modiloader | 0ee7ba499d324fdda533c85a7bc8c1a47d0e352e2c4ee34c3908ae0aef7c0e7b

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe
Size

1.5MB
MD5

df0e91aa54b4db95c393ebe489c60c1c
SHA1

c1743673b32cfbd2debfb673908b92dc94a71720
SHA256

0ee7ba499d324fdda533c85a7bc8c1a47d0e352e2c4ee34c3908ae0aef7c0e7b
SHA512

1196e3e1cc84cee894ca21684e01838754ce08844aee9ad3d93c8318dad8ce1485751c9bb2cf3da5b1a2f3efbc76628976e5ba8d47456a820a4df0953e124197
SSDEEP

12288:2DEpUTy2uN7CdXfjJh2SXGXUIaJ1kR5aZmjwgJAaZmjwgJQgJnaZmjs:lbN7CdXfNh2+mUnwR5YNu

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2292-19-0x0000000000400000-0x000000000058B000-memory.dmp	modiloader_stage2

Executes dropped EXE 4 IoCs

pid	Process
1572	clean.exe
2268	ÈÑäÇãÌ ÒíÇÏÉ ÍÓÇÈ ÇáÓßÇíÈ.exe
1164	clean.exe
2684	clean.exe

Loads dropped DLL 6 IoCs

pid	Process
2292	df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe
2292	df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe
2292	df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe
2292	df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe
1572	clean.exe
1164	clean.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1572 set thread context of 1164	1572	clean.exe	30
PID 1164 set thread context of 2684	1164	clean.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clean.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clean.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ÈÑäÇãÌ ÒíÇÏÉ ÍÓÇÈ ÇáÓßÇíÈ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clean.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2684	clean.exe
2684	clean.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1572	clean.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2268	ÈÑäÇãÌ ÒíÇÏÉ ÍÓÇÈ ÇáÓßÇíÈ.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 1572	2292	df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe	28
PID 2292 wrote to memory of 1572	2292	df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe	28
PID 2292 wrote to memory of 1572	2292	df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe	28
PID 2292 wrote to memory of 1572	2292	df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2268	2292	df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe	29
PID 2292 wrote to memory of 2268	2292	df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe	29
PID 2292 wrote to memory of 2268	2292	df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe	29
PID 2292 wrote to memory of 2268	2292	df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe	29
PID 1572 wrote to memory of 1164	1572	clean.exe	30
PID 1572 wrote to memory of 1164	1572	clean.exe	30
PID 1572 wrote to memory of 1164	1572	clean.exe	30
PID 1572 wrote to memory of 1164	1572	clean.exe	30
PID 1572 wrote to memory of 1164	1572	clean.exe	30
PID 1572 wrote to memory of 1164	1572	clean.exe	30
PID 1572 wrote to memory of 1164	1572	clean.exe	30
PID 1572 wrote to memory of 1164	1572	clean.exe	30
PID 1572 wrote to memory of 1164	1572	clean.exe	30
PID 1164 wrote to memory of 2684	1164	clean.exe	31
PID 1164 wrote to memory of 2684	1164	clean.exe	31
PID 1164 wrote to memory of 2684	1164	clean.exe	31
PID 1164 wrote to memory of 2684	1164	clean.exe	31
PID 1164 wrote to memory of 2684	1164	clean.exe	31
PID 1164 wrote to memory of 2684	1164	clean.exe	31
PID 1164 wrote to memory of 2684	1164	clean.exe	31
PID 1164 wrote to memory of 2684	1164	clean.exe	31
PID 2684 wrote to memory of 1216	2684	clean.exe	21
PID 2684 wrote to memory of 1216	2684	clean.exe	21
PID 2684 wrote to memory of 1216	2684	clean.exe	21
PID 2684 wrote to memory of 1216	2684	clean.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\clean.exe
    "C:\Users\Admin\AppData\Local\Temp\clean.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\clean.exe
      C:\Users\Admin\AppData\Local\Temp\clean.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Users\Admin\AppData\Local\Temp\clean.exe
        
        C:\Users\Admin\AppData\Local\Temp\clean.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2684
- - C:\Users\Admin\AppData\Local\Temp\ÈÑäÇãÌ ÒíÇÏÉ ÍÓÇÈ ÇáÓßÇíÈ.exe
    "C:\Users\Admin\AppData\Local\Temp\ÈÑäÇãÌ ÒíÇÏÉ ÍÓÇÈ ÇáÓßÇíÈ.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\clean.exe

Filesize
409KB

MD5
fd390e7de47ffa0e4115da779c877663

SHA1
c60660a2eb031e18d5bad8ea356ffbc1664c7c89

SHA256
bd418649672cc1b4cb9e0267cb60a91ad9bb4be2d6a3bbe6ad98a08111dcda9b

SHA512
99cdb78642a505a2e6c01dd25012f3b51c6cfc6801323bb118316e3d05ae8c858fcfec62813445d649fd573a6ba95bb89aa030d51554b97cc68ef975fb3fd515

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÈÑäÇãÌ ÒíÇÏÉ ÍÓÇÈ ÇáÓßÇíÈ.exe

Filesize
1.1MB

MD5
41969e613bd7b243d3f541a3008c4ad1

SHA1
c4dc824a3c7d7a8c05084bf8e33b4b8c5f0764b9

SHA256
85f5b4ae3320eeeed167646e4c9a81ed52ce418b4a16682f794296cd72783f82

SHA512
a3064a5acda2cee99088ff7a18d70d5be06e987a6f58db9b74f45f3b2eb67041d1d025b39aef74e670b352e8a5f8d905c19aed655df82862000ba543c1b17631

Download Submit
memory/1164-28-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1164-30-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1164-26-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1164-32-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1164-36-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1164-41-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1164-39-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1164-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1216-58-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1216-55-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1572-24-0x0000000074B70000-0x000000007511B000-memory.dmp

Filesize
5.7MB

Download
memory/1572-23-0x0000000074B70000-0x000000007511B000-memory.dmp

Filesize
5.7MB

Download
memory/1572-42-0x0000000074B70000-0x000000007511B000-memory.dmp

Filesize
5.7MB

Download
memory/1572-20-0x0000000074B71000-0x0000000074B72000-memory.dmp

Filesize
4KB

Download
memory/2292-19-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/2684-44-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2684-46-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2684-48-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2684-51-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2684-53-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2684-54-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download