modiloader | 471b57e0717b74ca681b07b7a1c3db861950dde91095f81d03935e6a0c11dc84

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
Size

417KB
MD5

f76c87de4f88f5e997d205add85666c2
SHA1

f5fe7df9f8fb4c5cd7e515956d013bf7401c031b
SHA256

471b57e0717b74ca681b07b7a1c3db861950dde91095f81d03935e6a0c11dc84
SHA512

99bb6a6650ef7380ee396e0a924449c98473b336014e544940a703c6f45ebae2ede5ed67c0ec293d755b04a3321805d84315408d84c4a112438c0c889076308c
SSDEEP

6144:XsbF2fi5VSEQubmxcuxBMqvJiyd0YmQu2uOtys4KP1e2XKueAdpJtsb4TF5W:oIqyxcMOqv3LCSP1e2XwILW

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 9 IoCs

resource	yara_rule
behavioral1/memory/2748-6-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/2748-4-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/2748-7-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/2748-8-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/2748-9-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/2768-51-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/2748-50-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/2768-45-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/2768-62-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
1968	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2780	joice.exe
2768	joice.exe

Loads dropped DLL 6 IoCs

pid	Process
2748	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
2748	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
2780	joice.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File opened (read-only)	\??\T:	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File opened (read-only)	\??\Y:	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File opened (read-only)	\??\B:	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File opened (read-only)	\??\H:	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File opened (read-only)	\??\I:	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File opened (read-only)	\??\J:	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File opened (read-only)	\??\K:	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File opened (read-only)	\??\S:	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File opened (read-only)	\??\Q:	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File opened (read-only)	\??\A:	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File opened (read-only)	\??\E:	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File opened (read-only)	\??\G:	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File opened (read-only)	\??\M:	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File opened (read-only)	\??\N:	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File opened (read-only)	\??\P:	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File opened (read-only)	\??\Z:	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File opened (read-only)	\??\O:	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File opened (read-only)	\??\R:	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File opened (read-only)	\??\U:	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File opened (read-only)	\??\V:	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File opened (read-only)	\??\W:	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File opened (read-only)	\??\X:	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\AutoRun.inf	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File opened for modification	C:\AutoRun.inf	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File created	F:\AutoRun.inf	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File opened for modification	F:\AutoRun.inf	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2904 set thread context of 2748	2904	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe	30
PID 2780 set thread context of 2768	2780	joice.exe	32
PID 2768 set thread context of 1976	2768	joice.exe	34

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\joice.exe	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\_joice.exe	joice.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\_joice.exe	joice.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\joice.exe	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
572	2768	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	joice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	joice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2748	2904	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe	30
PID 2904 wrote to memory of 2748	2904	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe	30
PID 2904 wrote to memory of 2748	2904	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe	30
PID 2904 wrote to memory of 2748	2904	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe	30
PID 2904 wrote to memory of 2748	2904	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe	30
PID 2904 wrote to memory of 2748	2904	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2780	2748	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe	31
PID 2748 wrote to memory of 2780	2748	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe	31
PID 2748 wrote to memory of 2780	2748	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe	31
PID 2748 wrote to memory of 2780	2748	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe	31
PID 2780 wrote to memory of 2768	2780	joice.exe	32
PID 2780 wrote to memory of 2768	2780	joice.exe	32
PID 2780 wrote to memory of 2768	2780	joice.exe	32
PID 2780 wrote to memory of 2768	2780	joice.exe	32
PID 2780 wrote to memory of 2768	2780	joice.exe	32
PID 2780 wrote to memory of 2768	2780	joice.exe	32
PID 2748 wrote to memory of 1968	2748	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe	33
PID 2748 wrote to memory of 1968	2748	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe	33
PID 2748 wrote to memory of 1968	2748	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe	33
PID 2748 wrote to memory of 1968	2748	f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe	33
PID 2768 wrote to memory of 1976	2768	joice.exe	34
PID 2768 wrote to memory of 1976	2768	joice.exe	34
PID 2768 wrote to memory of 1976	2768	joice.exe	34
PID 2768 wrote to memory of 1976	2768	joice.exe	34
PID 2768 wrote to memory of 1976	2768	joice.exe	34
PID 2768 wrote to memory of 1976	2768	joice.exe	34
PID 2768 wrote to memory of 572	2768	joice.exe	36
PID 2768 wrote to memory of 572	2768	joice.exe	36
PID 2768 wrote to memory of 572	2768	joice.exe	36
PID 2768 wrote to memory of 572	2768	joice.exe	36

C:\Users\Admin\AppData\Local\Temp\f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f76c87de4f88f5e997d205add85666c2_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Program Files\Common Files\Microsoft Shared\MSINFO\joice.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSINFO\joice.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Program Files\Common Files\Microsoft Shared\MSINFO\joice.exe
      "C:\Program Files\Common Files\Microsoft Shared\MSINFO\joice.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\SysWOW64\calc.exe
        
        "C:\Windows\system32\calc.exe"
        5⤵
        
        PID:1976
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 280
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:572
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\SgotoDel.bat

Filesize
212B

MD5
0e3fe3478c5b7bd2a9fe8683ff7d9935

SHA1
f53569fb25b189b36627f3a705ae3f5c1715570c

SHA256
ae1822cffc6d780d18d045bffdf29726cf36ff2397349fc4f5a3973ab11ec3a7

SHA512
b5f3d0fb856f136536476ed35fc7abca1488e5cc4a6555cfba955b9cd6b4773804ec5f6f062a14096267acd2ea0d5780692504582a03dccc4948b0e91d56b235

Download Submit
F:\joice.exe

Filesize
417KB

MD5
f76c87de4f88f5e997d205add85666c2

SHA1
f5fe7df9f8fb4c5cd7e515956d013bf7401c031b

SHA256
471b57e0717b74ca681b07b7a1c3db861950dde91095f81d03935e6a0c11dc84

SHA512
99bb6a6650ef7380ee396e0a924449c98473b336014e544940a703c6f45ebae2ede5ed67c0ec293d755b04a3321805d84315408d84c4a112438c0c889076308c

Download Submit
memory/1976-52-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1976-54-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1976-56-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2748-4-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2748-8-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2748-7-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2748-9-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2748-2-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2748-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2748-6-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2748-50-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2768-51-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2768-45-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2768-62-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2780-35-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2904-5-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads