modiloader | 00b2a6d50cf5342a2a1ed88e369cfe093b8b082bb2c9d770710556e7494f2d50

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f008c7582930b0cfe31b423560177429_JaffaCakes118.exe
Size

638KB
MD5

f008c7582930b0cfe31b423560177429
SHA1

561d33f6c20a560ec943eedf661709e01beb4d43
SHA256

00b2a6d50cf5342a2a1ed88e369cfe093b8b082bb2c9d770710556e7494f2d50
SHA512

e7c1c94fc80b9fd891c6f4617bdc8e4e34e15052d3c7b24fddb042ea98ca6b784099fa2428112277d34f9a4b646db325fb45136701f3b6f11fc956fd595e452f
SSDEEP

12288:9Q8tUfibfnhgUHKfDgAnJGrgkw1c2obY7517iQq/ORXe:yfmfNwGrgkCocd1mh/ORXe

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016688-57.dat	modiloader_stage2
behavioral1/memory/2604-61-0x0000000000400000-0x00000000004CB200-memory.dmp	modiloader_stage2
behavioral1/memory/3052-60-0x0000000002E10000-0x0000000002EDC000-memory.dmp	modiloader_stage2
behavioral1/memory/2224-90-0x0000000000400000-0x00000000004CB200-memory.dmp	modiloader_stage2
behavioral1/memory/2604-92-0x0000000000400000-0x00000000004CB200-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2604	4.exe
2224	Windous_system

Loads dropped DLL 4 IoCs

pid	Process
3052	f008c7582930b0cfe31b423560177429_JaffaCakes118.exe
3052	f008c7582930b0cfe31b423560177429_JaffaCakes118.exe
2604	4.exe
2604	4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f008c7582930b0cfe31b423560177429_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	4.exe
File opened (read-only)	\??\R:	4.exe
File opened (read-only)	\??\B:	4.exe
File opened (read-only)	\??\H:	4.exe
File opened (read-only)	\??\S:	4.exe
File opened (read-only)	\??\T:	4.exe
File opened (read-only)	\??\X:	4.exe
File opened (read-only)	\??\A:	4.exe
File opened (read-only)	\??\Q:	4.exe
File opened (read-only)	\??\V:	4.exe
File opened (read-only)	\??\Z:	4.exe
File opened (read-only)	\??\O:	4.exe
File opened (read-only)	\??\P:	4.exe
File opened (read-only)	\??\I:	4.exe
File opened (read-only)	\??\J:	4.exe
File opened (read-only)	\??\K:	4.exe
File opened (read-only)	\??\L:	4.exe
File opened (read-only)	\??\N:	4.exe
File opened (read-only)	\??\U:	4.exe
File opened (read-only)	\??\E:	4.exe
File opened (read-only)	\??\G:	4.exe
File opened (read-only)	\??\W:	4.exe
File opened (read-only)	\??\Y:	4.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\AutoRun.inf	4.exe
File opened for modification	C:\AutoRun.inf	4.exe
File created	F:\AutoRun.inf	4.exe
File opened for modification	F:\AutoRun.inf	4.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Windous_system	4.exe
File opened for modification	C:\Windows\SysWOW64\Windous_system	4.exe
File opened for modification	C:\Windows\SysWOW64\Windous_system	Windous_system
File created	C:\Windows\SysWOW64\SgotoDel.bat	4.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f008c7582930b0cfe31b423560177429_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windous_system
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2604	3052	f008c7582930b0cfe31b423560177429_JaffaCakes118.exe	30
PID 3052 wrote to memory of 2604	3052	f008c7582930b0cfe31b423560177429_JaffaCakes118.exe	30
PID 3052 wrote to memory of 2604	3052	f008c7582930b0cfe31b423560177429_JaffaCakes118.exe	30
PID 3052 wrote to memory of 2604	3052	f008c7582930b0cfe31b423560177429_JaffaCakes118.exe	30
PID 2604 wrote to memory of 2224	2604	4.exe	31
PID 2604 wrote to memory of 2224	2604	4.exe	31
PID 2604 wrote to memory of 2224	2604	4.exe	31
PID 2604 wrote to memory of 2224	2604	4.exe	31
PID 2604 wrote to memory of 1692	2604	4.exe	32
PID 2604 wrote to memory of 1692	2604	4.exe	32
PID 2604 wrote to memory of 1692	2604	4.exe	32
PID 2604 wrote to memory of 1692	2604	4.exe	32

C:\Users\Admin\AppData\Local\Temp\f008c7582930b0cfe31b423560177429_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f008c7582930b0cfe31b423560177429_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\Windous_system
    C:\Windows\system32\Windous_system
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\SgotoDel.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
775KB

MD5
3cc599cbdea82619149a2b62e866b14c

SHA1
0a0722ea4164c87a4453c1ce1389d8d591182852

SHA256
41a3304e344cb143e79a690219d5f7c8ab54cc26e8acd43445fcbe78859c35b6

SHA512
db2e7647126273896d38928168d31e51714093b52f55abf691629fbaef14a1a831a0e59b339e8aacbe401e96032d355137450fecfe57d86413d8d5a39dcb3fe4

Download Submit
C:\Windows\SysWOW64\SgotoDel.bat

Filesize
144B

MD5
8ae64039d826b5cd7b18f19cd02448fc

SHA1
9fbbc25be9a768acc0f028a24aa8733f6ab4c80b

SHA256
ff89096af7bf23fbabfdf635f6f5707fae6ce937326ba951bdc44abd89b0d175

SHA512
f01616a7efb2a2a93430eb72bda046064150f9f8416d421c4f78fa947a2ac75a00ff01097336b53e605d7747a84f1b024381717ccfa5acdfd5bb47b7aaf1bb09

Download Submit
memory/2224-90-0x0000000000400000-0x00000000004CB200-memory.dmp

Filesize
812KB

Download
memory/2604-61-0x0000000000400000-0x00000000004CB200-memory.dmp

Filesize
812KB

Download
memory/2604-80-0x00000000020D0000-0x000000000219C000-memory.dmp

Filesize
816KB

Download
memory/2604-92-0x0000000000400000-0x00000000004CB200-memory.dmp

Filesize
812KB

Download
memory/3052-28-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-60-0x0000000002E10000-0x0000000002EDC000-memory.dmp

Filesize
816KB

Download
memory/3052-50-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-49-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-48-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-47-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-46-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-45-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-44-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-43-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-42-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-41-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-40-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-39-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-38-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-37-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-36-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-35-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-34-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-33-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-32-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-31-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-26-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-29-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-1-0x0000000000260000-0x00000000002B0000-memory.dmp

Filesize
320KB

Download
memory/3052-27-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-30-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-20-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-14-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/3052-23-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-22-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-21-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-19-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/3052-18-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/3052-17-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/3052-16-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/3052-15-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/3052-24-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-13-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/3052-12-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/3052-11-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/3052-10-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-9-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/3052-8-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/3052-7-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/3052-6-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/3052-5-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/3052-4-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/3052-3-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/3052-0-0x0000000001000000-0x0000000001106000-memory.dmp

Filesize
1.0MB

Download
memory/3052-2-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/3052-62-0x0000000002E10000-0x0000000002EDC000-memory.dmp

Filesize
816KB

Download
memory/3052-25-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3052-95-0x0000000000260000-0x00000000002B0000-memory.dmp

Filesize
320KB

Download
memory/3052-94-0x0000000001000000-0x0000000001106000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads