modiloader | c18f54bdea2fb66a02a2f871de2b02c1f4ff8bc40789eb17a7050a6926e26230

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb7856b7aef5910a570127af7a95a2ff_JaffaCakes118.exe
Size

836KB
MD5

eb7856b7aef5910a570127af7a95a2ff
SHA1

3331364b06ad31c6953009dd838f8a1c3c98d6ec
SHA256

c18f54bdea2fb66a02a2f871de2b02c1f4ff8bc40789eb17a7050a6926e26230
SHA512

3f3a5e81bf6dcd0c0bc9355c67c339e2faead9de638dc89a11a544fe6984a75d10e94de2691b86f669c370a154be447fc77d528bd8bcc5f3a9a408317483bf19
SSDEEP

24576:JPipyklwCMvru5KKTOFWQbwRseoT0u28mczO7+:JPi+VWQb28T0dczA+

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012102-3.dat	modiloader_stage2
behavioral1/memory/2188-12-0x0000000000400000-0x00000000004D9000-memory.dmp	modiloader_stage2
behavioral1/memory/2156-20-0x0000000000400000-0x00000000004D9000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
1712	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2188	qq.exe

Loads dropped DLL 2 IoCs

pid	Process
2156	eb7856b7aef5910a570127af7a95a2ff_JaffaCakes118.exe
2156	eb7856b7aef5910a570127af7a95a2ff_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Delet.bat	eb7856b7aef5910a570127af7a95a2ff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\qq.exe	eb7856b7aef5910a570127af7a95a2ff_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\qq.exe	eb7856b7aef5910a570127af7a95a2ff_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\qq.exe	qq.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb7856b7aef5910a570127af7a95a2ff_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2188	2156	eb7856b7aef5910a570127af7a95a2ff_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2188	2156	eb7856b7aef5910a570127af7a95a2ff_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2188	2156	eb7856b7aef5910a570127af7a95a2ff_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2188	2156	eb7856b7aef5910a570127af7a95a2ff_JaffaCakes118.exe	30
PID 2156 wrote to memory of 1712	2156	eb7856b7aef5910a570127af7a95a2ff_JaffaCakes118.exe	31
PID 2156 wrote to memory of 1712	2156	eb7856b7aef5910a570127af7a95a2ff_JaffaCakes118.exe	31
PID 2156 wrote to memory of 1712	2156	eb7856b7aef5910a570127af7a95a2ff_JaffaCakes118.exe	31
PID 2156 wrote to memory of 1712	2156	eb7856b7aef5910a570127af7a95a2ff_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\eb7856b7aef5910a570127af7a95a2ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb7856b7aef5910a570127af7a95a2ff_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\qq.exe
  C:\Windows\system32\qq.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Delet.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Delet.bat

Filesize
212B

MD5
d6dd8cd5b21d03e07e163011bc2ecdc1

SHA1
421e1adef22e1ac5e3c4baa4a921f7b4731e11d8

SHA256
47c1602ab1051075f6aa7b8465e1ae986428a92d2a8784be022bf4048f0f7a6d

SHA512
87916256a9c1eb104330d1b1b9b142f85f9f3fe1855353002c9de0cecb79d76095e600f89421d4229ada91081bb59a94b4743617086595417ebad9a87583806a

Download Submit
\Windows\SysWOW64\qq.exe

Filesize
836KB

MD5
eb7856b7aef5910a570127af7a95a2ff

SHA1
3331364b06ad31c6953009dd838f8a1c3c98d6ec

SHA256
c18f54bdea2fb66a02a2f871de2b02c1f4ff8bc40789eb17a7050a6926e26230

SHA512
3f3a5e81bf6dcd0c0bc9355c67c339e2faead9de638dc89a11a544fe6984a75d10e94de2691b86f669c370a154be447fc77d528bd8bcc5f3a9a408317483bf19

Download Submit
memory/2156-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2156-20-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2188-10-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2188-12-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download