modiloader | 2f1689da203281598db1d10818ead7f0e15a1601cecfd225a62fabe8686d93ab

Analysis

max time kernel
0s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-11-2024 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

845abed239934629a99688c07f1e23ff_JaffaCakes118.exe
Size

312KB
MD5

845abed239934629a99688c07f1e23ff
SHA1

b84aaf9a8c58876203a382cbb9f35983c661c978
SHA256

2f1689da203281598db1d10818ead7f0e15a1601cecfd225a62fabe8686d93ab
SHA512

05f0e28878d5a58537d1c093dcef8d6f3d085f92abc565c0b7f53aa3dd50a8199b5ecb39638c84948edffc042677bdf9028729dce2df24ad556081a63cf13bb8
SSDEEP

6144:rVF2NOx/6fcDNdvxoJURDrO5HYPGmPQq3szP4P2szYUujGphL/JO+:b2NOxyMNdvaJURDrO5Hbm4q3DxzYzGT3

Score

10^/10

modiloader xtremerat defense_evasion discovery persistence rat spyware trojan upx

Malware Config

Extracted

Family

xtremerat

emchiyeuminhanh.no-ip.org

᠐emchiyeuminhanh.no-ip.org

Signatures

Detect XtremeRAT payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2924-38-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2908-35-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2288-40-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2924-41-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2976-51-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2892-56-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\dongmanhinh.exe	modiloader_stage2
behavioral1/memory/584-55-0x0000000000400000-0x000000000046A000-memory.dmp	modiloader_stage2
behavioral1/memory/584-81-0x0000000000400000-0x000000000046A000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

dongmanhinh.exeserver_rat_xtreme.exe

pid process

584 dongmanhinh.exe
2288 server_rat_xtreme.exe

pid	process
584	dongmanhinh.exe
2288	server_rat_xtreme.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

Processes:

dongmanhinh.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	dongmanhinh.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	dongmanhinh.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	dongmanhinh.exe

Loads dropped DLL 3 IoCs

Processes:

845abed239934629a99688c07f1e23ff_JaffaCakes118.exe

pid	process
2560	845abed239934629a99688c07f1e23ff_JaffaCakes118.exe
2560	845abed239934629a99688c07f1e23ff_JaffaCakes118.exe
2560	845abed239934629a99688c07f1e23ff_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dongmanhinh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\dongmanhinh.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dongmanhinh.exe"	dongmanhinh.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2560-17-0x0000000002400000-0x0000000002416000-memory.dmp	upx
behavioral1/memory/2288-23-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\server_rat_xtreme.exe	upx
behavioral1/memory/2924-38-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2908-35-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2288-40-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2924-41-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2976-47-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2976-51-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2892-56-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

845abed239934629a99688c07f1e23ff_JaffaCakes118.exedongmanhinh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	845abed239934629a99688c07f1e23ff_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dongmanhinh.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

845abed239934629a99688c07f1e23ff_JaffaCakes118.exe

description	pid	process	target process
PID 2560 wrote to memory of 584	2560	845abed239934629a99688c07f1e23ff_JaffaCakes118.exe	dongmanhinh.exe
PID 2560 wrote to memory of 584	2560	845abed239934629a99688c07f1e23ff_JaffaCakes118.exe	dongmanhinh.exe
PID 2560 wrote to memory of 584	2560	845abed239934629a99688c07f1e23ff_JaffaCakes118.exe	dongmanhinh.exe
PID 2560 wrote to memory of 584	2560	845abed239934629a99688c07f1e23ff_JaffaCakes118.exe	dongmanhinh.exe
PID 2560 wrote to memory of 2288	2560	845abed239934629a99688c07f1e23ff_JaffaCakes118.exe	server_rat_xtreme.exe
PID 2560 wrote to memory of 2288	2560	845abed239934629a99688c07f1e23ff_JaffaCakes118.exe	server_rat_xtreme.exe
PID 2560 wrote to memory of 2288	2560	845abed239934629a99688c07f1e23ff_JaffaCakes118.exe	server_rat_xtreme.exe
PID 2560 wrote to memory of 2288	2560	845abed239934629a99688c07f1e23ff_JaffaCakes118.exe	server_rat_xtreme.exe

C:\Users\Admin\AppData\Local\Temp\845abed239934629a99688c07f1e23ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\845abed239934629a99688c07f1e23ff_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Local\Temp\dongmanhinh.exe
  "C:\Users\Admin\AppData\Local\Temp\dongmanhinh.exe"
  2⤵
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:584
- C:\Users\Admin\AppData\Local\Temp\server_rat_xtreme.exe
  "C:\Users\Admin\AppData\Local\Temp\server_rat_xtreme.exe"
  2⤵
  - Executes dropped EXE
  PID:2288
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2908

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
PID:2820

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1084
- C:\Windows\InstallDir\Server.exe
  "C:\Windows\InstallDir\Server.exe" restart
  2⤵
  PID:2976
- - C:\Windows\InstallDir\Server.exe
    "C:\Windows\InstallDir\Server.exe"
    3⤵
    PID:2892
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3048
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2984
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:904
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2856
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2904
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2692
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3036
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2868
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:316
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2812
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:372
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:376
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:860
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2440
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:388
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:336
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:1700
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2476
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2488
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2456
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2268
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2500
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2368
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2244
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:1612
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1744
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2080
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2296
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dongmanhinh.exe

Filesize
397KB

MD5
7803b78247fc0932623028e2b98f7ff8

SHA1
fac630d1315fdd8936ead20ada409cc34d2908bd

SHA256
a19cbbea5a788f492e5cf2d55abfea57bf7623e4661db85d2756d5767e8a2972

SHA512
56a6ab10595ec12a81698a17bc7fb9577853911e8215027773452488c2a8e95fd95f69d26ee59a49f0bab4055732cf74027f5c9241a64533226721a7e2f14704

Download Submit
C:\Users\Admin\AppData\Local\Temp\images.jpg

Filesize
7KB

MD5
28543f78036b0487b0dd668492a43595

SHA1
471797918267ac22b95c6a142ddc7a3897de691f

SHA256
fab447bb6f9599c08d9e0590a549ba6c2519590254b15e519e51a4ca22184192

SHA512
e33d9673d63f35a24fa93cc2f5197f99b12bb564bfb4eb04c79885051c9fb0a88c667b1e793b080f79d902a83ed385413c1721ea5ac6bd2ebdf0588a8a5dcdad

Download Submit
C:\Users\Admin\AppData\Local\Temp\server_rat_xtreme.exe

Filesize
21KB

MD5
30d63fed34cd5640da16d9dac7168c30

SHA1
aa83d65b22bee084dd6af3db970240d3c816ccd9

SHA256
138db630d4f5dc56baa454eab4edd9835d6cbf6076049df85546abd07b1cc991

SHA512
76dac8b7eb54e7ca6c19de4dad6cb1d77a532a538d6bacd46aea3eb8fe97cf9c382fd70b7e88bf76457c4b5906a3c980fa54449220911f91b3a116025138823e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
73ddcfdc9c7c2f1c2619cd42ee121a7e

SHA1
b8ee76540fe387bb00960901b42120d626a5f0b7

SHA256
0e0e81b789652bf0789a9947c26d6d2948a298f3cbfb7b9b5c91c3dcb8e61ad7

SHA512
e087789dabd24ff04ba6087be60fc6d283985bb2aed2a1f6bde85fd06bf3ee202aaf752e766376454ff9dd4bfacf1d925624db42b384f97a294d62a57f820e66

Download Submit
memory/584-49-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/584-55-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/584-81-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/584-10-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2288-40-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2288-23-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2560-24-0x0000000002550000-0x0000000002552000-memory.dmp

Filesize
8KB

Download
memory/2560-20-0x0000000002400000-0x0000000002416000-memory.dmp

Filesize
88KB

Download
memory/2560-17-0x0000000002400000-0x0000000002416000-memory.dmp

Filesize
88KB

Download
memory/2820-25-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2892-56-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2908-33-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2908-35-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2924-38-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2924-41-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2976-51-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2976-47-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download