modiloader | cde75a3200f09e5b326f7d66d58c4ea0f8cc735dd56e011aa16d5a25df244292

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-09-2024 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e49eab0920e305dc0ed7f28eb8dcdb33_JaffaCakes118.exe
Size

438KB
MD5

e49eab0920e305dc0ed7f28eb8dcdb33
SHA1

b66462876c541674d8f9a8c68c3da6ab131f6473
SHA256

cde75a3200f09e5b326f7d66d58c4ea0f8cc735dd56e011aa16d5a25df244292
SHA512

bcae089a6e71386414a7b50811c3f1490dc957f95435e7445654dfe88a33f877513aee40d62442c019bd04653dd85489f8eb2abb8c2a9c3d18cf6e8783103c31
SSDEEP

6144:K8aiq19Kxjub6YEwfFkeApwGSff+bqdbWYmmCBmVCt53YzSZe27ziio6/Mc0FJ:K8an19KVf0fFbAp63EYmXg2Xiio6wFJ

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/1696-7-0x0000000000400000-0x0000000000640000-memory.dmp	modiloader_stage2
behavioral1/memory/1696-5-0x0000000000400000-0x0000000000640000-memory.dmp	modiloader_stage2

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1696 set thread context of 2352	1696	e49eab0920e305dc0ed7f28eb8dcdb33_JaffaCakes118.exe	30

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt	e49eab0920e305dc0ed7f28eb8dcdb33_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e49eab0920e305dc0ed7f28eb8dcdb33_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3AA8FDE1-741A-11EF-ADF2-46BBF83CD43C} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432646015"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2352	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2352	IEXPLORE.EXE
2352	IEXPLORE.EXE
2088	IEXPLORE.EXE
2088	IEXPLORE.EXE
2088	IEXPLORE.EXE
2088	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2352	1696	e49eab0920e305dc0ed7f28eb8dcdb33_JaffaCakes118.exe	30
PID 1696 wrote to memory of 2352	1696	e49eab0920e305dc0ed7f28eb8dcdb33_JaffaCakes118.exe	30
PID 1696 wrote to memory of 2352	1696	e49eab0920e305dc0ed7f28eb8dcdb33_JaffaCakes118.exe	30
PID 1696 wrote to memory of 2352	1696	e49eab0920e305dc0ed7f28eb8dcdb33_JaffaCakes118.exe	30
PID 1696 wrote to memory of 2352	1696	e49eab0920e305dc0ed7f28eb8dcdb33_JaffaCakes118.exe	30
PID 2352 wrote to memory of 2088	2352	IEXPLORE.EXE	31
PID 2352 wrote to memory of 2088	2352	IEXPLORE.EXE	31
PID 2352 wrote to memory of 2088	2352	IEXPLORE.EXE	31
PID 2352 wrote to memory of 2088	2352	IEXPLORE.EXE	31

C:\Users\Admin\AppData\Local\Temp\e49eab0920e305dc0ed7f28eb8dcdb33_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e49eab0920e305dc0ed7f28eb8dcdb33_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1696
- C:\program files\internet explorer\IEXPLORE.EXE
  "C:\program files\internet explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2352 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1303118536c7436b99eea0da88a6556c

SHA1
be17b3dcfdc64cf75c4e2c63984b3a1406924a43

SHA256
0d3c92d6379e828826f4d166a5d777a5f6c0f5dfaf0443e44cb3df17ece6c3ca

SHA512
53b12be16bae179f86b5ced050672e9e5fea82c54154742fd67aa56eeb49e454a86364279d94e722766556ee5ac7196beb904344a99ba972d084c139b47b74e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9548ae589f8b91776295387dc1c26e4e

SHA1
8aa7ffa9e020c8a33137b8cdec636c45a198ffe7

SHA256
eaaf142daa58ef873e6fdb0014cfc56b4b7ac822efb77d9d05a32149b44f4618

SHA512
a8101393038fce278ebd91fe428f418b799ee2b54bacedd169027cc95412c924a5ebb7d5c48ec159fad6c3ee4c69f65304e4b4c5ce68bb9b354dc29944c620db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27b46119ff759ab3b11a066f1e00812e

SHA1
449f9adea54d4f2a761893da473cfe6591abdedc

SHA256
f3ae54629f5c4f8a94ecf6f8567076737dc678ab3914d5693f8acd7db18117df

SHA512
042dedb6cecf27767cdc10c5aca49b3f194577c8b1412a5d483978ef4b1c9aab63c5e5bbcbf5def70ad0ddd33c5a45d99a7ba8457bed771aa421f63da6950647

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6521daddf80215124285686750e6c2c

