modiloader | d3954aa089e2f6208ee2cf610d9639ef1fb918b9b01ff866e8a9a8ca3a95c6c9

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-09-2024 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e728db244cee6dc853fea92eff438faa_JaffaCakes118.exe
Size

53KB
MD5

e728db244cee6dc853fea92eff438faa
SHA1

77f46692e6b16e6530dc7d49963ddf72bb7fdfc6
SHA256

d3954aa089e2f6208ee2cf610d9639ef1fb918b9b01ff866e8a9a8ca3a95c6c9
SHA512

180027b0a6cf1acf887bf97f7f6ce33f7d5e597c7019ff6661c073ad2d4a32a2667bf732fd931e26feb35542217d7905cc875746eee8394ecc1937af67c52cc6
SSDEEP

1536:MRgtnqqUfLqqqqqDTSqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqg:/vSmI0x/tP0EEferY

Score

10^/10

modiloader discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/2560-40-0x0000000000400000-0x0000000000413000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-42-0x0000000000400000-0x0000000000413000-memory.dmp	modiloader_stage2
behavioral1/memory/2560-41-0x0000000000400000-0x0000000000413000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
1032	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2872	msnmsgre48.exe
2560	AppLaunch.exe
2436	Project.exe

Loads dropped DLL 5 IoCs

pid	Process
2704	e728db244cee6dc853fea92eff438faa_JaffaCakes118.exe
2704	e728db244cee6dc853fea92eff438faa_JaffaCakes118.exe
2872	msnmsgre48.exe
2872	msnmsgre48.exe
2872	msnmsgre48.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2560-35-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2560-32-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2560-28-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2560-36-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2560-26-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2560-39-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2560-40-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2560-42-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2560-41-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msnmsgre = "\"C:\\ProgramData\\msnmsgre48.exe\""	Project.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2872 set thread context of 2560	2872	msnmsgre48.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e728db244cee6dc853fea92eff438faa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgre48.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Project.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1032	cmd.exe
3060	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3060	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2872	msnmsgre48.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	e728db244cee6dc853fea92eff438faa_JaffaCakes118.exe
Token: SeDebugPrivilege	2872	msnmsgre48.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2872	2704	e728db244cee6dc853fea92eff438faa_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2872	2704	e728db244cee6dc853fea92eff438faa_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2872	2704	e728db244cee6dc853fea92eff438faa_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2872	2704	e728db244cee6dc853fea92eff438faa_JaffaCakes118.exe	31
PID 2704 wrote to memory of 1032	2704	e728db244cee6dc853fea92eff438faa_JaffaCakes118.exe	32
PID 2704 wrote to memory of 1032	2704	e728db244cee6dc853fea92eff438faa_JaffaCakes118.exe	32
PID 2704 wrote to memory of 1032	2704	e728db244cee6dc853fea92eff438faa_JaffaCakes118.exe	32
PID 2704 wrote to memory of 1032	2704	e728db244cee6dc853fea92eff438faa_JaffaCakes118.exe	32
PID 1032 wrote to memory of 3060	1032	cmd.exe	34
PID 1032 wrote to memory of 3060	1032	cmd.exe	34
PID 1032 wrote to memory of 3060	1032	cmd.exe	34
PID 1032 wrote to memory of 3060	1032	cmd.exe	34
PID 2872 wrote to memory of 2560	2872	msnmsgre48.exe	35
PID 2872 wrote to memory of 2560	2872	msnmsgre48.exe	35
PID 2872 wrote to memory of 2560	2872	msnmsgre48.exe	35
PID 2872 wrote to memory of 2560	2872	msnmsgre48.exe	35
PID 2872 wrote to memory of 2560	2872	msnmsgre48.exe	35
PID 2872 wrote to memory of 2560	2872	msnmsgre48.exe	35
PID 2872 wrote to memory of 2560	2872	msnmsgre48.exe	35
PID 2872 wrote to memory of 2560	2872	msnmsgre48.exe	35
PID 2872 wrote to memory of 2560	2872	msnmsgre48.exe	35
PID 2872 wrote to memory of 2560	2872	msnmsgre48.exe	35
PID 2872 wrote to memory of 2560	2872	msnmsgre48.exe	35
PID 2872 wrote to memory of 2436	2872	msnmsgre48.exe	36
PID 2872 wrote to memory of 2436	2872	msnmsgre48.exe	36
PID 2872 wrote to memory of 2436	2872	msnmsgre48.exe	36
PID 2872 wrote to memory of 2436	2872	msnmsgre48.exe	36

C:\Users\Admin\AppData\Local\Temp\e728db244cee6dc853fea92eff438faa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e728db244cee6dc853fea92eff438faa_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704
- C:\ProgramData\msnmsgre48.exe
  "C:\ProgramData\msnmsgre48.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\AppLaunch\AppLaunch.exe
    C:\Users\Admin\AppData\Local\Temp\\AppLaunch\AppLaunch.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2560
- - C:\Users\Admin\AppData\Local\Temp\Project.exe
    "C:\Users\Admin\AppData\Local\Temp\Project.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2436
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /k ping 0 & del "C:\Users\Admin\AppData\Local\Temp\e728db244cee6dc853fea92eff438faa_JaffaCakes118.exe" & exit
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\SysWOW64\PING.EXE
    ping 0
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\msnmsgre48.exe

Filesize
53KB

MD5
e728db244cee6dc853fea92eff438faa

SHA1
77f46692e6b16e6530dc7d49963ddf72bb7fdfc6

SHA256
d3954aa089e2f6208ee2cf610d9639ef1fb918b9b01ff866e8a9a8ca3a95c6c9

SHA512
180027b0a6cf1acf887bf97f7f6ce33f7d5e597c7019ff6661c073ad2d4a32a2667bf732fd931e26feb35542217d7905cc875746eee8394ecc1937af67c52cc6

Download Submit
\Users\Admin\AppData\Local\Temp\AppLaunch\AppLaunch.exe

Filesize
75KB

MD5
3d7d2e825c63ff501e896cf008c70d75

SHA1
24e1e56df2c1e85b224b4360235513e79f03d3fc

SHA256
037fc52b8fc6089338eb456f2b45638ed36c42a4dca7ace391d166b2329838a1

SHA512
57d06b2226221162e0b54eeea3de13af6386bd632d16f6ec0666da81e8e177157a778caf0e3df0fe6368ea0b0fd93dae92cbe3cbb8c484f9e1107ba371301f21

Download Submit
\Users\Admin\AppData\Local\Temp\Project.exe

Filesize
5KB

MD5
fd722bc246574f12bc298d7420dd27fe

SHA1
8f13477d04e74a0682755879c9670eb9390e187a

SHA256
97acc2bebfcbbec3b787d148c80701e674b1b6bf4c9e993b30e344e27692d341

SHA512
ae980ebfb02ff727236ee63a2cdfeeb0b33c1f59c142058edeb9030fb4f4f43f7f82cc965ebf77ee9ac71eb247dd24d9ff8ed02c37ae8792a70ad1a48c1bf41f

Download Submit
memory/2560-26-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2560-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2560-41-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2560-42-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2560-40-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2560-39-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2560-36-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2560-24-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2560-35-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2560-32-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2560-28-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2704-2-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-0-0x0000000074491000-0x0000000074492000-memory.dmp

Filesize
4KB

Download
memory/2704-4-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-17-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-1-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/2872-15-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/2872-16-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/2872-14-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/2872-55-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download