modiloader | a7a33c015a028e65236c76169c581cd8a51765f3aca01d3f31598fb67046caa8

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f09751f5aff4b509476b97a70f872515_JaffaCakes118.exe
Size

640KB
MD5

f09751f5aff4b509476b97a70f872515
SHA1

a087d7de74c14b84b90ea5db68dcf7f3b081e202
SHA256

a7a33c015a028e65236c76169c581cd8a51765f3aca01d3f31598fb67046caa8
SHA512

3e1f4e817a2f4405c1eb75aebe7012a1843d07539fc745f5876456fb7e88af0dac993f03e4a1bd6966ec389df835879052e29665c9ad3183efe895797163b87f
SSDEEP

12288:MlkFac1YRwc5VmpmI+8+J/wNbc5GuVw+mzlliF3Z4mxx4oEtlK+kt9T2MY0:mcWEy8A/+hv+2iQmXRGT0

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral2/memory/4864-56-0x0000000000400000-0x0000000000514000-memory.dmp	modiloader_stage2
behavioral2/memory/4864-72-0x0000000000400000-0x0000000000514000-memory.dmp	modiloader_stage2
behavioral2/memory/3620-68-0x0000000000400000-0x0000000000514000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
3620	nlss.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nlss.exe	f09751f5aff4b509476b97a70f872515_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\nlss.exe	f09751f5aff4b509476b97a70f872515_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\nlss.exe	nlss.exe
File created	C:\Windows\SysWOW64\Delet.bat	f09751f5aff4b509476b97a70f872515_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f09751f5aff4b509476b97a70f872515_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nlss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 3620	4864	f09751f5aff4b509476b97a70f872515_JaffaCakes118.exe	82
PID 4864 wrote to memory of 3620	4864	f09751f5aff4b509476b97a70f872515_JaffaCakes118.exe	82
PID 4864 wrote to memory of 3620	4864	f09751f5aff4b509476b97a70f872515_JaffaCakes118.exe	82
PID 4864 wrote to memory of 4336	4864	f09751f5aff4b509476b97a70f872515_JaffaCakes118.exe	83
PID 4864 wrote to memory of 4336	4864	f09751f5aff4b509476b97a70f872515_JaffaCakes118.exe	83
PID 4864 wrote to memory of 4336	4864	f09751f5aff4b509476b97a70f872515_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\f09751f5aff4b509476b97a70f872515_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f09751f5aff4b509476b97a70f872515_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\SysWOW64\nlss.exe
  C:\Windows\system32\nlss.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\Delet.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Delet.bat

Filesize
212B

MD5
ce3809d36ba7c3db303d166fea6be78e

SHA1
7f650b550fa9ca3c2b32b058fa5cb0209836acec

SHA256
c4efad7419e2e5a079092da6f5aac513b7d45cb3050094a52265327ff8630c53

SHA512
6d9ba38c646bf7f1569e099cb24685c3d4308d3ae906d3c8b3ad98d2f39915237ad8f9c6a736484ca1399193c8e13209ed2c07bb52358ad9fafc10550dd1f205

Download Submit
C:\Windows\SysWOW64\nlss.exe

Filesize
640KB

MD5
f09751f5aff4b509476b97a70f872515

SHA1
a087d7de74c14b84b90ea5db68dcf7f3b081e202

SHA256
a7a33c015a028e65236c76169c581cd8a51765f3aca01d3f31598fb67046caa8

SHA512
3e1f4e817a2f4405c1eb75aebe7012a1843d07539fc745f5876456fb7e88af0dac993f03e4a1bd6966ec389df835879052e29665c9ad3183efe895797163b87f

Download Submit
memory/3620-64-0x0000000002230000-0x0000000002284000-memory.dmp

Filesize
336KB

Download
memory/3620-69-0x0000000002230000-0x0000000002284000-memory.dmp

Filesize
336KB

Download
memory/3620-68-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4864-23-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/4864-62-0x00000000022E0000-0x0000000002334000-memory.dmp

Filesize
336KB

Download
memory/4864-41-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/4864-44-0x00000000034C0000-0x00000000034C3000-memory.dmp

Filesize
12KB

Download
memory/4864-53-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/4864-52-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/4864-51-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/4864-20-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/4864-49-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/4864-48-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4864-46-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/4864-45-0x00000000034B0000-0x00000000034B3000-memory.dmp

Filesize
12KB

Download
memory/4864-43-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/4864-42-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/4864-40-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/4864-39-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/4864-38-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/4864-37-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/4864-35-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/4864-34-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/4864-32-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/4864-29-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/4864-28-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/4864-27-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/4864-26-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/4864-25-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/4864-24-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/4864-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4864-22-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/4864-21-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/4864-18-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/4864-1-0x00000000022E0000-0x0000000002334000-memory.dmp

Filesize
336KB

Download
memory/4864-50-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/4864-17-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/4864-16-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/4864-15-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/4864-14-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/4864-13-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/4864-12-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/4864-10-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/4864-8-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/4864-7-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4864-6-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/4864-47-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/4864-36-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/4864-33-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/4864-31-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/4864-30-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/4864-11-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/4864-9-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/4864-5-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/4864-4-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/4864-3-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/4864-2-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/4864-56-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4864-58-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/4864-57-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/4864-63-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/4864-19-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/4864-72-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4864-71-0x00000000022E0000-0x0000000002334000-memory.dmp

Filesize
336KB

Download