modiloader | 1366ed9d181a80404b5f8524833dfebc17f8b00ee2071764c50bd4d21fde4b75

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed119e92ac5b9b0efcba54ae2976fff5_JaffaCakes118.exe
Size

224KB
MD5

ed119e92ac5b9b0efcba54ae2976fff5
SHA1

1652eecb7c54a0ea121f1205c0ab880cf770fa93
SHA256

1366ed9d181a80404b5f8524833dfebc17f8b00ee2071764c50bd4d21fde4b75
SHA512

37c143c48bafa2e6afad1b9556f27167400f58a35238927cb65a2e224905c5f0d07403578dba2458d6bd2369b6771bc1b7eb3d29481c7e21596815645ed6c29e
SSDEEP

6144:p8jZ7rS2SdkT37by4pZ2+oSnrceAEab4wAIAHq3:pe0lA3C4pZNoSrcVE9fK

Score

10^/10

modiloader discovery trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/1236-13-0x0000000000400000-0x0000000000473000-memory.dmp	modiloader_stage2

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1236-0-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/1236-13-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2468	1236	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed119e92ac5b9b0efcba54ae2976fff5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 2468	1236	ed119e92ac5b9b0efcba54ae2976fff5_JaffaCakes118.exe	30
PID 1236 wrote to memory of 2468	1236	ed119e92ac5b9b0efcba54ae2976fff5_JaffaCakes118.exe	30
PID 1236 wrote to memory of 2468	1236	ed119e92ac5b9b0efcba54ae2976fff5_JaffaCakes118.exe	30
PID 1236 wrote to memory of 2468	1236	ed119e92ac5b9b0efcba54ae2976fff5_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\ed119e92ac5b9b0efcba54ae2976fff5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed119e92ac5b9b0efcba54ae2976fff5_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 296
  2⤵
  - Program crash
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jI82l\PCGWIN32.LI5

Filesize
2KB

MD5
6ae7702c733353cae51c25d835f316a4

SHA1
afae5c9836ea2160ed7fb997f50b731c09d77093

SHA256
19bf461a212b6b4be2fc29b27b77b46dcaac0ac5cf64c0989bda4c38d5de116a

SHA512
45cbcb140ac1f3c9084df4da0c51af8082183e1852d2c71840a2d5765a447d8fee5b2ff37cbc46a75c4ec7f33f862e5862fc502bc35956adc859b34da593fd90

Download Submit
memory/1236-0-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1236-13-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download