modiloader | 23ee628201a6572eef21e88cd3a6b99b016b6b10e61f55c9eb57928f7dde9e14

Analysis

max time kernel
72s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f094a3b0221453cb41535ce4912377c8_JaffaCakes118.exe
Size

413KB
MD5

f094a3b0221453cb41535ce4912377c8
SHA1

cd2eaf02d63695379d775fef3f3e80e14a6ffdc6
SHA256

23ee628201a6572eef21e88cd3a6b99b016b6b10e61f55c9eb57928f7dde9e14
SHA512

111c25f2b72657f7e38fc28dababb8d275ff169e8a59d68981a64e2f0c3198250b1deaf3dc6e5b6e053debe5d4606639b54560d471012e0af863301d6a0ac503
SSDEEP

6144:e8t57QciskQbmfX0P9rdhdurPHP2OuptvAbfg/RLMmIy8x9qLtsXtdbeDziZlJ8O:vzkfI4ebPk4/Zz8xELtsveDz2lJF4k

Score

10^/10

modiloader discovery trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/3060-5-0x0000000000400000-0x00000000004CC000-memory.dmp	modiloader_stage2

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3060-0-0x0000000000400000-0x00000000004CC000-memory.dmp	upx
behavioral1/memory/2588-3-0x0000000000060000-0x000000000012C000-memory.dmp	upx
behavioral1/memory/3060-5-0x0000000000400000-0x00000000004CC000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3060 set thread context of 2588	3060	f094a3b0221453cb41535ce4912377c8_JaffaCakes118.exe	29

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt	f094a3b0221453cb41535ce4912377c8_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f094a3b0221453cb41535ce4912377c8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{72516771-785A-11EF-9218-EAF933E40231} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433113406"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2588	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2588	IEXPLORE.EXE
2588	IEXPLORE.EXE
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2588	3060	f094a3b0221453cb41535ce4912377c8_JaffaCakes118.exe	29
PID 3060 wrote to memory of 2588	3060	f094a3b0221453cb41535ce4912377c8_JaffaCakes118.exe	29
PID 3060 wrote to memory of 2588	3060	f094a3b0221453cb41535ce4912377c8_JaffaCakes118.exe	29
PID 3060 wrote to memory of 2588	3060	f094a3b0221453cb41535ce4912377c8_JaffaCakes118.exe	29
PID 3060 wrote to memory of 2588	3060	f094a3b0221453cb41535ce4912377c8_JaffaCakes118.exe	29
PID 2588 wrote to memory of 2780	2588	IEXPLORE.EXE	30
PID 2588 wrote to memory of 2780	2588	IEXPLORE.EXE	30
PID 2588 wrote to memory of 2780	2588	IEXPLORE.EXE	30
PID 2588 wrote to memory of 2780	2588	IEXPLORE.EXE	30

C:\Users\Admin\AppData\Local\Temp\f094a3b0221453cb41535ce4912377c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f094a3b0221453cb41535ce4912377c8_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060
- C:\program files\internet explorer\IEXPLORE.EXE
  "C:\program files\internet explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ef240d05c00d76ae587e850730e1cbb

SHA1
ae442e0064845042b89114ef81373564ce1e0db7

SHA256
4140e306f9c8a8ca70241874d933e4531a3912ae1fb707fc89353d74c6ff75c9

SHA512
8dd5a0c699851220706871ea43e69775297ad049c518201cf4d2b5fcfdeabca1b99d569bcd2f55663c20b52356e755bcf7ca1c7557582ee918565a99bdcd04c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6d158ddea3d53ab26e121f169ffd9df

SHA1
6e2248b97971575513b21f3eac3dd7b0d95a01e5

SHA256
4c503e74a995c5b49c18ecfce91671ac72f6a1119fc89d3d2e7abea05efadfdd

SHA512
37f97016fe932edabd703799ba80ecc7ec2988b8ef20326b9d5c8d29ea48a53b64bbb35b6cd3c93d14e6cc7373820b4ca3577747c9fe6f4ac920e69a0c904228

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8593eece53e45c629b34d4bfcbfc7b90

SHA1
453d909bafe6fcfa347b88e2b31e81efa553b91b

SHA256
e6de09918b1b92e59a5b3159e79bed83245ef4b4d2525b9ad67f6dada7b5a9dd

SHA512
97e992365308d56a97a7acfb8627889cc5ec8a2c6aa49cf1ef43e64df7d6d295ab830a6fab2005352fdd77b928b5daceea5fd6139cd33e82c864b6a771b670aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d3abe95e828e4d8e5ab30f2da20a86e

SHA1
b5e5ffeab060f947cf00a5ead2f5530ece25252d

SHA256
d23fb39f669c7679a70bb9e577e0ab35ad1a841dd1e6cea142866c3ed6e7e9c3

SHA512
1b5c06bae58d5cd8730e413db0076b25a31ca7ffbae8eb0db778740db2c1eb264dcd9ebe8383d7e589553ebb9f80ac70de98525304b8cfd84867aec76e62b733

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9dc022737a0921cc9cdcd0d906989a7

