modiloader | fc5a28874f895d949ab0399f405adab985c90a5bd89dc1b78df86ff258836048

Analysis

max time kernel
144s
max time network
25s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2aae49b4fec7654666e449a9e715a7b_JaffaCakes118.exe
Size

506KB
MD5

e2aae49b4fec7654666e449a9e715a7b
SHA1

6449ef425f8b756b882a402607fc3b78b1624b6c
SHA256

fc5a28874f895d949ab0399f405adab985c90a5bd89dc1b78df86ff258836048
SHA512

495c1690126e876645f3a369c38d9bce7e939253c9fd3c135ae8a86c9699d2e2f62525e16f4523e0275d746bf4872f9968b6dc03d6e2265ddbbe7665e200e4b3
SSDEEP

12288:F4/Pfg6oj5BKTM7IF3Z4mxxCfS8ZULahN:FyPVqBKGIQmXyS802N

Score

10^/10

modiloader discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 8 IoCs

resource	yara_rule
behavioral1/memory/1164-39-0x0000000000400000-0x000000000048E000-memory.dmp	modiloader_stage2
behavioral1/memory/2224-42-0x0000000000460000-0x00000000004CF000-memory.dmp	modiloader_stage2
behavioral1/memory/2224-44-0x0000000000460000-0x00000000004CF000-memory.dmp	modiloader_stage2
behavioral1/memory/2224-46-0x0000000000460000-0x00000000004CF000-memory.dmp	modiloader_stage2
behavioral1/memory/2224-48-0x0000000000460000-0x00000000004CF000-memory.dmp	modiloader_stage2
behavioral1/memory/2224-50-0x0000000000460000-0x00000000004CF000-memory.dmp	modiloader_stage2
behavioral1/memory/2224-52-0x0000000000460000-0x00000000004CF000-memory.dmp	modiloader_stage2
behavioral1/memory/2224-54-0x0000000000460000-0x00000000004CF000-memory.dmp	modiloader_stage2

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\netrt\Parameters\ServiceDll = "C:\\Windows\\System32\\sysn.dll"	e2aae49b4fec7654666e449a9e715a7b_JaffaCakes118.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000018bf3-40.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2224	svchost.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2224-41-0x0000000000460000-0x00000000004CF000-memory.dmp	upx
behavioral1/files/0x0008000000018bf3-40.dat	upx
behavioral1/memory/2224-42-0x0000000000460000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/2224-44-0x0000000000460000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/2224-46-0x0000000000460000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/2224-48-0x0000000000460000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/2224-50-0x0000000000460000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/2224-52-0x0000000000460000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/2224-54-0x0000000000460000-0x00000000004CF000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sysn.dll	e2aae49b4fec7654666e449a9e715a7b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sysn.dll	e2aae49b4fec7654666e449a9e715a7b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2aae49b4fec7654666e449a9e715a7b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	1164	e2aae49b4fec7654666e449a9e715a7b_JaffaCakes118.exe
Token: SeRestorePrivilege	1164	e2aae49b4fec7654666e449a9e715a7b_JaffaCakes118.exe
Token: SeRestorePrivilege	1164	e2aae49b4fec7654666e449a9e715a7b_JaffaCakes118.exe
Token: SeRestorePrivilege	1164	e2aae49b4fec7654666e449a9e715a7b_JaffaCakes118.exe
Token: SeRestorePrivilege	1164	e2aae49b4fec7654666e449a9e715a7b_JaffaCakes118.exe
Token: SeRestorePrivilege	1164	e2aae49b4fec7654666e449a9e715a7b_JaffaCakes118.exe
Token: SeBackupPrivilege	1164	e2aae49b4fec7654666e449a9e715a7b_JaffaCakes118.exe
Token: SeRestorePrivilege	1164	e2aae49b4fec7654666e449a9e715a7b_JaffaCakes118.exe
Token: SeRestorePrivilege	1164	e2aae49b4fec7654666e449a9e715a7b_JaffaCakes118.exe
Token: SeRestorePrivilege	1164	e2aae49b4fec7654666e449a9e715a7b_JaffaCakes118.exe
Token: SeRestorePrivilege	1164	e2aae49b4fec7654666e449a9e715a7b_JaffaCakes118.exe
Token: SeRestorePrivilege	1164	e2aae49b4fec7654666e449a9e715a7b_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e2aae49b4fec7654666e449a9e715a7b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e2aae49b4fec7654666e449a9e715a7b_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k network
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\sysn.dll

Filesize
156KB

MD5
fd7ff3a505fff9cc75116db3f741ca2e

SHA1
eba74aa61621284b7a175e27047359481bad62e7

SHA256
44b0885b14c66f550633b47cb60535722b8e9d0690b02bc8a2fd0e9d0a304cda

SHA512
f98727b9ac0ee6579149ea4f05cedaa76a9314396819f392c3e72f25c39f186f847952383e725a898366c721d4d37874c289fc7cf2d4e9c1594b573130f28b73

Download Submit
memory/1164-14-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/1164-26-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1164-38-0x0000000001CA0000-0x0000000001CF4000-memory.dmp

Filesize
336KB

Download
memory/1164-13-0x0000000001D00000-0x0000000001D01000-memory.dmp

Filesize
4KB

Download
memory/1164-29-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1164-11-0x00000000031A0000-0x00000000031A2000-memory.dmp

Filesize
8KB

Download
memory/1164-27-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/1164-12-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/1164-25-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/1164-24-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1164-23-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/1164-22-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/1164-21-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1164-20-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1164-19-0x0000000001D60000-0x0000000001D61000-memory.dmp

Filesize
4KB

Download
memory/1164-18-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/1164-17-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/1164-16-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/1164-15-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1164-0-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1164-30-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1164-39-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1164-28-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1164-10-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1164-9-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/1164-8-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1164-7-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1164-6-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1164-5-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1164-4-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1164-3-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1164-2-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1164-1-0x0000000001CA0000-0x0000000001CF4000-memory.dmp

Filesize
336KB

Download
memory/2224-41-0x0000000000460000-0x00000000004CF000-memory.dmp

Filesize
444KB

Download
memory/2224-42-0x0000000000460000-0x00000000004CF000-memory.dmp

Filesize
444KB

Download
memory/2224-44-0x0000000000460000-0x00000000004CF000-memory.dmp

Filesize
444KB

Download
memory/2224-46-0x0000000000460000-0x00000000004CF000-memory.dmp

Filesize
444KB

Download
memory/2224-48-0x0000000000460000-0x00000000004CF000-memory.dmp

Filesize
444KB

Download
memory/2224-50-0x0000000000460000-0x00000000004CF000-memory.dmp

Filesize
444KB

Download
memory/2224-52-0x0000000000460000-0x00000000004CF000-memory.dmp

Filesize
444KB

Download
memory/2224-54-0x0000000000460000-0x00000000004CF000-memory.dmp

Filesize
444KB

Download