modiloader | fc05cc57a8de5b04ab4e329a8d42010461ef51a275fe5b0159de5210876d730d

Analysis

max time kernel
120s
max time network
129s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ecb49e4b3c9f1e4469ed0237d505b52_JaffaCakes118.exe
Size

1.8MB
MD5

8ecb49e4b3c9f1e4469ed0237d505b52
SHA1

6482f37a3568bfd0584881e678411534785bdce7
SHA256

fc05cc57a8de5b04ab4e329a8d42010461ef51a275fe5b0159de5210876d730d
SHA512

a35dab6f3f992c796ef58a9fa1e3d17eb3cd1c72cc769cfc056b953426d3787fe95fac84e3a927f3260371be661330af636c1be59d2da74583b4f2a879bfe8cf
SSDEEP

49152:X1dlZolYt6L163lEYZwIB6HL0zQIaZp+4faO:X1dl2lYt6Ls1EcAroQj+7O

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2720-28-0x0000000020001000-0x0000000020004000-memory.dmp	modiloader_stage2
behavioral1/memory/2720-50-0x0000000020001000-0x0000000020004000-memory.dmp	modiloader_stage2
behavioral1/memory/2720-43-0x0000000020000000-0x0000000020037000-memory.dmp	modiloader_stage2
behavioral1/memory/2720-46-0x0000000020000000-0x0000000020037000-memory.dmp	modiloader_stage2

Executes dropped EXE 4 IoCs

Processes:

server2.exeserver2.exeDriver Vibracion mandos Play.exeDriver Vibracion mandos Play.exe

pid	Process
2720	server2.exe
2500	server2.exe
592	Driver Vibracion mandos Play.exe
1688	Driver Vibracion mandos Play.exe

Loads dropped DLL 6 IoCs

Processes:

Driver Vibracion mandos Play.exe

pid	Process
1688	Driver Vibracion mandos Play.exe
1688	Driver Vibracion mandos Play.exe
1688	Driver Vibracion mandos Play.exe
1688	Driver Vibracion mandos Play.exe
1688	Driver Vibracion mandos Play.exe
1688	Driver Vibracion mandos Play.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

server2.exe

description	pid	Process	procid_target
PID 2720 set thread context of 2500	2720	server2.exe	31

Drops file in Program Files directory 6 IoCs

Processes:

Driver Vibracion mandos Play.exe

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKeA175.tmp	Driver Vibracion mandos Play.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKeA175.tmp	Driver Vibracion mandos Play.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\set9FDB.tmp	Driver Vibracion mandos Play.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\isp9FCA.tmp\temp.000	Driver Vibracion mandos Play.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ispA05A.tmp\temp.000	Driver Vibracion mandos Play.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ispA05A.tmp\iGdi.dll	Driver Vibracion mandos Play.exe

Drops file in Windows directory 3 IoCs

Processes:

8ecb49e4b3c9f1e4469ed0237d505b52_JaffaCakes118.exe

description	ioc	Process
File created	C:\Windows\Driver Vibracion mandos Play.exe	8ecb49e4b3c9f1e4469ed0237d505b52_JaffaCakes118.exe
File created	C:\Windows\server2.exe	8ecb49e4b3c9f1e4469ed0237d505b52_JaffaCakes118.exe
File opened for modification	C:\Windows\‰‚<ŠÞ'÷¯qp¥Ñ6ñ6”Å,7ÞÕ‘FqÀÐJ[ƒOO'É¶R RÍÙ•AW SAð ¹ á8=ØxÜž1oûX”'ŒÇË‹C¸h–âÖ ¶ËÆh ¸àp™’<ûrwƒøF™Ä• 5m¬¼wa\|pº†¹\-¯ðÉ‡^0º	8ecb49e4b3c9f1e4469ed0237d505b52_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8ecb49e4b3c9f1e4469ed0237d505b52_JaffaCakes118.exeserver2.exeDriver Vibracion mandos Play.exeDriver Vibracion mandos Play.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ecb49e4b3c9f1e4469ed0237d505b52_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Driver Vibracion mandos Play.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Driver Vibracion mandos Play.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

server2.exe

pid	Process
2720	server2.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

8ecb49e4b3c9f1e4469ed0237d505b52_JaffaCakes118.exeserver2.exeDriver Vibracion mandos Play.exe

