modiloader | a46db8b5f84724ed48fa71b55f001dd3bdce43a4e594e801209724d1a97403e7

Analysis

max time kernel
140s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df56132bc0e8ec82fc6aeb9e7cde5448_JaffaCakes118.exe
Size

641KB
MD5

df56132bc0e8ec82fc6aeb9e7cde5448
SHA1

07b848ed9d3d6b7ae1665773a93dc54c2b2ce5c2
SHA256

a46db8b5f84724ed48fa71b55f001dd3bdce43a4e594e801209724d1a97403e7
SHA512

3fd49cc6fc2e96a80e6f328c5f71b3e393ba9b554003996859d316f1508a1e9b67acd92ade025e9c5f0aec0cca58a2fd1b16fac71f9933cd64a1219f267c986d
SSDEEP

12288:DAPdPPbmV4YNvDHIm/BQMW8SgY4vqHISVcpE8QPuxF19KkXPh8GJZ:DAFKxomZ08SgDvQISVcu8QPCDAkdD

Score

10^/10

modiloader discovery evasion trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023428-5.dat	modiloader_stage2
behavioral2/memory/3356-9-0x0000000000400000-0x00000000004A2000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
3356	tmp.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df56132bc0e8ec82fc6aeb9e7cde5448_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3356	tmp.exe
Token: SeBackupPrivilege	1552	vssvc.exe
Token: SeRestorePrivilege	1552	vssvc.exe
Token: SeAuditPrivilege	1552	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3356	tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3016	df56132bc0e8ec82fc6aeb9e7cde5448_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 3356	3016	df56132bc0e8ec82fc6aeb9e7cde5448_JaffaCakes118.exe	83
PID 3016 wrote to memory of 3356	3016	df56132bc0e8ec82fc6aeb9e7cde5448_JaffaCakes118.exe	83
PID 3016 wrote to memory of 3356	3016	df56132bc0e8ec82fc6aeb9e7cde5448_JaffaCakes118.exe	83

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\df56132bc0e8ec82fc6aeb9e7cde5448_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df56132bc0e8ec82fc6aeb9e7cde5448_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  C:\Users\Admin\AppData\Local\Temp\tmp.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3356

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
617KB

MD5
cd791af96ca0f4634adf063ef2c8bd00

SHA1
01f4fc6481b74b93131c66f5b1dd0ce4d74a409c

SHA256
0e4145da5d809b89a4179226b1a69a9fb3941934865e27bb75ee55846473c55f

SHA512
c6e5020cb75a391ef28d5fc1a9b47ba7b4029539c167682668e30c48c4db771e3269d6ab674991ce0b483bd6f45f927b1d8c79e933462800204ecce37a440cff

Download Submit
memory/3016-0-0x0000000000400000-0x00000000004058B8-memory.dmp

Filesize
22KB

Download
memory/3016-8-0x0000000000400000-0x00000000004058B8-memory.dmp

Filesize
22KB

Download
memory/3356-7-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/3356-9-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download