modiloader | e94c633dfef4c87ea0c64c4f3b81d5b7739935fc0cddfd0ac48f0160681250e7

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

020aa06fa39560ab6ff24b0e179021cf_JaffaCakes118.exe
Size

383KB
MD5

020aa06fa39560ab6ff24b0e179021cf
SHA1

01cc1e3fda6a0bdd2b3dfc8f18be336d2a575f1c
SHA256

e94c633dfef4c87ea0c64c4f3b81d5b7739935fc0cddfd0ac48f0160681250e7
SHA512

4893055ad0841ddfb067bfa5c6478682a3476e4423167d285e0c49eb025c060580f7b247fc328618daba740ec6e062eb5f4703bb967e07587ebc823f507d1b96
SSDEEP

6144:uBDhoPaFoVGmJK0H9cIRYcoF2NciEjEx4TuSYKCruhr+IorNAYWxoUILLlt0E:uBDuPq4GqKWWGFoFEciEjExsuWhaIorx

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral2/memory/4916-0-0x0000000000400000-0x00000000004CAABC-memory.dmp	modiloader_stage2
behavioral2/memory/4916-2-0x0000000000400000-0x00000000004CAABC-memory.dmp	modiloader_stage2
behavioral2/memory/4176-8-0x0000000000400000-0x00000000004CAABC-memory.dmp	modiloader_stage2
behavioral2/memory/4916-11-0x0000000000400000-0x00000000004CAABC-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
4176	time.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe	020aa06fa39560ab6ff24b0e179021cf_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe	020aa06fa39560ab6ff24b0e179021cf_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat	020aa06fa39560ab6ff24b0e179021cf_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	020aa06fa39560ab6ff24b0e179021cf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	time.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 4176	4916	020aa06fa39560ab6ff24b0e179021cf_JaffaCakes118.exe	83
PID 4916 wrote to memory of 4176	4916	020aa06fa39560ab6ff24b0e179021cf_JaffaCakes118.exe	83
PID 4916 wrote to memory of 4176	4916	020aa06fa39560ab6ff24b0e179021cf_JaffaCakes118.exe	83
PID 4176 wrote to memory of 4984	4176	time.exe	84
PID 4176 wrote to memory of 4984	4176	time.exe	84
PID 4916 wrote to memory of 3020	4916	020aa06fa39560ab6ff24b0e179021cf_JaffaCakes118.exe	85
PID 4916 wrote to memory of 3020	4916	020aa06fa39560ab6ff24b0e179021cf_JaffaCakes118.exe	85
PID 4916 wrote to memory of 3020	4916	020aa06fa39560ab6ff24b0e179021cf_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\020aa06fa39560ab6ff24b0e179021cf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\020aa06fa39560ab6ff24b0e179021cf_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:4984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat

Filesize
212B

MD5
1939d33d03be356b5c63a1eecd2d59e0

SHA1
1fb298e673a710271cb6645d6c9fdf91e23e2a66

SHA256
9a8cce897a9af563508e47c33cb2c625dd4801e3fad712386e2516ef40ec55ef

SHA512
55d6e8f206eef58e20ca9dfc403a9a4387c1aef95f57c517d499a11ab59a0f0077b9d377edfd61a912c77644cf9292c40f8434b3059b2922860e8904a78b6c1d

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\time.exe

Filesize
383KB

MD5
020aa06fa39560ab6ff24b0e179021cf

SHA1
01cc1e3fda6a0bdd2b3dfc8f18be336d2a575f1c

SHA256
e94c633dfef4c87ea0c64c4f3b81d5b7739935fc0cddfd0ac48f0160681250e7

SHA512
4893055ad0841ddfb067bfa5c6478682a3476e4423167d285e0c49eb025c060580f7b247fc328618daba740ec6e062eb5f4703bb967e07587ebc823f507d1b96

Download Submit
memory/4176-8-0x0000000000400000-0x00000000004CAABC-memory.dmp

Filesize
810KB

Download
memory/4916-0-0x0000000000400000-0x00000000004CAABC-memory.dmp

Filesize
810KB

Download
memory/4916-1-0x00000000004BB000-0x00000000004BE000-memory.dmp

Filesize
12KB

Download
memory/4916-2-0x0000000000400000-0x00000000004CAABC-memory.dmp

Filesize
810KB

Download
memory/4916-11-0x0000000000400000-0x00000000004CAABC-memory.dmp

Filesize
810KB

Download