description	pid	Process	procid_target
PID 2848 wrote to memory of 2720	2848	8ecb49e4b3c9f1e4469ed0237d505b52_JaffaCakes118.exe	30
PID 2848 wrote to memory of 2720	2848	8ecb49e4b3c9f1e4469ed0237d505b52_JaffaCakes118.exe	30
PID 2848 wrote to memory of 2720	2848	8ecb49e4b3c9f1e4469ed0237d505b52_JaffaCakes118.exe	30
PID 2848 wrote to memory of 2720	2848	8ecb49e4b3c9f1e4469ed0237d505b52_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2500	2720	server2.exe	31
PID 2720 wrote to memory of 2500	2720	server2.exe	31
PID 2720 wrote to memory of 2500	2720	server2.exe	31
PID 2720 wrote to memory of 2500	2720	server2.exe	31
PID 2720 wrote to memory of 2500	2720	server2.exe	31
PID 2720 wrote to memory of 2500	2720	server2.exe	31
PID 2848 wrote to memory of 592	2848	8ecb49e4b3c9f1e4469ed0237d505b52_JaffaCakes118.exe	32
PID 2848 wrote to memory of 592	2848	8ecb49e4b3c9f1e4469ed0237d505b52_JaffaCakes118.exe	32
PID 2848 wrote to memory of 592	2848	8ecb49e4b3c9f1e4469ed0237d505b52_JaffaCakes118.exe	32
PID 2848 wrote to memory of 592	2848	8ecb49e4b3c9f1e4469ed0237d505b52_JaffaCakes118.exe	32
PID 2848 wrote to memory of 592	2848	8ecb49e4b3c9f1e4469ed0237d505b52_JaffaCakes118.exe	32
PID 2848 wrote to memory of 592	2848	8ecb49e4b3c9f1e4469ed0237d505b52_JaffaCakes118.exe	32
PID 2848 wrote to memory of 592	2848	8ecb49e4b3c9f1e4469ed0237d505b52_JaffaCakes118.exe	32
PID 592 wrote to memory of 1688	592	Driver Vibracion mandos Play.exe	33
PID 592 wrote to memory of 1688	592	Driver Vibracion mandos Play.exe	33
PID 592 wrote to memory of 1688	592	Driver Vibracion mandos Play.exe	33
PID 592 wrote to memory of 1688	592	Driver Vibracion mandos Play.exe	33
PID 592 wrote to memory of 1688	592	Driver Vibracion mandos Play.exe	33
PID 592 wrote to memory of 1688	592	Driver Vibracion mandos Play.exe	33
PID 592 wrote to memory of 1688	592	Driver Vibracion mandos Play.exe	33

C:\Users\Admin\AppData\Local\Temp\8ecb49e4b3c9f1e4469ed0237d505b52_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ecb49e4b3c9f1e4469ed0237d505b52_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\server2.exe
  "C:\Windows\server2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\server2.exe
    C:\Windows\server2.exe
    3⤵
    - Executes dropped EXE
    PID:2500
- C:\Windows\Driver Vibracion mandos Play.exe
  "C:\Windows\Driver Vibracion mandos Play.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Windows\Driver Vibracion mandos Play.exe
    "C:\Windows\Driver Vibracion mandos Play.exe" -deleter
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ISPackFiles.ini

Filesize
750B

MD5
6a5a7998b617118c9e26bb3af5c1fc47

SHA1
5e49420b6326aad8ff961cbbfeac38b421a92b72

SHA256
0e198b4c4efc4bd8e0f60e8594f4a1417080c76e50bf69c2b93bc8f74e3450cb

SHA512
bdc5feab1b73c9d0e05bae75aaebb06bdd232aa912e2527f13ae280f5f58c66f8143b0f5af72ba19ca39074bbfb86ea769aab71e193818447c1bf516378d093c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_isdelet.ini

Filesize
155B

MD5
dfacb78bd3277779e18b6302262e2915

SHA1
d5fbddd75a16cb67c8eaa863912c10da07240faa

SHA256
bc226c7aa5d36461d903635feb823740b7e9367c81e96e658915e4e8445b3410

SHA512
c97626b69e8ce7942bb7cafd619d84243614f231bdcebfba06ac1db2674877d21b82e894c0a542e33b56414a9662355236819999242b1e4d1455fc27cd20adbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bye9E42.tmp\Disk1\setup.ibt

Filesize
386KB

MD5
9402376c4dce39be1021b5f7ee2a6a80

SHA1
2e3a387969b92a47b64fc606a12a680b6b026c79

SHA256
e5908cd7a47f15dc7ac16b81ccb151576771e68594275dccff5119711afb6c0b

SHA512
59af674c92733e9a068cc8df38a59d3867f167acd8c1b3317330d59244c4090b3e8caac08a62341a42678dd8914c07ded6041f8815f92664ab36e49ab5ceaeb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iss9E72.tmp\setup.ini

Filesize
426B

MD5
ca1a1301364b46a88b557f920b0f15f9

SHA1
28cf00545bc21163255b6a4afb6379db103f4b4c

SHA256
96e71796e327a59711b6f85da1a45d37af1d7c5c61d892a2510c21340c6de724

SHA512
09396cfc5362c771e7caa2576d18882918581bbcf6f2fc1d84c0bbe7f05027cfeafd7a3d567692c930902e52ac52ef67fbcde81ba8577b5fcb83d30f77fed929

