modiloader | 13bb8aa3ae4746aa10a58373be05d9fdbdf0fce8130bd3f0174ec80259b082ea

Analysis

max time kernel
134s
max time network
136s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17-09-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6b42f8c8473b3bd402cc577b7e7e45d_JaffaCakes118.exe
Size

1.1MB
MD5

e6b42f8c8473b3bd402cc577b7e7e45d
SHA1

d975f27316f663cd8c6f91c7e63258e757d92c52
SHA256

13bb8aa3ae4746aa10a58373be05d9fdbdf0fce8130bd3f0174ec80259b082ea
SHA512

39fbff56ab65c0b2dd254e58578e0106042dd6c0c33568193d535ea08dee68e3772495f1df5596dd69ebec2c21c01478a1e2ff3aeb6d30ce7b8cec312de54694
SSDEEP

24576:CsnRoeMFwf1IFdDjRf0zRCYG5K0QTKIEryivO6rG5MFlU/Mn68qPLIqv:CiieVf1If0oYG5eKkMO6KOn6829

Score

10^/10

modiloader bootkit defense_evasion discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 3 IoCs

resource	yara_rule
behavioral1/memory/2908-31-0x0000000000400000-0x000000000044D000-memory.dmp	modiloader_stage1
behavioral1/memory/2908-33-0x0000000000400000-0x000000000044D000-memory.dmp	modiloader_stage1
behavioral1/memory/2908-34-0x0000000000400000-0x000000000044D000-memory.dmp	modiloader_stage1

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fretolltrel.url	smss.com

Executes dropped EXE 3 IoCs

pid	Process
2720	smss.com
2824	smss.com
2908	ipconfig.exe

Loads dropped DLL 3 IoCs

pid	Process
2284	cmd.exe
2720	smss.com
2824	smss.com

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
2436	certutil.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ipconfig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2824 set thread context of 2908	2824	smss.com	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6b42f8c8473b3bd402cc577b7e7e45d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2292	PING.EXE
2840	PING.EXE

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2908	ipconfig.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2292	PING.EXE
2840	PING.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2824	smss.com

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2336	2412	e6b42f8c8473b3bd402cc577b7e7e45d_JaffaCakes118.exe	29
PID 2412 wrote to memory of 2336	2412	e6b42f8c8473b3bd402cc577b7e7e45d_JaffaCakes118.exe	29
PID 2412 wrote to memory of 2336	2412	e6b42f8c8473b3bd402cc577b7e7e45d_JaffaCakes118.exe	29
PID 2412 wrote to memory of 2336	2412	e6b42f8c8473b3bd402cc577b7e7e45d_JaffaCakes118.exe	29
PID 2412 wrote to memory of 1204	2412	e6b42f8c8473b3bd402cc577b7e7e45d_JaffaCakes118.exe	31
PID 2412 wrote to memory of 1204	2412	e6b42f8c8473b3bd402cc577b7e7e45d_JaffaCakes118.exe	31
PID 2412 wrote to memory of 1204	2412	e6b42f8c8473b3bd402cc577b7e7e45d_JaffaCakes118.exe	31
PID 2412 wrote to memory of 1204	2412	e6b42f8c8473b3bd402cc577b7e7e45d_JaffaCakes118.exe	31
PID 1204 wrote to memory of 2284	1204	cmd.exe	33
PID 1204 wrote to memory of 2284	1204	cmd.exe	33
PID 1204 wrote to memory of 2284	1204	cmd.exe	33
PID 1204 wrote to memory of 2284	1204	cmd.exe	33
PID 2284 wrote to memory of 2292	2284	cmd.exe	34
PID 2284 wrote to memory of 2292	2284	cmd.exe	34
PID 2284 wrote to memory of 2292	2284	cmd.exe	34
PID 2284 wrote to memory of 2292	2284	cmd.exe	34
PID 2284 wrote to memory of 2436	2284	cmd.exe	35
PID 2284 wrote to memory of 2436	2284	cmd.exe	35
PID 2284 wrote to memory of 2436	2284	cmd.exe	35
PID 2284 wrote to memory of 2436	2284	cmd.exe	35
PID 2284 wrote to memory of 2720	2284	cmd.exe	36
PID 2284 wrote to memory of 2720	2284	cmd.exe	36
PID 2284 wrote to memory of 2720	2284	cmd.exe	36
PID 2284 wrote to memory of 2720	2284	cmd.exe	36
PID 2284 wrote to memory of 2840	2284	cmd.exe	37
PID 2284 wrote to memory of 2840	2284	cmd.exe	37
PID 2284 wrote to memory of 2840	2284	cmd.exe	37
PID 2284 wrote to memory of 2840	2284	cmd.exe	37
PID 2720 wrote to memory of 2824	2720	smss.com	38
PID 2720 wrote to memory of 2824	2720	smss.com	38
PID 2720 wrote to memory of 2824	2720	smss.com	38
PID 2720 wrote to memory of 2824	2720	smss.com	38
PID 2824 wrote to memory of 2908	2824	smss.com	39
PID 2824 wrote to memory of 2908	2824	smss.com	39
PID 2824 wrote to memory of 2908	2824	smss.com	39
PID 2824 wrote to memory of 2908	2824	smss.com	39
PID 2824 wrote to memory of 2908	2824	smss.com	39

