeb5310f47731aaa564178910

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a67cb866e8d9b398a558e161b7388eb9

SHA1
21fc583e9350d548d84e7a9f592277fb73ed5790

SHA256
3f5e05e04b22c1c96fb36c200d58d03c50d8d4c55b2398043c1584639c3de024

SHA512
02b4da91e3aab3708dbdf0bc6183611b505132957ec2e22064f275dca5ab976ea9b898a1591f2efdce2c35ca9e84e2747514130d4d9f7869150557a89e8e67eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
378496788685ea7a828624b298e15c43

SHA1
9a6a4dafda90d12fb7ade54944de017ec93b41cd

SHA256
4c6fce91ae497f7c0d2e8dc79664dfb608645a5f25e8621e7ba16b8ecd5494e0

SHA512
e1a38821aa5c8450ae696f4bc054d9f8f8f9012cdb2835d35b7daf5b841453653ac3ba90f9a5bfbf4d6d4ab2dbbe1de8b5a2cbf021d6ea2ddee8bb3787e2b302

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bba5c5c3b1a8cbeaa371f3046a439b8a

SHA1
e9bc5d5410b2780a73c71b32ff15e8195d3dcf17

SHA256
63ae24208dabadad5dd5ab89bb5938c5eaf49900216b57a74f478fd150460a39

SHA512
dd55f58a4a5d735b82404fbafd27aeacce6c358e300e681be0fef151168c98e92d9c1527bb91c75f5136774f430e5ab66b74cf8c053ace48463ea24eab0b26ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47856c65584b78ab33d900cc8f34e13c

SHA1
2df9fefa1b1a5d5379a4a526ffa0ccec3dfdbd9e

SHA256
1df33f0f21c930d5b2727470e820b2ee843e301f2eef80f7dbd7d72bb2cdf204

SHA512
33b9ed6411884e27d0cefc20f746111917743251b6240e8275ab1782fbeca68881ec1833fa93a697f704337e9686c8c15fee1215258922ac03d63da8d6c83f4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1eef446e570706069b338fc4758e6d38

SHA1
b8310713f45d80cc358336f7e40b690ce5520c70

SHA256
327ea5e4b09374cc3e4f94d2b189402e1375c09a9ece132d1c1289da0e69b9fa

SHA512
a68c28eae3c8aedb3f295a352eec7980afc1707980db3192de422ec1bb43c253b6483e6c0b33c7a532fb215991e048bfffc838a09c6955166ce04c7caa583faf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eaf1018fe28847ed6de05f50858780f9

SHA1
27653062887cff097a6b46ca594ce7ea18799b18

SHA256
b853e9f96eb0dfeb9517491817bc0f355206e26e5f0be3814d3a8ec4ac5ad738

SHA512
40fc7133afc5c68caa7090094a39930410f60919fd1ea55c9ec65035c13e1f39267e2745cf75934054baeabbfd52713fbcbeeb404d7467848b338753e3cedbac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c792813725b2c4fbc0f0d3ed8ea6fde

SHA1
d6d60edc3ebbef86b4da3668e326e1d8290539e9

SHA256
d39dfed69d9c7e698a955da80be9b1a89d27f17e29f6dc635a93617f5629c2d4

SHA512
f83ac518e31d7cd27f6a4ebcf56086196bc8cf1eaeb2ed3122a33e57abe4512907f34dc40f07c7af53d0106e8c83f6e387623e3c90acf472d59aef1e144f8c50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e1365cdfb38e9f94c5a05dc46753db1

SHA1
9d3b98b704fe5179c3c97dea3d0252b7399ef3e4

SHA256
fd569bb0c587569930c2df5642dbe520d3c7b33718a68ee103c1af99f92a2905

SHA512
24d1f8a326e4fa2b164155a5649a677b6ddc9bd8477edf755be690aecf106a185bbe46f048974f1d1d8988e930455c8241069314b3feb00f9a48cf8cb6d5c48a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb3e27222b268427f64ab444b4063aa6

SHA1
885ff27906bbcd3ed3145df6fa7ad20e7fe2bf79

SHA256
ba8f6ef61ded59917505241e1c5e25a8ec650e654cc583d12b3abfdd4292a962

SHA512
200e7e8497bc4ab75d83fb27e030dcf036802ef0bbd162ef094e9dc46b063cf642f484e0f27e5c772f097ca8581770b7b82553045a79b4b324793efd4ba97559

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e10bd9a8c53d746dc92fea92406e20af

SHA1
2cd95e0040ca7057d07a62eef23b2e32e8e57ff6

SHA256
46be766d054a59327a574e642247f9bfa69645999a10b20e56c2753c4061f7bc

SHA512
64bba94e94ecf76600382d1a144db86abf10af354de443cf6819fceacdede6f0b1098fd52aa0661154c159e0d3109177b23c6d8baa62d6195246b9bdd645ec6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3787bcd5c855d9e8a962d99ecb4a426d

SHA1
f7ac580d7ab48434a27c7e7c91accffbcfda6969

SHA256
08807f302e2bcc7f7ec7213bab3da734971e4655172e277009b484b8193d0252

SHA512
8e694b92cec973d23fb5dcf829f6e4850da70d150286131f96e643e593acbb1877c874e36c0af046fff986eb2dbc922cf0042e5bc49c7df5a208e516ee3fdbd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb1174550fcb38cf62dc834db76a8db3

SHA1
22cd391242a2147d40ee16b89e6aaa2761247f62

SHA256
e614744dce9918f156a0bfb1b134672b52f5eb98fb46038590920fe4df306a07

SHA512
484790b9110629c7b5f6de8f1f08005483ae2527d9a95fcf2efbb064c03cd9a44fdbba622fa19372c3412caf2b27598c0f462e36996f21e92cb5286f088c14bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ee8e320359655331a104a29e5b4740c

SHA1
4bdb3831b92e3f72e732db113fac45af119c7254

SHA256
48bd61d6870d6327d8d8bc59cc40c99114c192ea132f554194c99b2e4178b6e4

SHA512
90c13e21035dafda8a0e2ec11b39b0aa896bd0ee1a1c4b589ea819d152d70b7fab1093a54c68d88e7af711c69311b74c52ddfcd1103d0f4e2bfc3239ce5de457

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBCAE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBD7C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1140-6-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1140-0-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1140-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1140-2-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1140-3-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1748-5-0x0000000000060000-0x0000000000167000-memory.dmp

Filesize
1.0MB

Download