modiloader | a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ede5bbc69594ab35cd44eead5dc73752_JaffaCakes118.exe
Size

853KB
MD5

ede5bbc69594ab35cd44eead5dc73752
SHA1

32734225f02f0fd4a375313183b692900ee5eeea
SHA256

a76dbe766b8e6f8953fecc6f20c2f1b54892c0d1b416c3817dfef983902ee183
SHA512

22b24fba0d320be89765d6fd9bde2226c2e928c4ef6e9476b69b1ee426c59072949c045c834b357ec747a679b2f613750d3058c46d89a1ec47bfa7622b0a543c
SSDEEP

12288:Bki1msuXRKKAajizsFAiQHFQOsA+5UVK85Fe1qujMWWL0Uz/ELi2iwkDAPw:BfY3RKKAajpFApWNA+SVNe1/hqIiH6

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2268-3-0x0000000000400000-0x00000000004DF000-memory.dmp	modiloader_stage1

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

19 drive.google.com
21 drive.google.com
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

ede5bbc69594ab35cd44eead5dc73752_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ede5bbc69594ab35cd44eead5dc73752_JaffaCakes118.exe

flow	ioc
19	drive.google.com
21	drive.google.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ede5bbc69594ab35cd44eead5dc73752_JaffaCakes118.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	21	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ede5bbc69594ab35cd44eead5dc73752_JaffaCakes118.exe

description	pid	process	target process
PID 2268 wrote to memory of 1448	2268	ede5bbc69594ab35cd44eead5dc73752_JaffaCakes118.exe	ieinstal.exe
PID 2268 wrote to memory of 1448	2268	ede5bbc69594ab35cd44eead5dc73752_JaffaCakes118.exe	ieinstal.exe
PID 2268 wrote to memory of 1448	2268	ede5bbc69594ab35cd44eead5dc73752_JaffaCakes118.exe	ieinstal.exe

C:\Users\Admin\AppData\Local\Temp\ede5bbc69594ab35cd44eead5dc73752_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ede5bbc69594ab35cd44eead5dc73752_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2268

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
2⤵
PID:1448

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x31c 0x428
1⤵
PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2268-0-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/2268-1-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/2268-2-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/2268-3-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2268-4-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download