modiloader | 6592a1c278b3c65f61c2f05022aa8a7d3ddba1db39f2716f7f145a17325b59ff

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25/11/2024, 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9deb78430bb2da07d021066aeefb6803_JaffaCakes118.exe
Size

1.0MB
MD5

9deb78430bb2da07d021066aeefb6803
SHA1

a73a3a89b4d3eba148eec98e8aa707eb0001b6eb
SHA256

6592a1c278b3c65f61c2f05022aa8a7d3ddba1db39f2716f7f145a17325b59ff
SHA512

c8c4b1a88d440ffc23e0da1eb9209401191dd10251fbe4089e0eabde97d00a02e11e5c4a770792b6757ea22f7abd67335e0ab5391302497e93f8058eda96f580
SSDEEP

24576:/eDQmXATejKj58fH7+VO5DFzdHL8GOAKOq1WQW2pwnipa7K:20mwejamH7+gJzV8nWQWbi07K

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016d3f-60.dat	modiloader_stage2
behavioral1/memory/2836-80-0x0000000000400000-0x00000000004C2000-memory.dmp	modiloader_stage2

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\Beep.sys	9deb78430bb2da07d021066aeefb6803_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Beep.sys	9deb78430bb2da07d021066aeefb6803_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
1264	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2836	2009_serve.exe

Loads dropped DLL 2 IoCs

pid	Process
2060	9deb78430bb2da07d021066aeefb6803_JaffaCakes118.exe
2060	9deb78430bb2da07d021066aeefb6803_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SetupWay.txt	2009_serve.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9deb78430bb2da07d021066aeefb6803_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2009_serve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2060	9deb78430bb2da07d021066aeefb6803_JaffaCakes118.exe
2060	9deb78430bb2da07d021066aeefb6803_JaffaCakes118.exe
2060	9deb78430bb2da07d021066aeefb6803_JaffaCakes118.exe
2060	9deb78430bb2da07d021066aeefb6803_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
468	Process not Found
468	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	9deb78430bb2da07d021066aeefb6803_JaffaCakes118.exe
Token: SeDebugPrivilege	2060	9deb78430bb2da07d021066aeefb6803_JaffaCakes118.exe
Token: SeDebugPrivilege	2060	9deb78430bb2da07d021066aeefb6803_JaffaCakes118.exe
Token: SeDebugPrivilege	2060	9deb78430bb2da07d021066aeefb6803_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2836	2060	9deb78430bb2da07d021066aeefb6803_JaffaCakes118.exe	30
PID 2060 wrote to memory of 2836	2060	9deb78430bb2da07d021066aeefb6803_JaffaCakes118.exe	30
PID 2060 wrote to memory of 2836	2060	9deb78430bb2da07d021066aeefb6803_JaffaCakes118.exe	30
PID 2060 wrote to memory of 2836	2060	9deb78430bb2da07d021066aeefb6803_JaffaCakes118.exe	30
PID 2060 wrote to memory of 1264	2060	9deb78430bb2da07d021066aeefb6803_JaffaCakes118.exe	31
PID 2060 wrote to memory of 1264	2060	9deb78430bb2da07d021066aeefb6803_JaffaCakes118.exe	31
PID 2060 wrote to memory of 1264	2060	9deb78430bb2da07d021066aeefb6803_JaffaCakes118.exe	31
PID 2060 wrote to memory of 1264	2060	9deb78430bb2da07d021066aeefb6803_JaffaCakes118.exe	31
PID 2836 wrote to memory of 1528	2836	2009_serve.exe	33
PID 2836 wrote to memory of 1528	2836	2009_serve.exe	33
PID 2836 wrote to memory of 1528	2836	2009_serve.exe	33
PID 2836 wrote to memory of 1528	2836	2009_serve.exe	33

C:\Users\Admin\AppData\Local\Temp\9deb78430bb2da07d021066aeefb6803_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9deb78430bb2da07d021066aeefb6803_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\2009_serve.exe
  "C:\Users\Admin\AppData\Local\Temp\2009_serve.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:1528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DeL!.bAt
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DeL!.bAt

Filesize
218B

MD5
ce1402564de6eb57095e3cc7b3797750

SHA1
083a63416190f201fb6376f90d1366c622e4a8b3

SHA256
f5fbf0083716beaafda77975903f11a153768dd0a99a03481172bd5fc3a8983c

SHA512
e8822e4228d6d3fb578741cbea0fbc0f91be1d73e33049836c208ba51e4e2ad685f323ed9ca3e0768eb3909a15cfda0bd074b62cc8e613642820da63a0fe28c3

Download Submit
\Users\Admin\AppData\Local\Temp\2009_serve.exe

Filesize
690KB

MD5
39d64a4ca5f4d22a18f7162b5fa1a880

SHA1
2b92ccb227d3f609f32e25a8e05d6be0a71ec841

SHA256
978bf2e843b84089ded0b43cf35ab180ee8c4e7690dd25681e43aa57bf2295c2

SHA512
41cda2c8108b906233c45ffe8adcc673279bdba7597b4f00aed749dcf456b3a3b19021970f03bfb4e4522ec9fda6891ee78ca702f2e35a451bb3ec045dc0d82e

Download Submit
memory/2060-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2060-1-0x0000000000310000-0x0000000000364000-memory.dmp

Filesize
336KB

Download
memory/2060-22-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2060-21-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2060-20-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2060-18-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2060-17-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2060-16-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2060-15-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2060-19-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2060-14-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2060-13-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2060-12-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2060-11-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2060-10-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2060-9-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2060-8-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2060-7-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2060-6-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2060-5-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2060-4-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2060-3-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2060-2-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2060-23-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/2060-28-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2060-33-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/2060-46-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/2060-53-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2060-54-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2060-52-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2060-51-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/2060-50-0x0000000003180000-0x0000000003182000-memory.dmp

Filesize
8KB

Download
memory/2060-49-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/2060-48-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/2060-47-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/2060-45-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/2060-44-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2060-43-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2060-42-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2060-41-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2060-40-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2060-39-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/2060-38-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/2060-37-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/2060-36-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/2060-35-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2060-34-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/2060-32-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/2060-31-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2060-30-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/2060-29-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2060-27-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2060-26-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2060-25-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2060-24-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/2060-77-0x0000000000310000-0x0000000000364000-memory.dmp

Filesize
336KB

Download
memory/2060-76-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2836-80-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download