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfx.ini

Filesize
232B

MD5
6815d3baab99961d11518e0298e03ceb

SHA1
52aa7841e6d5ae2ab8daf321b3df68f747d7e584

SHA256
0e75c83b830678c435c1935f2067844e29c1b5e731f574981b936d956b86913a

SHA512
ac2a50330c8dd2d9686a18590dab31c60e0374a756450dee5f0f385683198f66358ee086f952692e5280a17884c16d08a5fdac04563ebb264e583afc0db27565

Download Submit
C:\Windows\Driver Vibracion mandos Play.exe

Filesize
1.7MB

MD5
dae70bdab236221f0cbe52be9935373d

SHA1
cce4fc25b917d607da94615b58581d97e36cab4b

SHA256
4c59a8205e48dd8147cf9ebbd4b2e92957b383ca2d511d7a1ee569ad1bbabe5e

SHA512
400be583af95897cfee0c09e1386a07198c5333fc942048e6c7efd7ccb1f5491258ca7bd7a472a68ccf288e9797494eceebccd83a7b289ae70e20c8b1b944d1b

Download Submit
C:\Windows\server2.exe

Filesize
170KB

MD5
01d596d6eb627b47aecf33fc544b6581

SHA1
388b67952e8761eadedb68e8874aba01c422a5da

SHA256
754f0ecbd3cc9dc6da574ac0b612ce2901c7d84610654fe56d7feade25b62a45

SHA512
61a672959634e907ea4f64495acdeb9849efd0022970f7a5fb9e670f1b22fcd1d04d02f795d61d1dbbbe19c56c4f146ed7430f71c5404185e300a87b9d01c315

Download Submit
\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKeA175.tmp

Filesize
736KB

MD5
594678e8fc20d430eb7bd2de53f8f307

SHA1
0fa3e19b6444847f840b53786d92f2847c07959d

SHA256
8f137730eb7330b72ade6b67d6c4b3d6793280423a4e29c53973662a95fa24ba

SHA512
f2a336d69ed17c3beb7ccbcfdae6a74a19a0faa9a9cc342a072aee5257d5ab2c2bf7cd69bab429f6c44449cbbd1763bdb72bcd50dd82b5df3e4276fdae406b84

Download Submit
\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ispA05A.tmp\IGdi.dll

Filesize
196KB

MD5
cd37457a02ebb8cc8596ec1ec4805959

SHA1
b280ab56de15b2ba67bef5152f1489c04da02bbd

SHA256
07ced62e7f3611fb56840480778b3cce83ee02913de95bcd67f52dcb9fb0b0ed

SHA512
b35fb4006d1290a56d60c04e10d87ea6768c88a83ac26b36b29b1fdc583b17f48461a6afce12a58f036980467a8859f8258b6c9dcaf8066a89f62613e67bdd84

Download Submit
\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll

Filesize
324KB

MD5
5b5182aa2d922801cbf083b2a69b1a46

SHA1
6dd0c36b874374b9c16c77ed8cd95c8c405358b4

SHA256
83412e1ed4caf8043a731b8cd86d739d85c831d01ccacc28c440343bbbca7a80

SHA512
c81005b53b495f69170530ee0f48f6772f7083e1fe2959cc78020a595d27498e0242ccaa3845a9cedfb52eee227726b084ce882b2fc3528efb32d895738dff63

Download Submit
\Users\Admin\AppData\Local\Temp\ispA059.tmp\_Setup.dll

Filesize
156KB

MD5
2656cb75c1f6b71cde6b7e7b3645e1d9

SHA1
7d20db395762e7ce19bf43c4e57820ac37d04db3

SHA256
12440426c955f9cadf425222da0a592c7e16ed9c4486225f4dc53378b59ab7b0

SHA512
bc1f6d579863a3435c4532b2dbeb3fb4258e9f0d0a85062b33709a28f3449197e86608d91e6ed5826291cde8328bc2238b1c7e4302e9f25bef4c7f50a1726af6

Download Submit
memory/1688-150-0x00000000022C0000-0x00000000022F3000-memory.dmp

Filesize
204KB

Download
memory/2500-48-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2500-41-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2500-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2500-37-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2720-28-0x0000000020001000-0x0000000020004000-memory.dmp

Filesize
12KB

Download
memory/2720-46-0x0000000020000000-0x0000000020037000-memory.dmp

Filesize
220KB

Download
memory/2720-43-0x0000000020000000-0x0000000020037000-memory.dmp

Filesize
220KB

Download
memory/2720-49-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/2720-50-0x0000000020001000-0x0000000020004000-memory.dmp

Filesize
12KB

Download
memory/2720-29-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2720-27-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/2720-26-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/2848-51-0x0000000020000000-0x0000000020037000-memory.dmp

Filesize
220KB

Download
memory/2848-20-0x0000000020000000-0x0000000020037000-memory.dmp

Filesize
220KB

Download