modiloader | 22b66c1abab1e0f7a30db72426404815300c715bc1bc49f3d0b1edb4b4cb3e27

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe
Size

1.9MB
MD5

f7a097ec7811f82c11296085e9cd539d
SHA1

b40d0447a9d5ba906d56551b78311f2c39ec9838
SHA256

22b66c1abab1e0f7a30db72426404815300c715bc1bc49f3d0b1edb4b4cb3e27
SHA512

a9373f0239b42b061b8784018893824531ca44cb8f1098c1b7043253ad659fc2acade29066edbcc2a2181e2db1e1f209d958139fb1b0dacf60fd1afedd93f83a
SSDEEP

49152:aSwf/YI9og/xeRK9jj18c8GuwhkRIjx1apgubKe3:aS0Q2o+xkK5j1lSwhkix1DQR

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/1848-10-0x0000000000400000-0x00000000005EB000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
3028	win.exe
3036	win.exe

Loads dropped DLL 3 IoCs

pid	Process
1848	f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe
1848	f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe
3028	win.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3028 set thread context of 3036	3028	win.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2064	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3036	win.exe
3036	win.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2064	vlc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2064	vlc.exe
Token: SeIncBasePriorityPrivilege	2064	vlc.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2064	vlc.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 3028	1848	f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe	30
PID 1848 wrote to memory of 3028	1848	f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe	30
PID 1848 wrote to memory of 3028	1848	f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe	30
PID 1848 wrote to memory of 3028	1848	f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2064	1848	f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe	31
PID 1848 wrote to memory of 2064	1848	f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe	31
PID 1848 wrote to memory of 2064	1848	f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe	31
PID 1848 wrote to memory of 2064	1848	f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe	31
PID 3028 wrote to memory of 3036	3028	win.exe	32
PID 3028 wrote to memory of 3036	3028	win.exe	32
PID 3028 wrote to memory of 3036	3028	win.exe	32
PID 3028 wrote to memory of 3036	3028	win.exe	32
PID 3028 wrote to memory of 3036	3028	win.exe	32
PID 3028 wrote to memory of 3036	3028	win.exe	32
PID 3028 wrote to memory of 3036	3028	win.exe	32
PID 3028 wrote to memory of 3036	3028	win.exe	32
PID 3036 wrote to memory of 1188	3036	win.exe	21
PID 3036 wrote to memory of 1188	3036	win.exe	21
PID 3036 wrote to memory of 1188	3036	win.exe	21
PID 3036 wrote to memory of 1188	3036	win.exe	21
PID 3036 wrote to memory of 1188	3036	win.exe	21
PID 3036 wrote to memory of 1188	3036	win.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Users\Admin\AppData\Local\Temp\win.exe
    "C:\Users\Admin\AppData\Local\Temp\win.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\win.exe
      R
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3036
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Exclusive Girls beautiful show ass Get Fucked(1).scr.mpg"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Exclusive Girls beautiful show ass Get Fucked(1).scr.mpg

Filesize
1.8MB

MD5
bb4bac0f1b7a2babc942346fef8a097a

SHA1
883f7aa12ce70671b15b6a9d687c05228b85b605

SHA256
c8f9ae95042b57e8a42dbf9037563db42a2c3e4a571d0178c0deb27ccdaaf5a2

SHA512
bf037b13ac8d416a0b09443903934c1625b6b7e788c2010ce369d2d8e9659b3d424e39ea56a8d0ff8e883e379e7d7b58813cf637e9b0bc2bdb10e898c3627fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\win.exe

Filesize
82KB

MD5
70d8b66d2dc979835ec43fb0afe8fee4

SHA1
a5c047bd5af8c4660227ab21a535dd6fdbc6f332

SHA256
e3cb606532867110847f0b992b5731b75cc3c8be153293a818c2996de33cc7ed

SHA512
e18c856da156caad49c3cabaf49e486c0973780ecbf90597f4e786d9c8eead653f4bf67fdd747545eba2b99fbc9cc81fe59a32ef5ba9553f6d063e2085cd5d33

Download Submit
memory/1188-30-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/1188-36-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/1848-10-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2064-55-0x000007FEF8450000-0x000007FEF8461000-memory.dmp

Filesize
68KB

Download
memory/2064-65-0x000007FEF73B0000-0x000007FEF73C1000-memory.dmp

Filesize
68KB

Download
memory/2064-75-0x000007FEF5850000-0x000007FEF58A7000-memory.dmp

Filesize
348KB

Download
memory/2064-60-0x000007FEF5BB0000-0x000007FEF6C60000-memory.dmp

Filesize
16.7MB

Download
memory/2064-76-0x000007FEF7290000-0x000007FEF72B8000-memory.dmp

Filesize
160KB

Download
memory/2064-77-0x000007FEF5820000-0x000007FEF5844000-memory.dmp

Filesize
144KB

Download
memory/2064-78-0x000007FEF5800000-0x000007FEF5818000-memory.dmp

Filesize
96KB

Download
memory/2064-79-0x000007FEF57D0000-0x000007FEF57F3000-memory.dmp

Filesize
140KB

Download
memory/2064-51-0x000007FEF8470000-0x000007FEF84A4000-memory.dmp

Filesize
208KB

Download
memory/2064-50-0x000000013FFF0000-0x00000001400E8000-memory.dmp

Filesize
992KB

Download
memory/2064-53-0x000007FEFBA60000-0x000007FEFBA78000-memory.dmp

Filesize
96KB

Download
memory/2064-54-0x000007FEFB760000-0x000007FEFB777000-memory.dmp

Filesize
92KB

Download
memory/2064-57-0x000007FEF7A40000-0x000007FEF7A51000-memory.dmp

Filesize
68KB

Download
memory/2064-59-0x000007FEF7840000-0x000007FEF7851000-memory.dmp

Filesize
68KB

Download
memory/2064-58-0x000007FEF7860000-0x000007FEF787D000-memory.dmp

Filesize
116KB

Download
memory/2064-56-0x000007FEF8430000-0x000007FEF8447000-memory.dmp

Filesize
92KB

Download
memory/2064-52-0x000007FEF6C60000-0x000007FEF6F16000-memory.dmp

Filesize
2.7MB

Download
memory/2064-80-0x000007FEF57B0000-0x000007FEF57C1000-memory.dmp

Filesize
68KB

Download
memory/2064-62-0x000007FEF73F0000-0x000007FEF7431000-memory.dmp

Filesize
260KB

Download
memory/2064-63-0x000007FEF7810000-0x000007FEF7831000-memory.dmp

Filesize
132KB

Download
memory/2064-64-0x000007FEF73D0000-0x000007FEF73E8000-memory.dmp

Filesize
96KB

Download
memory/2064-81-0x000007FEF5790000-0x000007FEF57A2000-memory.dmp

Filesize
72KB

Download
memory/2064-66-0x000007FEF7390000-0x000007FEF73A1000-memory.dmp

Filesize
68KB

Download
memory/2064-70-0x000007FEF7310000-0x000007FEF7328000-memory.dmp

Filesize
96KB

Download
memory/2064-69-0x000007FEF7330000-0x000007FEF7341000-memory.dmp

Filesize
68KB

Download
memory/2064-71-0x000007FEF72E0000-0x000007FEF7310000-memory.dmp

Filesize
192KB

Download
memory/2064-72-0x000007FEF5930000-0x000007FEF5997000-memory.dmp

Filesize
412KB

Download
memory/2064-74-0x000007FEF72C0000-0x000007FEF72D1000-memory.dmp

Filesize
68KB

Download
memory/2064-61-0x000007FEF59A0000-0x000007FEF5BAB000-memory.dmp

Filesize
2.0MB

Download
memory/2064-73-0x000007FEF58B0000-0x000007FEF592C000-memory.dmp

Filesize
496KB

Download
memory/2064-68-0x000007FEF7350000-0x000007FEF736B000-memory.dmp

Filesize
108KB

Download
memory/2064-67-0x000007FEF7370000-0x000007FEF7381000-memory.dmp

Filesize
68KB

Download
memory/2064-83-0x000007FEF48B0000-0x000007FEF4907000-memory.dmp

Filesize
348KB

Download
memory/2064-82-0x000007FEF4910000-0x000007FEF4921000-memory.dmp

Filesize
68KB

Download
memory/3028-26-0x0000000000400000-0x00000000004151F0-memory.dmp

Filesize
84KB

Download
memory/3036-21-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3036-23-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3036-48-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3036-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3036-19-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3036-20-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3036-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download