modiloader | d1d726813376e69f2b92b2492e14ee1361381e41743da9c6f311b374385217ca

Analysis

max time kernel
93s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebcaa9341c0ef64dd93640c3a6babdd7_JaffaCakes118.exe
Size

549KB
MD5

ebcaa9341c0ef64dd93640c3a6babdd7
SHA1

444bd60b88bd077f6a1f01d9537211632be08eb9
SHA256

d1d726813376e69f2b92b2492e14ee1361381e41743da9c6f311b374385217ca
SHA512

e2ab840cb6a8bbb0245a3e3eeeaa6d968e4a7ab5e06e3a7b07fadd6af13ffcba18ac6cfb5067f970fa00818a7911ed0dfdb69502bc1499d43770b21aa315c4ad
SSDEEP

6144:4JelXOlOHOsJb5o+/aiG5eHKudohzF2idZecnl20lHRxp3ggEHtmm48D0v64hhsl:zcsPaBeKugxF3Z4mxxKMm4O19UzqIg

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral2/memory/452-45-0x0000000000400000-0x00000000004E0000-memory.dmp	modiloader_stage2
behavioral2/memory/2568-52-0x0000000000400000-0x00000000004E0000-memory.dmp	modiloader_stage2
behavioral2/memory/452-53-0x0000000000400000-0x00000000004E0000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2568	wmplayer.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wmplayer.exe	ebcaa9341c0ef64dd93640c3a6babdd7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wmplayer.exe	ebcaa9341c0ef64dd93640c3a6babdd7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wmplayer.exe	wmplayer.exe
File created	C:\Windows\SysWOW64\Deleteme.bat	ebcaa9341c0ef64dd93640c3a6babdd7_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebcaa9341c0ef64dd93640c3a6babdd7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 2568	452	ebcaa9341c0ef64dd93640c3a6babdd7_JaffaCakes118.exe	82
PID 452 wrote to memory of 2568	452	ebcaa9341c0ef64dd93640c3a6babdd7_JaffaCakes118.exe	82
PID 452 wrote to memory of 2568	452	ebcaa9341c0ef64dd93640c3a6babdd7_JaffaCakes118.exe	82
PID 452 wrote to memory of 408	452	ebcaa9341c0ef64dd93640c3a6babdd7_JaffaCakes118.exe	83
PID 452 wrote to memory of 408	452	ebcaa9341c0ef64dd93640c3a6babdd7_JaffaCakes118.exe	83
PID 452 wrote to memory of 408	452	ebcaa9341c0ef64dd93640c3a6babdd7_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\ebcaa9341c0ef64dd93640c3a6babdd7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ebcaa9341c0ef64dd93640c3a6babdd7_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\SysWOW64\wmplayer.exe
  C:\Windows\system32\wmplayer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Deleteme.bat

Filesize
212B

MD5
cfba06795ffdb72a7e43623f05a13c1b

SHA1
807df44eb130e6bea342039f937847f477da1e56

SHA256
e75ac24a96d65d94bf825197c66d51ed5aa324333ef4d57f8470b5ac37a86115

SHA512
2b2052bda6b375735fc0984c2f5be1052f8052fdec58d2e3742df0a9a3409241acb1e99c3372ee3125d692bb6c11d2997fb808d7acc805c7382d4062c3a642f7

Download Submit
C:\Windows\SysWOW64\wmplayer.exe

Filesize
549KB

MD5
ebcaa9341c0ef64dd93640c3a6babdd7

SHA1
444bd60b88bd077f6a1f01d9537211632be08eb9

SHA256
d1d726813376e69f2b92b2492e14ee1361381e41743da9c6f311b374385217ca

SHA512
e2ab840cb6a8bbb0245a3e3eeeaa6d968e4a7ab5e06e3a7b07fadd6af13ffcba18ac6cfb5067f970fa00818a7911ed0dfdb69502bc1499d43770b21aa315c4ad

Download Submit
memory/452-21-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/452-45-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/452-2-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/452-40-0x0000000003440000-0x0000000003443000-memory.dmp

Filesize
12KB

Download
memory/452-39-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/452-38-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/452-37-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/452-36-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/452-35-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/452-34-0x0000000003450000-0x0000000003453000-memory.dmp

Filesize
12KB

Download
memory/452-33-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/452-32-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/452-31-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/452-30-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/452-29-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/452-28-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/452-27-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/452-26-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/452-25-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/452-24-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/452-23-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/452-22-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/452-54-0x00000000022F0000-0x0000000002344000-memory.dmp

Filesize
336KB

Download
memory/452-41-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/452-16-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/452-18-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/452-17-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/452-19-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/452-15-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/452-14-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/452-13-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/452-12-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/452-11-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/452-10-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/452-9-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/452-8-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/452-7-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/452-6-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/452-5-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/452-4-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/452-3-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/452-20-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/452-42-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/452-1-0x00000000022F0000-0x0000000002344000-memory.dmp

Filesize
336KB

Download
memory/452-53-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/452-0-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2568-52-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download