SHA1
646d974318c5be004d4a7b282cc5bf142765a2a3

SHA256
3a597210bc4fcf7f10117790e003e7db427380d1419577b42b4cc07cb2f80994

SHA512
77171ceecc9b2534685faf92e1cf9e35a1748860c6813d061246ea989aca69af7c6b5cabf0b9d617f70f6391e9ae66648acb9ad07f95ce649b7bebeff49a9d0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38016987e820ce0b24434783e946d35f

SHA1
de1c0eac1c962e55912325501f375cce6f3df85b

SHA256
e1841d373f46c8565dc069286c9dc286950df3546fb448612fd93d0f99fed187

SHA512
e22cb5ff801b6a12d9feb462c1d972b34b4b3bf25b657afdea49ca4749b5a57440ec897db24a3c80033b800818256389c4d42a0e977714c7d40689ba40a289a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99e519f866118a26fcbe20c6216926f3

SHA1
6614cccb45c4983ad15304783d55baa2736f412d

SHA256
315fdd525675a8668513564ab1a30d0ca60c4c6424107fea4f5e88fc8d8cb0b3

SHA512
6dc3a1d9946782bb64db859ef1475873e7417877f1b455796a4d21937d2d8a396096bdd483cc13d5a92c28f9fe35837994284a0d081b96a6e0295fd9d5605bc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b18fc843f17e2472e979c2fdc81ca61b

SHA1
0fae90eaa5f985c8015aa83c3741e88a4f434ae3

SHA256
af6db255ff5201b410079d3002dfc3948f89903435307f26e776c5abc0ce7b02

SHA512
43d7a8a59a6d0f5ff6da9a40be67ffb566ed0074901a12c17409b3ec70da2ac47e2e0b6974fc8851877250819bacdb3f92aa639829b0723df4620d4b73603017

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
782ebbed3c7da16f36a11443a1af375e

SHA1
2e74df0fcb41dde5d522a02d141786653b2aa216

SHA256
6ecad2fcaa9c9f665ed6b8b090c0a0b4ed7a572b01afb192bd71746eecc2b843

SHA512
7f56b905ed87c5a960c884048f0ee9d1676d2891c823568c02128a53330228b402e75a90a5f40f32a2230b2b4016d9b705f1746496d4eadd6d4a4c9b3edbdf9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6831e2f9ae56ed9849761d4cfb500c4c

SHA1
4f904348eff615435c1a8158d4a123b8856b7a89

SHA256
860b237d09bbd0debed191d98adebcfd7e2b6ba461fa5692c4d74c8c43e0017a

SHA512
56839d5c82ec1b9155614630722100f13f90858c664a7ee51f2e4306ec08565e7e90c8baf74e5362bcfcdbbb7c392d5cebc3afcfccd4508adb9da012c548a066

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f917ff17391f1270c5f627499ada955b

SHA1
cd9eb805aecf5bf31563a64e1b44525d11f33f2f

SHA256
fea749b96326954646e9ebd2410823998d11ddab6f3d1c4dbd5da349cb1a24d0

SHA512
e9ced2de01363df314f9609541a4901f9bf01cbc3a9f9ff104b125c246fc54359d752f3bda787777e9d1e1b15d8ea81f6e170ed5c72154e3cf63006ac05240b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4848f6fda5c628f8925ab8e3986e908

SHA1
5ac804b5302993fda14e9f5891f9a927de6a46f6

SHA256
d7de09038802752b298b30725ef9c627714a6ee18d0ef0c85b48aacb57dafcf0

SHA512
09911c05f4afbed7b17a591cceb9b04461002edc01773bd8126939a82ed88cc639826f75b977e7c5b8e8a81dcc8c555f0dd5b07ad7994741ae84279411d318c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e38d06cecc9ba82b70c65f7703e0d7d7

SHA1
23cfb9c9495d35a4c40fc77224df08a975fcb549

SHA256
56e74fcb43db5b41b41afa437d686713570b047b36d977f089de2c7524a9996d

SHA512
0be8844c89fb732441e3cb96727025d28fd7c02b65e9929701204e67dc8e9c11258693626652eb12ef35a3598f595c414838e37be33fface550aac7371b5a887

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2cdefc0b44bb4005c48d4c7fb9ea1cf

SHA1
9c67b891f887da7ad03262a4e3823581a17f0c0a

SHA256
3c2360502e61cd94e38aab032f43561b5a6b450da136be28b34a045e60112d2d

SHA512
cc4527cc9fc1c14281746a473b4d44a0cd8350c769cf3d441a985bdd2aa89801e6fb6f26f4aaaca14b710535a2c33cf13760e4c9d79e1ba6db610030288d0658

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
475b002e51cdee6175df3f6b1e586882

SHA1
f8b4987be0bf341b0e709910a363ececbe4618b7

SHA256
92352151743ced2df2b81b77190a7ee04d871d66a2a3769983a83aa1c94438cf

SHA512
ec6071d706759843dd45518d9cb48193246e6879ec35d0b29919902f53ad1f4966a6c0cd30fbbf53b9259e45bf1c1807c6c0f89938be95683f1933a4c248af92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1401.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1452.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2588-3-0x0000000000060000-0x000000000012C000-memory.dmp

Filesize
816KB

Download
memory/3060-5-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3060-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3060-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download