modiloader | e1a9f7fad02dc673f6c02f5b1ec82266dc85426941c403750d3c46289feec30c

Resubmissions

25-09-2024 17:02

240925-vj61tswglq 10

24-09-2024 10:56

240924-m1nltavhma 10

24-09-2024 10:31

240924-mkb8va1ejk 10

Analysis

max time kernel
1s
max time network
0s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-09-2024 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe
Size

623KB
MD5

f37083d35c4d2e785a6fb84875cb8331
SHA1

fc93143795ae3fb1b81947961d571b1e00fdb4b5
SHA256

e1a9f7fad02dc673f6c02f5b1ec82266dc85426941c403750d3c46289feec30c
SHA512

5d85335c80d532a22203076f5730ec8518b221f0a1ad89a14e7575a9d8d9b88d414afb72a5ea72a3bec728673d3db0b24cb597bb0da64ce4e03d6140bd602f51
SSDEEP

6144:zcP+pnEzMXdO4Qq6Iyh1G6J9bJuYK6wGWZRgdg18LIg7mG58Lxzj2z8ZkiGn1umM:zlnE/zJ9HKIww5AyviGumKuCN

Score

10^/10

modiloader bootkit defense_evasion discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016d6d-40.dat	modiloader_stage2
behavioral1/memory/2476-56-0x00000000001E0000-0x0000000000220000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-64-0x0000000000400000-0x0000000000427000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2648	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
2268	KBzrJe4WanwyAG0z4x.exe
2812	lob.exe
2744	loc.exe
2580	loe.exe
3020	loe.exe

Loads dropped DLL 13 IoCs

pid	Process
2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe
2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe
2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe
2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe
2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe
2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe
2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe
2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2580	loe.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xhunenimiqayoqan = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\KBDaxts.dll\",Startup"	rundll32.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	lob.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process
PID 2580 set thread context of 0	2580	loe.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KBzrJe4WanwyAG0z4x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2268	KBzrJe4WanwyAG0z4x.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2812	lob.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2268	KBzrJe4WanwyAG0z4x.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2268	2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2268	2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2268	2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2268	2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2812	2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe	31
PID 2876 wrote to memory of 2812	2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe	31
PID 2876 wrote to memory of 2812	2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe	31
PID 2876 wrote to memory of 2812	2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe	31
PID 2876 wrote to memory of 2744	2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe	32
PID 2876 wrote to memory of 2744	2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe	32
PID 2876 wrote to memory of 2744	2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe	32
PID 2876 wrote to memory of 2744	2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe	32
PID 2876 wrote to memory of 2580	2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe	33
PID 2876 wrote to memory of 2580	2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe	33
PID 2876 wrote to memory of 2580	2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe	33
PID 2876 wrote to memory of 2580	2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe	33
PID 2876 wrote to memory of 2648	2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe	34
PID 2876 wrote to memory of 2648	2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe	34
PID 2876 wrote to memory of 2648	2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe	34
PID 2876 wrote to memory of 2648	2876	f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe	34
PID 2744 wrote to memory of 2476	2744	loc.exe	36
PID 2744 wrote to memory of 2476	2744	loc.exe	36
PID 2744 wrote to memory of 2476	2744	loc.exe	36
PID 2744 wrote to memory of 2476	2744	loc.exe	36
PID 2744 wrote to memory of 2476	2744	loc.exe	36
PID 2744 wrote to memory of 2476	2744	loc.exe	36
PID 2744 wrote to memory of 2476	2744	loc.exe	36

C:\Users\Admin\AppData\Local\Temp\f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\KBzrJe4WanwyAG0z4x.exe
  KBzrJe4WanwyAG0z4x.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2268
- C:\Users\Admin\lob.exe
  lob.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Users\Admin\loc.exe
  loc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\KBDaxts.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2476
- C:\Users\Admin\loe.exe
  loe.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:2580
- - C:\Users\Admin\loe.exe
    loe.exe
    3⤵
    - Executes dropped EXE
    PID:3020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del f37083d35c4d2e785a6fb84875cb8331_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\KBDaxts.dll

Filesize
105KB

MD5
46eec9904342db94f51c0dfa0e3a10d9

SHA1
846759eaf3aa75bc91317c9364f4f5f1384cd96f

SHA256
125e143157269947d2834d27f02488fc9dc796811c230f8c33f1985e19932153

SHA512
a736a8ce1a5bebaba126f768f5109fe4d09a6bac9be840658b72de6cdff3f532db3c5e496871ba1d5c5eebcc58b3b4415798b7cde1bbbcfb5b7230358354c2a4

Download Submit
C:\Users\Admin\lob.exe

Filesize
178KB

MD5
e0a8e618405e52a6cf77476f18938364

SHA1
bd8f7d8c5d097cec9d71ebc909bbbbc29040c4c5

SHA256
fce212d1951fc71c0663fe94f79142463e99eafd6f93667ccc9ef71f21399fb1

SHA512
cccfd7ee58469678dc8cfc731c8b24bfa0cafc5e7f4fbff23bf175b8dec1c9c3c261c5da5ea455829bb612974af077f382e90b6afe4874f8fbd3fe8d223f028c

Download Submit
C:\Users\Admin\loe.exe

Filesize
143KB

MD5
cfca1423ddb4863c1d288e70252f8b63

SHA1
e5bb623d2a15ca203379f390a15622648f2d9adb

SHA256
8c977a316988b3e945ff4a9badadd2f68cbcd176c7e1eba5d44d40e404f090a4

SHA512
e5e1eea62ad86cf71d1a346254e9f1af66e82e1589401b395e925561f996a9acabac5a36dcd79bfe80725846d9aaf7e69d3cc6c081a76adc7a3606aee298ce7f

Download Submit
\Users\Admin\KBzrJe4WanwyAG0z4x.exe

Filesize
156KB

MD5
0985e2a405cf8989d20f5e126f752c95

SHA1
1df3f3f6b95b5f6c7ec29b5cdcc0e4e4d837dafd

SHA256
807c1ab2f96b44d9a6380e36f61356aa810cbd8bea85f4339ec5f8c0a3458cbd

SHA512
ace7323c9662eb57daab10830af30d67c2cc9ef7df78f245b5252f229ea9ac91e96ca2a0fbf17b222d856ddc38bde25385d6cb3e6f96e357e56dd7378e98e5e8

Download Submit
\Users\Admin\loc.exe

Filesize
105KB

MD5
b1c6e87de3686ba109bc6079221470d7

SHA1
2b669e09a587612a7e21f433968cfddf70ef7de7

SHA256
03c579ef791d5a7855e135d2f5392ff533edb6dd5e1b59bfc8085ee2e8f76aa3

SHA512
5522f5829b988f05a9ec44c036e9ee291f3cd1ab493ea290cfb37f02613be53c86e886c6361448777efe46d62faa4b23458b3eecd6abaf33793c28c7d0676c5f

Download Submit
memory/2476-55-0x00000000001E0000-0x0000000000220000-memory.dmp

Filesize
256KB

Download
memory/2476-56-0x00000000001E0000-0x0000000000220000-memory.dmp

Filesize
256KB

Download
memory/2476-54-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2580-64-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2744-45-0x0000000001D70000-0x0000000001DB0000-memory.dmp

Filesize
256KB

Download
memory/2744-43-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2744-58-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2812-42-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/2812-44-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2812-57-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2812-59-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2812-26-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2876-23-0x00000000002F0000-0x0000000000348000-memory.dmp

Filesize
352KB

Download
memory/2876-22-0x00000000002F0000-0x0000000000348000-memory.dmp

Filesize
352KB

Download