modiloader | a1e1bf019e1473c81f1794c7d6efe2fa44f73d8dd41579181d599ed9adce695a

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2024 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
Size

276KB
MD5

8c90a826384c633546592424bb3730d7
SHA1

9db30d21d36a4eb034bed2f1ba5ab2897ccb9e1a
SHA256

a1e1bf019e1473c81f1794c7d6efe2fa44f73d8dd41579181d599ed9adce695a
SHA512

939208b9c49fc0c1e388fe13437817567efb673c69f5cdcd4435acf96d9e8f8ede9770df7bdd3cae12b8f7a5cc2c42fc1c3fde28c6ba9656bca844b752864fd5
SSDEEP

3072:8oLx4aa/VAJixnr4GBa/Gez2BlZUfqZUACA7y1:Jhz2B/UfqZZCA7

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1888-3-0x0000000000400000-0x0000000000415000-memory.dmp	modiloader_stage2
behavioral2/memory/1888-2-0x0000000000400000-0x0000000000415000-memory.dmp	modiloader_stage2
behavioral2/memory/1888-4-0x0000000000400000-0x0000000000415000-memory.dmp	modiloader_stage2
behavioral2/memory/1888-5-0x0000000000400000-0x0000000000415000-memory.dmp	modiloader_stage2
behavioral2/memory/1888-16-0x0000000000400000-0x0000000000415000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8c90a826384c633546592424bb3730d7_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

server.exe

pid	Process
3492	server.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

8c90a826384c633546592424bb3730d7_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2292 set thread context of 1888	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	86
PID 2292 set thread context of 0	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8c90a826384c633546592424bb3730d7_JaffaCakes118.exe8c90a826384c633546592424bb3730d7_JaffaCakes118.exeserver.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

server.exe

pid	Process
3492	server.exe
3492	server.exe
3492	server.exe
3492	server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

8c90a826384c633546592424bb3730d7_JaffaCakes118.exe

pid	Process
2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

8c90a826384c633546592424bb3730d7_JaffaCakes118.exe8c90a826384c633546592424bb3730d7_JaffaCakes118.exeserver.exe

description	pid	Process	procid_target
PID 2292 wrote to memory of 1888	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	86
PID 2292 wrote to memory of 1888	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	86
PID 2292 wrote to memory of 1888	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	86
PID 2292 wrote to memory of 1888	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	86
PID 2292 wrote to memory of 1888	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	86
PID 2292 wrote to memory of 1888	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	86
PID 2292 wrote to memory of 1888	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	86
PID 2292 wrote to memory of 1888	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	86
PID 2292 wrote to memory of 1888	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	86
PID 2292 wrote to memory of 1888	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	86
PID 2292 wrote to memory of 1888	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	86
PID 2292 wrote to memory of 1888	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	86
PID 2292 wrote to memory of 1888	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	86
PID 2292 wrote to memory of 0	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
PID 2292 wrote to memory of 0	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
PID 2292 wrote to memory of 0	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
PID 2292 wrote to memory of 0	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
PID 2292 wrote to memory of 0	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
PID 2292 wrote to memory of 0	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
PID 2292 wrote to memory of 0	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
PID 2292 wrote to memory of 0	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
PID 2292 wrote to memory of 0	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
PID 2292 wrote to memory of 0	2292	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
PID 1888 wrote to memory of 3492	1888	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	88
PID 1888 wrote to memory of 3492	1888	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	88
PID 1888 wrote to memory of 3492	1888	8c90a826384c633546592424bb3730d7_JaffaCakes118.exe	88
PID 3492 wrote to memory of 3392	3492	server.exe	56
PID 3492 wrote to memory of 3392	3492	server.exe	56
PID 3492 wrote to memory of 3392	3492	server.exe	56
PID 3492 wrote to memory of 3392	3492	server.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3392
- C:\Users\Admin\AppData\Local\Temp\8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\8c90a826384c633546592424bb3730d7_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\8c90a826384c633546592424bb3730d7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8c90a826384c633546592424bb3730d7_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
31KB

MD5
678b28948b01007ff850a98c0d95c6a5

SHA1
475ebca185653405567870a79dfc0f456037cd6b

SHA256
8526bb1ee1aa499cb80f324854b6524749435eeb699b635f4ba054bfd959579d

SHA512
b400449e383cfbc8963964bcb8a3254265aef0f46cbe2baae25d2bd32338f2d8fa7d3efcf372480d178cb330d702ea075a8a7a18c3d71a4bb90be3d46f75784e

Download Submit
memory/1888-3-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1888-2-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1888-4-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1888-5-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1888-16-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3392-19-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3392-20-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/3492-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3492-18-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download