modiloader | db35aa1417f0091d67fe4613af5d7b72c315f5ba8d0a239fd26890d5eef69c89

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2024, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
Size

591KB
MD5

a41452404631c973176d912d6cbf7681
SHA1

02997ce62466199829a90a4540940886b783e20d
SHA256

db35aa1417f0091d67fe4613af5d7b72c315f5ba8d0a239fd26890d5eef69c89
SHA512

7aed608a28fe5b9f4a355ea0a59d802ac066bd4a84c62453fc888788c3f83843d2654c1bb88e0f3d69325973d5511070e03d25b81a15ae6b06146bf0cfdaa73a
SSDEEP

12288:0YgOMDy+NI4RvqTIMwrVWIbhMorKF3Z4mxx0oEtlK+kt9T2MM:tgL+atRvlMwr4bQmXNGp

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral2/memory/4028-63-0x0000000000400000-0x0000000000557000-memory.dmp	modiloader_stage2
behavioral2/memory/3896-87-0x0000000000400000-0x0000000000557000-memory.dmp	modiloader_stage2
behavioral2/memory/4028-95-0x0000000000400000-0x0000000000557000-memory.dmp	modiloader_stage2
behavioral2/memory/3896-98-0x0000000000400000-0x0000000000557000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
3896	rejoice81.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\X:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\B:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\J:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\P:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\R:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\T:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\U:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\Y:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\A:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\G:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\I:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\Z:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\K:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\M:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\N:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\W:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\E:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\H:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\L:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\O:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\Q:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened (read-only)	\??\S:	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AutoRun.inf	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened for modification	F:\AutoRun.inf	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_rejoice81.exe	rejoice81.exe
File opened for modification	C:\Windows\SysWOW64\_rejoice81.exe	rejoice81.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3896 set thread context of 2004	3896	rejoice81.exe	86

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
100	3896	WerFault.exe	85
5092	2004	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rejoice81.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 3896	4028	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe	85
PID 4028 wrote to memory of 3896	4028	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe	85
PID 4028 wrote to memory of 3896	4028	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe	85
PID 3896 wrote to memory of 2004	3896	rejoice81.exe	86
PID 3896 wrote to memory of 2004	3896	rejoice81.exe	86
PID 3896 wrote to memory of 2004	3896	rejoice81.exe	86
PID 3896 wrote to memory of 2004	3896	rejoice81.exe	86
PID 3896 wrote to memory of 2004	3896	rejoice81.exe	86
PID 3896 wrote to memory of 1932	3896	rejoice81.exe	87
PID 3896 wrote to memory of 1932	3896	rejoice81.exe	87
PID 4028 wrote to memory of 4072	4028	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe	94
PID 4028 wrote to memory of 4072	4028	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe	94
PID 4028 wrote to memory of 4072	4028	a41452404631c973176d912d6cbf7681_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\a41452404631c973176d912d6cbf7681_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a41452404631c973176d912d6cbf7681_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice81.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:2004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 12
      4⤵
      Program crash
      PID:5092
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 688
    3⤵
    - Program crash
    PID:100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2004 -ip 2004
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3896 -ip 3896
1⤵
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AutoRun.inf

Filesize
175B

MD5
ec717a148c0c1573ad6a89a66095c8a0

SHA1
2677e5c816b191a5941be928f014ec201e7de18f

SHA256
d9c1af73c937692718c241a501d6213fac7803ab2f8504a845a540baf047c218

SHA512
1a925338fbdbb79bb8e38064b092d5a2dbd47095751ac9e88490f255db050598f209aa97da0d8a9984e173059cb13019d2f187d0efc9777afc6fcf82fb763797

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat

Filesize
212B

MD5
5fe82b9f4a9e2280c494b0ff4f017746

SHA1
6f0fe930869f11bc981e6ed320568d892f22c9f5

SHA256
e8f519343fd0b3149d64a061b9668b4e3ab9d4be24416f1e8084c6b1c950103d

SHA512
b8358711ce02f94b677da240d13d49b5ed271f24b079318dd139e8bcc45fb38021569e695fd13d272b693584bb9722d743da063f08271ae176d57e649f801dc0

Download Submit
F:\rejoice81.exe

Filesize
591KB

MD5
a41452404631c973176d912d6cbf7681

SHA1
02997ce62466199829a90a4540940886b783e20d

SHA256
db35aa1417f0091d67fe4613af5d7b72c315f5ba8d0a239fd26890d5eef69c89

SHA512
7aed608a28fe5b9f4a355ea0a59d802ac066bd4a84c62453fc888788c3f83843d2654c1bb88e0f3d69325973d5511070e03d25b81a15ae6b06146bf0cfdaa73a

Download Submit
memory/2004-90-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/3896-87-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/3896-98-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/4028-34-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-30-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-32-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-62-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-61-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-60-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-59-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-58-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-57-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-56-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-55-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-54-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-52-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-51-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-50-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-49-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-48-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-47-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-46-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-45-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-44-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-43-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-42-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-41-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-40-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-39-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-38-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-37-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-36-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-35-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-1-0x0000000002370000-0x00000000023C4000-memory.dmp

Filesize
336KB

Download
memory/4028-33-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-53-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-7-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/4028-23-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-29-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-28-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-27-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-26-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-25-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-24-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-31-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-22-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-21-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-20-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-19-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-18-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-17-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-16-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4028-15-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/4028-14-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/4028-13-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/4028-12-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/4028-11-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/4028-10-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/4028-9-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/4028-8-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/4028-3-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4028-6-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/4028-5-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/4028-4-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/4028-2-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/4028-63-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/4028-95-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/4028-0-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/4028-96-0x0000000002370000-0x00000000023C4000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads