modiloader | db35aa1417f0091d67fe4613af5d7b72c315f5ba8d0a239fd26890d5eef69c89

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/11/2024, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
Size

591KB
MD5

a41452404631c973176d912d6cbf7681
SHA1

02997ce62466199829a90a4540940886b783e20d
SHA256

db35aa1417f0091d67fe4613af5d7b72c315f5ba8d0a239fd26890d5eef69c89
SHA512

7aed608a28fe5b9f4a355ea0a59d802ac066bd4a84c62453fc888788c3f83843d2654c1bb88e0f3d69325973d5511070e03d25b81a15ae6b06146bf0cfdaa73a
SSDEEP

12288:0YgOMDy+NI4RvqTIMwrVWIbhMorKF3Z4mxx0oEtlK+kt9T2MM:tgL+atRvlMwr4bQmXNGp

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral1/memory/1884-46-0x0000000000400000-0x0000000000557000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-89-0x0000000000400000-0x0000000000557000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-105-0x0000000000400000-0x0000000000557000-memory.dmp	modiloader_stage2
behavioral1/memory/3036-107-0x0000000000400000-0x0000000000557000-memory.dmp	modiloader_stage2
behavioral1/memory/3036-108-0x0000000000400000-0x0000000000557000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
1112	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3036	rejoice81.exe

Loads dropped DLL 5 IoCs

pid	Process
1884	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
1884	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
2988	WerFault.exe
2988	WerFault.exe
2988	WerFault.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\V:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\X:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\Q:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\S:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\U:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\W:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\H:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\K:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\M:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\B:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\G:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\T:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\J:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\N:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\O:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\P:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\R:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\A:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\E:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\I:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\Y:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\Z:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AutoRun.inf	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened for modification	F:\AutoRun.inf	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_rejoice81.exe	rejoice81.exe
File opened for modification	C:\Windows\SysWOW64\_rejoice81.exe	rejoice81.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3036 set thread context of 2772	3036	rejoice81.exe	31

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2988	3036	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rejoice81.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 3036	1884	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe	30
PID 1884 wrote to memory of 3036	1884	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe	30
PID 1884 wrote to memory of 3036	1884	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe	30
PID 1884 wrote to memory of 3036	1884	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe	30
PID 3036 wrote to memory of 2772	3036	rejoice81.exe	31
PID 3036 wrote to memory of 2772	3036	rejoice81.exe	31
PID 3036 wrote to memory of 2772	3036	rejoice81.exe	31
PID 3036 wrote to memory of 2772	3036	rejoice81.exe	31
PID 3036 wrote to memory of 2772	3036	rejoice81.exe	31
PID 3036 wrote to memory of 2772	3036	rejoice81.exe	31
PID 3036 wrote to memory of 2988	3036	rejoice81.exe	32
PID 3036 wrote to memory of 2988	3036	rejoice81.exe	32
PID 3036 wrote to memory of 2988	3036	rejoice81.exe	32
PID 3036 wrote to memory of 2988	3036	rejoice81.exe	32
PID 1884 wrote to memory of 1112	1884	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe	33
PID 1884 wrote to memory of 1112	1884	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe	33
PID 1884 wrote to memory of 1112	1884	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe	33
PID 1884 wrote to memory of 1112	1884	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a41452404631c973176d912d6cbf7681_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 300
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AutoRun.inf

Filesize
175B

MD5
ec717a148c0c1573ad6a89a66095c8a0

SHA1
2677e5c816b191a5941be928f014ec201e7de18f

SHA256
d9c1af73c937692718c241a501d6213fac7803ab2f8504a845a540baf047c218

SHA512
1a925338fbdbb79bb8e38064b092d5a2dbd47095751ac9e88490f255db050598f209aa97da0d8a9984e173059cb13019d2f187d0efc9777afc6fcf82fb763797

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\ReDelBat.bat

Filesize
212B

MD5
5fe82b9f4a9e2280c494b0ff4f017746

SHA1
6f0fe930869f11bc981e6ed320568d892f22c9f5

SHA256
e8f519343fd0b3149d64a061b9668b4e3ab9d4be24416f1e8084c6b1c950103d

SHA512
b8358711ce02f94b677da240d13d49b5ed271f24b079318dd139e8bcc45fb38021569e695fd13d272b693584bb9722d743da063f08271ae176d57e649f801dc0

Download Submit
F:\rejoice81.exe

Filesize
591KB

MD5
a41452404631c973176d912d6cbf7681

SHA1
02997ce62466199829a90a4540940886b783e20d

SHA256
db35aa1417f0091d67fe4613af5d7b72c315f5ba8d0a239fd26890d5eef69c89

SHA512
7aed608a28fe5b9f4a355ea0a59d802ac066bd4a84c62453fc888788c3f83843d2654c1bb88e0f3d69325973d5511070e03d25b81a15ae6b06146bf0cfdaa73a

Download Submit
memory/1884-16-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1884-36-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-5-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/1884-6-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1884-7-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/1884-8-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/1884-9-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/1884-10-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/1884-11-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1884-12-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1884-13-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1884-14-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1884-15-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1884-0-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1884-17-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-18-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-19-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-20-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-21-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-22-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-23-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-24-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-25-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-26-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-27-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-28-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-29-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-30-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-31-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-32-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-4-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/1884-33-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-45-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-34-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-37-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-38-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-39-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-40-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-41-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-42-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-35-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-44-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-43-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-46-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1884-3-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/1884-2-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/1884-74-0x0000000004350000-0x00000000044A7000-memory.dmp

Filesize
1.3MB

Download
memory/1884-105-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1884-73-0x0000000004350000-0x00000000044A7000-memory.dmp

Filesize
1.3MB

Download
memory/1884-1-0x0000000001E90000-0x0000000001EE4000-memory.dmp

Filesize
336KB

Download
memory/1884-91-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1884-89-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1884-90-0x0000000001E90000-0x0000000001EE4000-memory.dmp

Filesize
336KB

Download
memory/1884-92-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1884-97-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1884-96-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1884-95-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1884-94-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1884-93-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/2772-84-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2772-81-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3036-76-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/3036-107-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/3036-108-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads