modiloader | f77aae4d6816430c41624cda854243b7785391d85bcf6f7845184a7c66817ba1

Analysis

max time kernel
131s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb8e00c30c4d4b6101109dde261042b2_JaffaCakes118.exe
Size

113KB
MD5

fb8e00c30c4d4b6101109dde261042b2
SHA1

7f8c2e441f8602f8f8f59c184501c97752d6ee11
SHA256

f77aae4d6816430c41624cda854243b7785391d85bcf6f7845184a7c66817ba1
SHA512

a7c1f6af4164af01e9bf62493588251aaa23f2b6e77bc48667b959b60bcb89fa97955f601eecae01d7dc6be6e6238b7f136732b0cce5b776d16a6fd9f27f0cbd
SSDEEP

3072:fuyrHX1EedcfeO4iwQCxkhBzEpdVWNL/GgGlmldy:fuyrHX1XdpOTW3VWFGgZy

Score

10^/10

modiloader discovery evasion trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral2/memory/3532-3-0x0000000000400000-0x0000000000464310-memory.dmp	modiloader_stage2
behavioral2/memory/3532-5-0x0000000000400000-0x0000000000464310-memory.dmp	modiloader_stage2
behavioral2/memory/3532-4-0x0000000000400000-0x0000000000464310-memory.dmp	modiloader_stage2
behavioral2/memory/3532-13-0x0000000000400000-0x0000000000464310-memory.dmp	modiloader_stage2
behavioral2/memory/3532-14-0x0000000000401000-0x0000000000444000-memory.dmp	modiloader_stage2

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0008000000023625-7.dat	acprotect

Loads dropped DLL 2 IoCs

pid	Process
3532	fb8e00c30c4d4b6101109dde261042b2_JaffaCakes118.exe
3532	fb8e00c30c4d4b6101109dde261042b2_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fb8e00c30c4d4b6101109dde261042b2_JaffaCakes118.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2484	3532	WerFault.exe	88
4408	3532	WerFault.exe	88
2620	3532	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb8e00c30c4d4b6101109dde261042b2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3532	fb8e00c30c4d4b6101109dde261042b2_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fb8e00c30c4d4b6101109dde261042b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb8e00c30c4d4b6101109dde261042b2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 636
  2⤵
  - Program crash
  PID:2484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 644
  2⤵
  - Program crash
  PID:4408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 656
  2⤵
  - Program crash
  PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3532 -ip 3532
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3532 -ip 3532
1⤵
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3532 -ip 3532
1⤵
PID:1508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:8
1⤵
PID:3996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ntdtcstp.dll

Filesize
8KB

MD5
f0f833f5a631f3e727b7429ed93f10e5

SHA1
6ea8371a2cd9e65a18db108c6c528be62338233a

SHA256
267abdaa888872516c6c3ccc72cf00a9b2006acf210b8b6e5b04860f93833681

SHA512
76c0a4e6d229a6a8c57e86592964a75519d234f85e29536456e00e041e3ceae2fa74d108230ce9b8b3e14e2b8ef674c2a4ee917e2738dbefc96b253a3d2c8b02

Download Submit
memory/3532-0-0x0000000000400000-0x0000000000464310-memory.dmp

Filesize
400KB

Download
memory/3532-1-0x0000000000400000-0x0000000000464310-memory.dmp

Filesize
400KB

Download
memory/3532-2-0x0000000000401000-0x0000000000444000-memory.dmp

Filesize
268KB

Download
memory/3532-3-0x0000000000400000-0x0000000000464310-memory.dmp

Filesize
400KB

Download
memory/3532-5-0x0000000000400000-0x0000000000464310-memory.dmp

Filesize
400KB

Download
memory/3532-4-0x0000000000400000-0x0000000000464310-memory.dmp

Filesize
400KB

Download
memory/3532-12-0x00000000022B0000-0x00000000022C0000-memory.dmp

Filesize
64KB

Download
memory/3532-13-0x0000000000400000-0x0000000000464310-memory.dmp

Filesize
400KB

Download
memory/3532-14-0x0000000000401000-0x0000000000444000-memory.dmp

Filesize
268KB

Download
memory/3532-15-0x00000000022B0000-0x00000000022C0000-memory.dmp

Filesize
64KB

Download