modiloader | bae9f29fa9cb9a846f797126bb5cf173a73ee96f4631f0e205e061916991c6f4

Analysis

max time kernel
142s
max time network
117s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
18-09-2024 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8cd6c414b6ba8f89db38602ff479b4f_JaffaCakes118.exe
Size

519KB
MD5

e8cd6c414b6ba8f89db38602ff479b4f
SHA1

b4c737ece34270af502e9de1a18a3b28d71897be
SHA256

bae9f29fa9cb9a846f797126bb5cf173a73ee96f4631f0e205e061916991c6f4
SHA512

37b3afe6241a242200f0397d2036c5b7cb8d336632818484325ffc1333c3e3220f3e5c9a77d62325aae3975a2c02914ccb586faaf0c9045c6b5535d8bce061b6
SSDEEP

12288:IJUcMIIwQ2KRDkK98W9EuBje9rjwHkGUALB5TqK86zt9NH:IuuIwQ54K9wuZemH1ZTLZxL

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/2852-52-0x00000000003D0000-0x00000000003F3000-memory.dmp	modiloader_stage2
behavioral1/memory/2852-54-0x00000000003D0000-0x00000000003F3000-memory.dmp	modiloader_stage2

Executes dropped EXE 5 IoCs

pid	Process
2404	QQmuma.exe
2796	1.exe
2852	QQss.exe
2752	Server_Setup.exe
2820	360safe.com.cn.exe

Loads dropped DLL 14 IoCs

pid	Process
2536	e8cd6c414b6ba8f89db38602ff479b4f_JaffaCakes118.exe
2536	e8cd6c414b6ba8f89db38602ff479b4f_JaffaCakes118.exe
2404	QQmuma.exe
2536	e8cd6c414b6ba8f89db38602ff479b4f_JaffaCakes118.exe
2536	e8cd6c414b6ba8f89db38602ff479b4f_JaffaCakes118.exe
2796	1.exe
1888	cmd.exe
1888	cmd.exe
2852	QQss.exe
2736	cmd.exe
2752	Server_Setup.exe
2752	Server_Setup.exe
2752	Server_Setup.exe
2852	QQss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e8cd6c414b6ba8f89db38602ff479b4f_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\atmQQ2.dll	QQss.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\360safe.com.cn.exe	Server_Setup.exe
File opened for modification	C:\Windows\360safe.com.cn.exe	Server_Setup.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	360safe.com.cn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8cd6c414b6ba8f89db38602ff479b4f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQmuma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server_Setup.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2852	QQss.exe
2852	QQss.exe
2852	QQss.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2852	QQss.exe
Token: SeDebugPrivilege	2752	Server_Setup.exe
Token: SeDebugPrivilege	2820	360safe.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2820	360safe.com.cn.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2852	QQss.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2404	2536	e8cd6c414b6ba8f89db38602ff479b4f_JaffaCakes118.exe	31
PID 2536 wrote to memory of 2404	2536	e8cd6c414b6ba8f89db38602ff479b4f_JaffaCakes118.exe	31
PID 2536 wrote to memory of 2404	2536	e8cd6c414b6ba8f89db38602ff479b4f_JaffaCakes118.exe	31
PID 2536 wrote to memory of 2404	2536	e8cd6c414b6ba8f89db38602ff479b4f_JaffaCakes118.exe	31
PID 2536 wrote to memory of 2404	2536	e8cd6c414b6ba8f89db38602ff479b4f_JaffaCakes118.exe	31
PID 2536 wrote to memory of 2404	2536	e8cd6c414b6ba8f89db38602ff479b4f_JaffaCakes118.exe	31
PID 2536 wrote to memory of 2404	2536	e8cd6c414b6ba8f89db38602ff479b4f_JaffaCakes118.exe	31
PID 2404 wrote to memory of 1888	2404	QQmuma.exe	32
PID 2404 wrote to memory of 1888	2404	QQmuma.exe	32
PID 2404 wrote to memory of 1888	2404	QQmuma.exe	32
PID 2404 wrote to memory of 1888	2404	QQmuma.exe	32
PID 2404 wrote to memory of 1888	2404	QQmuma.exe	32
PID 2404 wrote to memory of 1888	2404	QQmuma.exe	32
PID 2404 wrote to memory of 1888	2404	QQmuma.exe	32
PID 2536 wrote to memory of 2796	2536	e8cd6c414b6ba8f89db38602ff479b4f_JaffaCakes118.exe	34
PID 2536 wrote to memory of 2796	2536	e8cd6c414b6ba8f89db38602ff479b4f_JaffaCakes118.exe	34
PID 2536 wrote to memory of 2796	2536	e8cd6c414b6ba8f89db38602ff479b4f_JaffaCakes118.exe	34
PID 2536 wrote to memory of 2796	2536	e8cd6c414b6ba8f89db38602ff479b4f_JaffaCakes118.exe	34
PID 2536 wrote to memory of 2796	2536	e8cd6c414b6ba8f89db38602ff479b4f_JaffaCakes118.exe	34
PID 2536 wrote to memory of 2796	2536	e8cd6c414b6ba8f89db38602ff479b4f_JaffaCakes118.exe	34
PID 2536 wrote to memory of 2796	2536	e8cd6c414b6ba8f89db38602ff479b4f_JaffaCakes118.exe	34
PID 2796 wrote to memory of 2736	2796	1.exe	35
PID 2796 wrote to memory of 2736	2796	1.exe	35
PID 2796 wrote to memory of 2736	2796	1.exe	35
PID 2796 wrote to memory of 2736	2796	1.exe	35
PID 2796 wrote to memory of 2736	2796	1.exe	35
PID 2796 wrote to memory of 2736	2796	1.exe	35
PID 2796 wrote to memory of 2736	2796	1.exe	35
PID 1888 wrote to memory of 2852	1888	cmd.exe	37
PID 1888 wrote to memory of 2852	1888	cmd.exe	37
PID 1888 wrote to memory of 2852	1888	cmd.exe	37
PID 1888 wrote to memory of 2852	1888	cmd.exe	37
PID 1888 wrote to memory of 2852	1888	cmd.exe	37
PID 1888 wrote to memory of 2852	1888	cmd.exe	37
PID 1888 wrote to memory of 2852	1888	cmd.exe	37
PID 2736 wrote to memory of 2752	2736	cmd.exe	38
PID 2736 wrote to memory of 2752	2736	cmd.exe	38
PID 2736 wrote to memory of 2752	2736	cmd.exe	38
PID 2736 wrote to memory of 2752	2736	cmd.exe	38
PID 2736 wrote to memory of 2752	2736	cmd.exe	38
PID 2736 wrote to memory of 2752	2736	cmd.exe	38
PID 2736 wrote to memory of 2752	2736	cmd.exe	38
PID 2820 wrote to memory of 2336	2820	360safe.com.cn.exe	40
PID 2820 wrote to memory of 2336	2820	360safe.com.cn.exe	40
PID 2820 wrote to memory of 2336	2820	360safe.com.cn.exe	40
PID 2820 wrote to memory of 2336	2820	360safe.com.cn.exe	40

