modiloader | d6e7ba59b0f52c1231921bc7cfe0eafbe9906a4ab840b26e0a444ce0bc3a3763

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9b344756d34e07cc5762b1afe39b892_JaffaCakes118.exe
Size

355KB
MD5

f9b344756d34e07cc5762b1afe39b892
SHA1

86c564c699cf8356b1c37e7450de39820e3e4d84
SHA256

d6e7ba59b0f52c1231921bc7cfe0eafbe9906a4ab840b26e0a444ce0bc3a3763
SHA512

b317962edf45e211d8b0297196ba8c8f1839c8d7254698b9a79b6772d8a84bf57821b7643545174cd866df4f8018b8a68a840620d5d2e145a0e48b3c768aa02e
SSDEEP

6144:7viXbZg3PqE1ECiTApFCN0okG1xcY6HIyhEfc6pN2GiPHMhm6r5F+kIJ2+0U:7vmZg/qE1ukCN0M1xV6HIyhm1N2em6lo

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/2756-6-0x0000000000400000-0x00000000005CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2756-5-0x0000000000400000-0x00000000005CE000-memory.dmp	modiloader_stage2
behavioral1/memory/2756-7-0x0000000000401000-0x0000000000573000-memory.dmp	modiloader_stage2

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt	f9b344756d34e07cc5762b1afe39b892_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9b344756d34e07cc5762b1afe39b892_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2840	2756	f9b344756d34e07cc5762b1afe39b892_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2840	2756	f9b344756d34e07cc5762b1afe39b892_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2840	2756	f9b344756d34e07cc5762b1afe39b892_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2840	2756	f9b344756d34e07cc5762b1afe39b892_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\f9b344756d34e07cc5762b1afe39b892_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9b344756d34e07cc5762b1afe39b892_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756
- C:\program files\internet explorer\IEXPLORE.EXE
  "C:\program files\internet explorer\IEXPLORE.EXE"
  2⤵
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2756-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2756-0-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2756-2-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2756-3-0x0000000000401000-0x0000000000573000-memory.dmp

Filesize
1.4MB

Download
memory/2756-6-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2756-5-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2756-7-0x0000000000401000-0x0000000000573000-memory.dmp

Filesize
1.4MB

Download