modiloader | b05e70f56f91954cf0a9cfc72ec5a3a4cf5c6b4ec9703d5b87119121e0cc4356

Analysis

max time kernel
143s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebceb7f190b577c1f70dd6bc1b8733a8_JaffaCakes118.exe
Size

1.7MB
MD5

ebceb7f190b577c1f70dd6bc1b8733a8
SHA1

3f8707b124e18d2d37f2a880e9fe4fa900e4c215
SHA256

b05e70f56f91954cf0a9cfc72ec5a3a4cf5c6b4ec9703d5b87119121e0cc4356
SHA512

e9386a91c23dc3e878602a0a09935569f7391d901508847300595bdf059191440d1fc893beddb1b5db22f59012889af8fb1e8379d2a8cb194c6571d6e7aa739e
SSDEEP

49152:OHvteiw6NuUmeT0EUzgf4TmT9DTe2HVdpnu:YeUuUmeTfGgfBTFX1Xu

Score

10^/10

modiloader discovery themida trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 7 IoCs

resource	yara_rule
behavioral1/memory/2224-28-0x0000000000400000-0x0000000000523000-memory.dmp	modiloader_stage2
behavioral1/memory/2224-42-0x0000000000400000-0x0000000000523000-memory.dmp	modiloader_stage2
behavioral1/memory/2224-61-0x00000000041A0000-0x00000000042C3000-memory.dmp	modiloader_stage2
behavioral1/memory/2704-65-0x0000000000400000-0x0000000000523000-memory.dmp	modiloader_stage2
behavioral1/memory/2224-67-0x0000000000400000-0x0000000000523000-memory.dmp	modiloader_stage2
behavioral1/memory/2704-73-0x0000000000400000-0x0000000000523000-memory.dmp	modiloader_stage2
behavioral1/memory/2224-87-0x0000000000400000-0x0000000000523000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

pid	Process
2224	yes.exe
2668	×îÐÂ¼ÛÖµ800ÔªµÄvipÍøÂí.exe
2704	fucke.exe

Loads dropped DLL 6 IoCs

pid	Process
2180	ebceb7f190b577c1f70dd6bc1b8733a8_JaffaCakes118.exe
2180	ebceb7f190b577c1f70dd6bc1b8733a8_JaffaCakes118.exe
2180	ebceb7f190b577c1f70dd6bc1b8733a8_JaffaCakes118.exe
2180	ebceb7f190b577c1f70dd6bc1b8733a8_JaffaCakes118.exe
2224	yes.exe
2224	yes.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0007000000018b4d-34.dat	themida
behavioral1/memory/2668-52-0x0000000000400000-0x0000000000BD3994-memory.dmp	themida

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\fucke.exe	yes.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\fucke.exe	yes.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat	yes.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2580	2704	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	×îÐÂ¼ÛÖµ800ÔªµÄvipÍøÂí.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fucke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebceb7f190b577c1f70dd6bc1b8733a8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yes.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2668	×îÐÂ¼ÛÖµ800ÔªµÄvipÍøÂí.exe
2668	×îÐÂ¼ÛÖµ800ÔªµÄvipÍøÂí.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2224	2180	ebceb7f190b577c1f70dd6bc1b8733a8_JaffaCakes118.exe	29
PID 2180 wrote to memory of 2224	2180	ebceb7f190b577c1f70dd6bc1b8733a8_JaffaCakes118.exe	29
PID 2180 wrote to memory of 2224	2180	ebceb7f190b577c1f70dd6bc1b8733a8_JaffaCakes118.exe	29
PID 2180 wrote to memory of 2224	2180	ebceb7f190b577c1f70dd6bc1b8733a8_JaffaCakes118.exe	29
PID 2180 wrote to memory of 2668	2180	ebceb7f190b577c1f70dd6bc1b8733a8_JaffaCakes118.exe	30
PID 2180 wrote to memory of 2668	2180	ebceb7f190b577c1f70dd6bc1b8733a8_JaffaCakes118.exe	30
PID 2180 wrote to memory of 2668	2180	ebceb7f190b577c1f70dd6bc1b8733a8_JaffaCakes118.exe	30
PID 2180 wrote to memory of 2668	2180	ebceb7f190b577c1f70dd6bc1b8733a8_JaffaCakes118.exe	30
PID 2224 wrote to memory of 2704	2224	yes.exe	31
PID 2224 wrote to memory of 2704	2224	yes.exe	31
PID 2224 wrote to memory of 2704	2224	yes.exe	31
PID 2224 wrote to memory of 2704	2224	yes.exe	31
PID 2704 wrote to memory of 2556	2704	fucke.exe	32
PID 2704 wrote to memory of 2556	2704	fucke.exe	32
PID 2704 wrote to memory of 2556	2704	fucke.exe	32
PID 2704 wrote to memory of 2556	2704	fucke.exe	32
PID 2704 wrote to memory of 2580	2704	fucke.exe	33
PID 2704 wrote to memory of 2580	2704	fucke.exe	33
PID 2704 wrote to memory of 2580	2704	fucke.exe	33
PID 2704 wrote to memory of 2580	2704	fucke.exe	33
PID 2224 wrote to memory of 644	2224	yes.exe	34
PID 2224 wrote to memory of 644	2224	yes.exe	34
PID 2224 wrote to memory of 644	2224	yes.exe	34
PID 2224 wrote to memory of 644	2224	yes.exe	34

C:\Users\Admin\AppData\Local\Temp\ebceb7f190b577c1f70dd6bc1b8733a8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ebceb7f190b577c1f70dd6bc1b8733a8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\yes.exe
  "C:\Users\Admin\AppData\Local\Temp\yes.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Program Files\Common Files\Microsoft Shared\MSINFO\fucke.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSINFO\fucke.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\program files\internet explorer\IEXPLORE.EXE
      "C:\program files\internet explorer\IEXPLORE.EXE"
      4⤵
      PID:2556
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 316
      4⤵
      Program crash
      PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:644
- C:\Users\Admin\AppData\Local\Temp\×îÐÂ¼ÛÖµ800ÔªµÄvipÍøÂí.exe
  "C:\Users\Admin\AppData\Local\Temp\×îÐÂ¼ÛÖµ800ÔªµÄvipÍøÂí.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\SgotoDel.bat

Filesize
126B

MD5
1a19b66d8c59eec1d0ae07917d9a1656

SHA1
699cc9d5e9172c30087ef49e7d26cb0661f749b5

SHA256
b7afea92c7e76f356807b7abe5245fff095dc4b1ff1ccf68a46766ede463ef5b

SHA512
17a041378423cf0b4fc8f4159da32d5f445a8e25eeed8a8a75f258c668601050f5b7d6ef4a2d9b2ae6bf70c84c7fc09b64b8001ee5aea2c7190326b6506b61af

Download Submit
C:\Users\Admin\AppData\Local\Temp\yes.exe

Filesize
614KB

MD5
063a93e89748df2b0ecd06db45d872ad

SHA1
c4af0bb94e9b0e2aeaf06e2f6f5c94a6b4b2fb3d

SHA256
b2a70b166799b0718c025313c7b493d7848fc389610912b8f6d5c07d5cdb59c7

SHA512
d07d596001243f22b9002ef0a389c71b3e82d4112374ef02afd0332f5e4a78f8b67c86a8b062c79e5b8f935d552e4de6740d06c6074bd5d03de2e9e6d66d43d9

Download Submit
\Users\Admin\AppData\Local\Temp\×îÐÂ¼ÛÖµ800ÔªµÄvipÍøÂí.exe

Filesize
846KB

MD5
dbf8fcead59524b9b685c03e0adf84a2

SHA1
45bb0a95d571ed76a731d77e6ff045151a465702

SHA256
e51478dceda2da5066fbfb7203dbbe55f8f0f717ecc2eaa7d1a9e38decdf1dc9

SHA512
d0cd741c208dda40f68d7bd9dfc6eca68a41e9d01e429fe10cf2110da1d292c94bd9f776a55e8f2ab6442be698d22b1cc910ae017b4f4e4ec2717ad74c26516f

Download Submit
memory/2180-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2180-13-0x0000000003130000-0x0000000003253000-memory.dmp

Filesize
1.1MB

Download
memory/2180-12-0x0000000003130000-0x0000000003253000-memory.dmp

Filesize
1.1MB

Download
memory/2180-41-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2224-17-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2224-61-0x00000000041A0000-0x00000000042C3000-memory.dmp

Filesize
1.1MB

Download
memory/2224-28-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2224-27-0x0000000003240000-0x0000000003242000-memory.dmp

Filesize
8KB

Download
memory/2224-26-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2224-25-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/2224-24-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/2224-23-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/2224-22-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/2224-21-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/2224-20-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/2224-19-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/2224-18-0x0000000001D60000-0x0000000001D61000-memory.dmp

Filesize
4KB

Download
memory/2224-30-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2224-36-0x00000000004C5000-0x00000000004C8000-memory.dmp

Filesize
12KB

Download
memory/2224-31-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2224-42-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2224-87-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2224-32-0x00000000032B0000-0x00000000032B1000-memory.dmp

Filesize
4KB

Download
memory/2224-16-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2224-15-0x0000000001CC0000-0x0000000001D14000-memory.dmp

Filesize
336KB

Download
memory/2224-14-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2224-33-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/2224-71-0x00000000041A0000-0x00000000042C3000-memory.dmp

Filesize
1.1MB

Download
memory/2224-62-0x00000000041A0000-0x00000000042C3000-memory.dmp

Filesize
1.1MB

Download
memory/2224-29-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/2224-67-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2224-68-0x0000000001CC0000-0x0000000001D14000-memory.dmp

Filesize
336KB

Download
memory/2668-69-0x0000000000400000-0x0000000000BD3994-memory.dmp

Filesize
7.8MB

Download
memory/2668-52-0x0000000000400000-0x0000000000BD3994-memory.dmp

Filesize
7.8MB

Download
memory/2668-48-0x0000000000400000-0x0000000000BD3994-memory.dmp

Filesize
7.8MB

Download
memory/2704-65-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2704-64-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2704-63-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2704-73-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download