C:\Users\Admin\AppData\Local\Temp\e8cd6c414b6ba8f89db38602ff479b4f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e8cd6c414b6ba8f89db38602ff479b4f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QQmuma.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QQmuma.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\\QQss.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\QQss.exe
      C:\Users\Admin\AppData\Local\Temp\\QQss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2852
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\\Server_Setup.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\Server_Setup.exe
      C:\Users\Admin\AppData\Local\Temp\\Server_Setup.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2752

C:\Windows\360safe.com.cn.exe
C:\Windows\360safe.com.cn.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Server_Setup.exe

Filesize
743KB

MD5
1c40bb04bb3f4db9ef172eb74ea9bf04

SHA1
06a1d20fc462e4ee4107f3c0b13f7b296b444da5

SHA256
812ab61035b6c03330b0e18fa476b97770b1545d36a0d1758c05ace5c6cdd35b

SHA512
16b991385fc412e073be2f6983c8f813f1a1aa5129ebb73fbd7dc8672627ba2cd7f9e72daec67cb7a1db43213f2a7c68fbedfa6cb310457b759079aca4a38693

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\atmQQ2.dll

Filesize
20KB

MD5
792156e581fd554b3de137e1b56ad093

SHA1
48945b15ff0807c7827df244fa74444a961c9e99

SHA256
c1cf742cc4759151ec3fee59a4b6941a4850532c568c7159f303e0cc221d0690

SHA512
988cbd9f55a29fce94e486057571959cb921a2c21cc556ca2d2e6a7787d287441f2e6c4023068c8d3c0afa734fc904123161f77a6a2189b03eef19372b379eda

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
876KB

MD5
81a2c3a358b5e1b8f14c51051040da07

SHA1
8aa4db0acf131baa0c6f02a85cb96bdcc352341e

SHA256
17d02b70e7c371ea26a98e20d486de9ab9fec5eecf90b504617b626aba0c0606

SHA512
e8295747b4357d926ebbd5ce3df1f23921f8932a3402903e3e5f57ef038235a523a592142e292b0904ed811784a56b662f81e22773375bb7e9d98e7b7cdb4c1d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\QQmuma.exe

Filesize
150KB

MD5
306b69910e8f204016e6392642771d06

SHA1
26600f4c252317205426e5eb8fa1f91203cd0678

SHA256
97c1f1aa43f8082f0ca2c10875d968c23ee25072b9b50d1076a4c568de480dc0

SHA512
2ae388d7c5f3932051629f87e8dc3582ae0cbe611f1544af155cfef334eef22f47fd89fb24228157d10a9c519ce1ea26d44a67aa9af851e577906a790d4148b4

Download Submit
\Users\Admin\AppData\Local\Temp\QQss.exe

Filesize
37KB

MD5
565b1eb66d960089e68ace0e3be3b9cc

SHA1
145f6fc174a5316e838ec458ab17ee1e0c12cffc

SHA256
3e3a488846068432f1697c9d8f1fed1762350c56572208448bfed16511c8e93d

SHA512
f6d0d5355685690f5f583730d85ea3da8b989dc3fff5858d7cae70cb4edbbb40b4b7294eacf607bbdeb1567600c4fabd912fc4adb011b150b0883494d811de94

Download Submit
memory/1888-32-0x0000000000280000-0x00000000002A9000-memory.dmp

Filesize
164KB

Download
memory/1888-31-0x0000000000280000-0x00000000002A9000-memory.dmp

Filesize
164KB

Download
memory/1888-46-0x0000000000280000-0x00000000002A9000-memory.dmp

Filesize
164KB

Download
memory/2404-14-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2752-45-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2796-25-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2820-48-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2852-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2852-34-0x00000000003B0000-0x00000000003D9000-memory.dmp

Filesize
164KB

Download
memory/2852-52-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2852-54-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download