C:\Users\Admin\AppData\Local\Temp\e6b42f8c8473b3bd402cc577b7e7e45d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e6b42f8c8473b3bd402cc577b7e7e45d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo iaAl
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2336
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < ebvnEYjDaVALkbGTf.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 GZBXX.QEwi
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2292
  - - C:\Windows\SysWOW64\certutil.exe
      certutil -decode NLuVWRuQeaPcX.com g
      4⤵
      Deobfuscate/Decode Files or Information
      System Location Discovery: System Language Discovery
      PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\smss.com
      smss.com g
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\smss.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\smss.com g
        5⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2824
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:2908
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NLuVWRuQeaPcX.com

Filesize
878KB

MD5
6ced33efc4baabf8a995618b114f24b5

SHA1
6c6f9af5b2e26191125133a6e25c11b7601c5ca0

SHA256
16092fe75b1eab4f9170587c0a9e830180bddcac59b720052c98e3708b533806

SHA512
f78c05378ef716090863a6e5d9b726c9f77a68a381d45a472fc6f17086214e2df9b54467d54cb903446d49a158dd3e2933958dc885738626d88bd52ba14ce166

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\WqYH.com

Filesize
921KB

MD5
392e5cc019e763f0019337277db81081

SHA1
9402765f17c7e2b0cf15520ffef56476a855ab2c

SHA256
852ed04ac131800dae464471a51a7d54063dad88ce1ebab7ce22fcab66900d01

SHA512
4e0de123e4ff6f40bacded145bc0505a73a2cf39ff01878b8703b1dd6fc0059d4ce1e39c0d6043b389b7ecee0126e326c6e258b0bf472bf297179b3b945db553

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\aUatvPApYluneSyCHK.com

Filesize
276KB

MD5
858ae006dae04cb1acc3f2d8117cbb0b

SHA1
a153ec4683cebda309d21379228336ecfe6f906b

SHA256
af6da91b7bed9a550b111a063bcaa83f3453ff2b4d8843331916a7f7ce6c533d

SHA512
d8463643deb772b3bb8200ebeea4274fde744838e31febb546268f14234666731415463c2544dff5fa5fa7abdbcc4e874a40476d94bf3454832163483217c130

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ebvnEYjDaVALkbGTf.com

Filesize
2KB

MD5
20699b8aad9439beb4ff190377ae344a

SHA1
cf0f8768c7f60e868343b686fbeae568bb7ea1ef

SHA256
0e555d609b4e5258451962ead01c34394519af11d7fff32259c50b131e1aba2a

SHA512
97176d4e402d7bc28f00d806b6bc7fda953886a7e41cdd2140d58f0b6cb210317a8fb6e8e4c5dd82b565ffea1b2340f8f16bb225bc2b53d8e0f720e8991eed73

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\g

Filesize
638KB

MD5
443b5f85c6e5f01b297075e5920891da

SHA1
409087316a0e53fc60208cd076e245c424a7d0dc

SHA256
ffb5578c22271ddcab4a957f3bb2a11f917b606508bafff1fcab091ac9b3fa33

SHA512
79e72effa9200d41859d7082867b4f35f4568d5ef4c974f494400c05d52d33fff35abea9169b41aed682f911ae0ae6b057e14fab61f3a27eecf5da76cf94aa0a

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe

Filesize
26KB

MD5
cabb20e171770ff64614a54c1f31c033

SHA1
ea18043fedaf888f04c07f71f2006f3f479c0b41

SHA256
c0e3087d87c84776fe7ffca768a0793c02d28e34a821f0c9da32339af8e7e6a6

SHA512
a6a6beff693f2e2c71c0d8e12f6964e789aa4b370c1e0191b2b0ff038801fdb0038a54c0a8f2dbc0d399d2c016f89701c6b6275b3a2b6fa74fb2a5ea817c2d3b

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\smss.com

Filesize
921KB

MD5
7098bdf41092092927874259196e5d80

SHA1
7ed19875c88e93fe3c0cc38b8bff56c61d0a8307

SHA256
140864a83fd7c075010791ea30de0acf1ec4725febb1c30dec785b7a893d8558

SHA512
dcb5a1e7fa194546cdf0186d949eb16a638d9f0cdef9f0f149b13e27d046d36d196e4ea7c6ae7d733eaaca31ce1ebd3b11b614ce2607729b9e97feb18e282b03

Download Submit
memory/2908-31-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2908-33-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2908-34-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads