modiloader | 0d6303dc56d98efe45ad279ddd2677a6fd5d3a64ff680008d1bc4f9e6489d643

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecdd848248f8e5480691877512d60ecc_JaffaCakes118.exe
Size

386KB
MD5

ecdd848248f8e5480691877512d60ecc
SHA1

af03c0af0555bb67644e2949f1f64105367f006f
SHA256

0d6303dc56d98efe45ad279ddd2677a6fd5d3a64ff680008d1bc4f9e6489d643
SHA512

b742d3b41a85fe98d13c18fcbd4f4515dc10c922244c3030472275a294e993e2a9b85105ec71edb6213c93a9dded4ea9ae8a7cc27d0702e895633f7e6ff62964
SSDEEP

12288:V913uxLr7rF3Z4mxx5suV8OlyXfkVBQlHc:JWQmXSuVl08VCW

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/3784-62-0x00000000005A0000-0x00000000005C4000-memory.dmp	modiloader_stage2
behavioral2/memory/3784-66-0x00000000005A0000-0x00000000005C4000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
3784	SERVER~2.EXE

Loads dropped DLL 2 IoCs

pid	Process
3784	SERVER~2.EXE
3784	SERVER~2.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ecdd848248f8e5480691877512d60ecc_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\atmQQ2.dll	SERVER~2.EXE

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdd848248f8e5480691877512d60ecc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~2.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3784	SERVER~2.EXE
3784	SERVER~2.EXE
3784	SERVER~2.EXE
3784	SERVER~2.EXE
3784	SERVER~2.EXE
3784	SERVER~2.EXE
3784	SERVER~2.EXE
3784	SERVER~2.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3784	SERVER~2.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 3784	4552	ecdd848248f8e5480691877512d60ecc_JaffaCakes118.exe	86
PID 4552 wrote to memory of 3784	4552	ecdd848248f8e5480691877512d60ecc_JaffaCakes118.exe	86
PID 4552 wrote to memory of 3784	4552	ecdd848248f8e5480691877512d60ecc_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\ecdd848248f8e5480691877512d60ecc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ecdd848248f8e5480691877512d60ecc_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~2.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~2.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\MSInfo\atmQQ2.dll

Filesize
20KB

MD5
90c8d9b88b4ffd895b7c14975087048f

SHA1
0f020375b376c33aca51a86624f73d82118686da

SHA256
36a18d99df14db60a74f529c82fa9cadcf93055e78195b6a21c9054bb8c4dd93

SHA512
ed76f3ae17ded2aac599d5bc7c8a6a25720eb5c880691662a1b01c0057ffb902f67d088d8ec3a74aab6493072fd9b0c9524cf947a89f50c2c2f26655cfdcd8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~2.EXE

Filesize
36KB

MD5
69f933f8efb2d2807abd0df27ce4b045

SHA1
258a0dc89dc034ee594e6533f9ee683a8d44ad1f

SHA256
3567e4fcd0bb855b0920d31908b259b8340d07e1f376c301567620199320d835

SHA512
01d30c933a20e114112b92ccc99710aa18dc56ffe8d996289372a6b072d6514de3c3452f3722ab345fb93566f29cd001f18d148a0633388a0b0c6ff1d4caf38e

Download Submit
memory/3784-52-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3784-54-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3784-61-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/3784-66-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/3784-65-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3784-62-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/4552-33-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/4552-28-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/4552-8-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/4552-7-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/4552-17-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4552-16-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4552-47-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/4552-46-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4552-45-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/4552-44-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/4552-43-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4552-42-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/4552-41-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/4552-40-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/4552-39-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/4552-38-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/4552-37-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/4552-36-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/4552-35-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/4552-34-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/4552-11-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4552-32-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/4552-31-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/4552-30-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/4552-29-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/4552-9-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4552-27-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/4552-26-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4552-25-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4552-24-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4552-23-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4552-22-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4552-18-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4552-20-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4552-19-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4552-15-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4552-21-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4552-13-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/4552-14-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4552-12-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4552-10-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4552-6-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/4552-5-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4552-4-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/4552-3-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/4552-2-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/4552-63-0x0000000001000000-0x000000000107F000-memory.dmp

Filesize
508KB

Download
memory/4552-64-0x00000000005F0000-0x0000000000644000-memory.dmp

Filesize
336KB

Download
memory/4552-1-0x00000000005F0000-0x0000000000644000-memory.dmp

Filesize
336KB

Download
memory/4552-0-0x0000000001000000-0x000000000107F000-memory.dmp

Filesize
508KB

Download