modiloader | a1e1bf019e1473c81f1794c7d6efe2fa44f73d8dd41579181d599ed9adce695a

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-11-2024 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
Size

276KB
MD5

8c90a826384c633546592424bb3730d7
SHA1

9db30d21d36a4eb034bed2f1ba5ab2897ccb9e1a
SHA256

a1e1bf019e1473c81f1794c7d6efe2fa44f73d8dd41579181d599ed9adce695a
SHA512

939208b9c49fc0c1e388fe13437817567efb673c69f5cdcd4435acf96d9e8f8ede9770df7bdd3cae12b8f7a5cc2c42fc1c3fde28c6ba9656bca844b752864fd5
SSDEEP

3072:8oLx4aa/VAJixnr4GBa/Gez2BlZUfqZUACA7y1:Jhz2B/UfqZZCA7

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3020-2-0x0000000000400000-0x0000000000415000-memory.dmp	modiloader_stage2
behavioral1/memory/3020-6-0x0000000000400000-0x0000000000415000-memory.dmp	modiloader_stage2
behavioral1/memory/3020-4-0x0000000000400000-0x0000000000415000-memory.dmp	modiloader_stage2
behavioral1/memory/3020-3-0x0000000000400000-0x0000000000415000-memory.dmp	modiloader_stage2
behavioral1/memory/3020-22-0x0000000000400000-0x0000000000415000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

server.exe

pid	Process
2364	server.exe

Loads dropped DLL 2 IoCs

Processes:

8c90a826384c633546592424bb3730d7_JaffaCakes118.exe

pid	Process
3020	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
3020	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

8c90a826384c633546592424bb3730d7_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2212 set thread context of 3020	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	30
PID 2212 set thread context of 0	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8c90a826384c633546592424bb3730d7_JaffaCakes118.exe8c90a826384c633546592424bb3730d7_JaffaCakes118.exeserver.exeDllHost.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

server.exe

pid	Process
2364	server.exe
2364	server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid	Process
2760	DllHost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

8c90a826384c633546592424bb3730d7_JaffaCakes118.exeDllHost.exe

pid	Process
2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
2760	DllHost.exe
2760	DllHost.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

8c90a826384c633546592424bb3730d7_JaffaCakes118.exe8c90a826384c633546592424bb3730d7_JaffaCakes118.exeserver.exe

description	pid	Process	procid_target
PID 2212 wrote to memory of 3020	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	30
PID 2212 wrote to memory of 3020	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	30
PID 2212 wrote to memory of 3020	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	30
PID 2212 wrote to memory of 3020	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	30
PID 2212 wrote to memory of 3020	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	30
PID 2212 wrote to memory of 3020	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	30
PID 2212 wrote to memory of 3020	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	30
PID 2212 wrote to memory of 3020	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	30
PID 2212 wrote to memory of 3020	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	30
PID 2212 wrote to memory of 3020	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	30
PID 2212 wrote to memory of 3020	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	30
PID 2212 wrote to memory of 3020	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	30
PID 2212 wrote to memory of 3020	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	30
PID 2212 wrote to memory of 3020	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	30
PID 2212 wrote to memory of 0	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
PID 2212 wrote to memory of 0	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
PID 2212 wrote to memory of 0	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
PID 2212 wrote to memory of 0	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
PID 2212 wrote to memory of 0	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
PID 2212 wrote to memory of 0	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
PID 2212 wrote to memory of 0	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
PID 2212 wrote to memory of 0	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
PID 2212 wrote to memory of 0	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
PID 2212 wrote to memory of 0	2212	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
PID 3020 wrote to memory of 2364	3020	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	31
PID 3020 wrote to memory of 2364	3020	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	31
PID 3020 wrote to memory of 2364	3020	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	31
PID 3020 wrote to memory of 2364	3020	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	31
PID 2364 wrote to memory of 1232	2364	server.exe	21
PID 2364 wrote to memory of 1232	2364	server.exe	21
PID 2364 wrote to memory of 1232	2364	server.exe	21
PID 2364 wrote to memory of 1232	2364	server.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\8c90a826384c633546592424bb3730d7_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Users\Admin\AppData\Local\Temp\8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8c90a826384c633546592424bb3730d7_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2364

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\810629824jpg.jpg

Filesize
14KB

MD5
bd5a78860f20f493ee03ba0013191196

SHA1
8af5fc36231a8a18d273ac4d490e2087f3d8292e

SHA256
a987e47e78f6d112889fc3d07ac96bfd49dda8c186bf79e2ee77238f5068c219

SHA512
ca62298aa81454dba54313fbc0834638a872b82be538fc30fa7835afb2a82490c09e7ffbbb84433ef7e23fb6350e9c114b828eb56fbd63f0830faa4d33936fd0

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
31KB

MD5
678b28948b01007ff850a98c0d95c6a5

SHA1
475ebca185653405567870a79dfc0f456037cd6b

SHA256
8526bb1ee1aa499cb80f324854b6524749435eeb699b635f4ba054bfd959579d

SHA512
b400449e383cfbc8963964bcb8a3254265aef0f46cbe2baae25d2bd32338f2d8fa7d3efcf372480d178cb330d702ea075a8a7a18c3d71a4bb90be3d46f75784e

Download Submit
memory/1232-28-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1232-25-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/2364-37-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2760-19-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3020-16-0x0000000000870000-0x0000000000879000-memory.dmp

Filesize
36KB

Download
memory/3020-2-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3020-18-0x00000000021D0000-0x00000000021D2000-memory.dmp

Filesize
8KB

Download
memory/3020-22-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3020-9-0x0000000000870000-0x0000000000879000-memory.dmp

Filesize
36KB

Download
memory/3020-3-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3020-4-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3020-6-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download