modiloader | abd2d026b3745d4b020ac55c1a4c3ea926c4b72c19ddb6efca48c50ac111a941

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7a20f72594e93e888cf726e87c827f6_JaffaCakes118.exe
Size

264KB
MD5

f7a20f72594e93e888cf726e87c827f6
SHA1

5f917f08cd58f000c9903d6cf213ce5ea9509813
SHA256

abd2d026b3745d4b020ac55c1a4c3ea926c4b72c19ddb6efca48c50ac111a941
SHA512

da5cd6711edf0a62f680cf9cb094dd93840ea797ab16b71d4a98408e753ae107407aa2bbf913af628963b4ccff2d1ba6e7f3c5e2f7220feced13d46d7022b388
SSDEEP

6144:CVjiJLbA6jiuok9+hyhkMblUBj1zial2j7SxzJvwi:eQb12h2kyluiRvSxzhwi

Score

10^/10

modiloader discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2368-9-0x0000000000400000-0x0000000000449000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

pid	Process
2956	girl123.exe
2720	server.exe
1720	server.exe

Loads dropped DLL 8 IoCs

pid	Process
2368	f7a20f72594e93e888cf726e87c827f6_JaffaCakes118.exe
2368	f7a20f72594e93e888cf726e87c827f6_JaffaCakes118.exe
2956	girl123.exe
2956	girl123.exe
2956	girl123.exe
2720	server.exe
2720	server.exe
1720	server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	girl123.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2720 set thread context of 1720	2720	server.exe	31

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016688-19.dat	upx
behavioral1/memory/2956-27-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2720-41-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7a20f72594e93e888cf726e87c827f6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	girl123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1720	server.exe
1720	server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2720	server.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2956	2368	f7a20f72594e93e888cf726e87c827f6_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2956	2368	f7a20f72594e93e888cf726e87c827f6_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2956	2368	f7a20f72594e93e888cf726e87c827f6_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2956	2368	f7a20f72594e93e888cf726e87c827f6_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2956	2368	f7a20f72594e93e888cf726e87c827f6_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2956	2368	f7a20f72594e93e888cf726e87c827f6_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2956	2368	f7a20f72594e93e888cf726e87c827f6_JaffaCakes118.exe	29
PID 2956 wrote to memory of 2720	2956	girl123.exe	30
PID 2956 wrote to memory of 2720	2956	girl123.exe	30
PID 2956 wrote to memory of 2720	2956	girl123.exe	30
PID 2956 wrote to memory of 2720	2956	girl123.exe	30
PID 2956 wrote to memory of 2720	2956	girl123.exe	30
PID 2956 wrote to memory of 2720	2956	girl123.exe	30
PID 2956 wrote to memory of 2720	2956	girl123.exe	30
PID 2720 wrote to memory of 1720	2720	server.exe	31
PID 2720 wrote to memory of 1720	2720	server.exe	31
PID 2720 wrote to memory of 1720	2720	server.exe	31
PID 2720 wrote to memory of 1720	2720	server.exe	31
PID 2720 wrote to memory of 1720	2720	server.exe	31
PID 2720 wrote to memory of 1720	2720	server.exe	31
PID 2720 wrote to memory of 1720	2720	server.exe	31
PID 2720 wrote to memory of 1720	2720	server.exe	31
PID 2720 wrote to memory of 1720	2720	server.exe	31
PID 2720 wrote to memory of 1720	2720	server.exe	31
PID 2720 wrote to memory of 1720	2720	server.exe	31
PID 1720 wrote to memory of 1404	1720	server.exe	20
PID 1720 wrote to memory of 1404	1720	server.exe	20
PID 1720 wrote to memory of 1404	1720	server.exe	20
PID 1720 wrote to memory of 1404	1720	server.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1404
- C:\Users\Admin\AppData\Local\Temp\f7a20f72594e93e888cf726e87c827f6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f7a20f72594e93e888cf726e87c827f6_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Users\Admin\AppData\Local\Temp\girl123.exe
    "C:\Users\Admin\AppData\Local\Temp\girl123.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
92KB

MD5
076745fadd0b7dc4a8906c2c2cff1dc0

SHA1
cde3c5e53a3507b3db0cd4421fc604d02b26043d

SHA256
95fcbc874853c171353fde26213bb7c0f7442429a870f7a002663c7c526de9ec

SHA512
d9734fb7c7d5505435bb6b320429970bbf0384b5366ed7764c237062751c738cb3828821cf1d743415855ed4dc45adb01e720c78f1a7cde062d81311e9294c36

Download Submit
\Users\Admin\AppData\Local\Temp\girl123.exe

Filesize
252KB

MD5
969cbe4eed6dc4f0d1416e0e2e051b12

SHA1
e0a47ace284761d6a94a8c0ccd4db4ab5003920f

SHA256
d48e75fe3d73a683c588b2950fa6a70b3530324778ed66bb6eb919aa494652b8

SHA512
0a7be0375e9b8619606505f1ea993c291dedc03c2620d20caea58e6d411cff69c7c8497c0326c8f415b24de3516b65a8269126852cdd2c6db1654458e2938787

Download Submit
memory/1404-50-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1404-47-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1720-35-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1720-59-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/1720-44-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1720-39-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1720-37-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/2368-9-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2720-41-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2720-31-0x0000000000270000-0x00000000002C4000-memory.dmp

Filesize
336KB

Download
memory/2956-12-0x0000000001000000-0x000000000103F000-memory.dmp

Filesize
252KB

Download
memory/2956-28-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2956-21-0x0000000001000000-0x000000000103F000-memory.dmp

Filesize
252KB

Download
memory/2956-27-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2956-46-0x0000000001000000-0x000000000103F000-memory.dmp

Filesize
252KB

Download
memory/2956-18-0x0000000001000000-0x000000000103F000-memory.dmp

Filesize
252KB

Download
memory/2956-14-0x0000000001000000-0x000000000103F000-memory.dmp

Filesize
252KB

Download
memory/2956-15-0x0000000001000000-0x000000000103F000-memory.dmp

Filesize
252KB

Download
memory/2956-13-0x0000000001001000-0x0000000001003000-memory.dmp

Filesize
8KB

Download