SHA1
35f39468f4c38d30522732eb7209d79e77bc7437

SHA256
d8f8819c0b39afa74054f12522acb40e37985cd7dfe57cd6b85b77cb1ebd5ded

SHA512
de533c8a4d89bf60e81db9693dbb9dcf9589953653d22556bda14476df28d2303a7afd90282c0ea3a4f0ffc54140100597f2c8b312bfb58c7da182aa7b1b165c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ca910fc37e24289ee7fb8bbb806c9fe

SHA1
058fbcc719ae1ad6953ca1defcdd2eea0391798a

SHA256
9f396bdf76adb43dbafd923c17435b9ee2af16c881411e2773bcaba93caa80f8

SHA512
5ce70735e81521fc8ef444845a94d78e4e67ace5f74ec1f5708827e0e2a49e8201605dcca84b444100d692523e3cfc53490b937333fe20fb77d08e6217c2ea34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
647af2a389811d6ad85d1ef8921db6f6

SHA1
1a4d1da023466cff869c79a0bedaacd72d9ad658

SHA256
231e644330d6ab9b9244e3f71602a1f5d2bc80b971137a6a0322e0ba7941fd07

SHA512
2d9a5629b8ec348dc40b3525de8fe8bce23d3809008898cda459070a4e6cb96b3495cdd61b824e12aedde1e46edbd88ece012a85d457389c088ca8d3fc296061

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc882a410a6476634f5ec85e50a37213

SHA1
ffaa3e33a3a107b93929d5d1b489ed1e56e735ac

SHA256
3ac1f3018ece2b73a1f6fadb01e7e942c36432997280bfd2820bbcde66196099

SHA512
25b7fe01e4a98a9bd327c9c660f8f0d51f33e83bf0e26b675cfece5e77d2df876bf5d1d1f46112f6a5da5a5a0bb074f4ea05dbf0caf3d988d194e53708c83c8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1671231836ced6f1af0b65ae17d24092

SHA1
9012ae55bba8054c904e62e2465109e5ef5b1d48

SHA256
7c07f9c64a9d8e97a565a019343e951d2e71d861ef29ded219ceba76f6e7898d

SHA512
515645746a1433bc1116d014f4dbcfd962d3acfee2ae689c1c05512198bf87d9e75c92812193485e7ce9f45eff656f8b6e8f2cb0ea5c936006731a2565199f5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b487ccab02e37c86474f5387e173b255

SHA1
b369d9f7f3a73117c1dccc79f0628e9fe6005586

SHA256
e864b69b84a237795d2a940174dbdb203cb0de31c5618b2acb402ae54a139fb4

SHA512
f1675138211342d25960d3e3e88fa9274b598680470d8d1570d74b46d2d3ce4a945f5d0651401b408d0b9ee6afa747ea3d14901ed2a149ffbb30aa8d24f0d393

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
397d120280c97db25d3e3a79015a1e86

SHA1
3ba68119bf84cff8272feb4e4ad6cc2692dd5cf4

SHA256
02655cc4a2d854f276653f7c028bb653cde222d297a266755d9474b93d16e0fe

SHA512
b88358552f480838b78f4a560177d5301c91b7c7590dc7b3abce7633c9732df0a0c16d9ef6b0cf54c8f34113ec09e599e276ebc76459a8fe4bfddce95e17f053

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a4509016a7a32e7639c588e4dbe9fa7

SHA1
b032bd80d0ae85fa951650cb495d513cd0dfb9fd

SHA256
601c2d62f06f7757b658958335d849b03faac2073e5a2256a244907a97af6895

SHA512
70a6cd209ded39486b95521ce28d7b1d04bf652a282a4ddda1341793855595c57ab7e625afc6c788340b108089482bc8f25519087685f2042a832d8ed2dcdf3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e4e1b50b782b5389f4037b449e4a6be

SHA1
09e2532f75d1bdd9c980eaadd4aaaae8df62e105

SHA256
972264b760903542f836a1136a700d3b4ff88f5833cccd4c6f2d7bccf20367a5

SHA512
b865b0c8b68aad13d70c36b7f683fb59fa5d1e82637333eec55a8903e10322573141cb3e926e6b2b85c8c6ab3fc7c85e57716f22010707c3046dc7f62f5cd104

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDDF3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDE06.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1696-5-0x0000000000400000-0x0000000000640000-memory.dmp

Filesize
2.2MB

Download
memory/1696-7-0x0000000000400000-0x0000000000640000-memory.dmp

Filesize
2.2MB

Download
memory/1696-1-0x0000000000400000-0x0000000000640000-memory.dmp

Filesize
2.2MB

Download
memory/1696-2-0x00000000005D1000-0x000000000063D000-memory.dmp

Filesize
432KB

Download
memory/1696-0-0x0000000000400000-0x0000000000640000-memory.dmp

Filesize
2.2MB

Download
memory/2352-4-0x00000000001F0000-0x0000000000430000-memory.dmp

Filesize
2.2MB

Download