modiloader | e1d125a6e187bacf3adc84b474d0d965e0bdcb37ef13b3788af39142ff5334b6

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/11/2024, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a656b19b2e923982424eda0fe0289cfb_JaffaCakes118.exe
Size

227KB
MD5

a656b19b2e923982424eda0fe0289cfb
SHA1

f883568eef51affe0b1a1cef1fbfd1f85d0d4430
SHA256

e1d125a6e187bacf3adc84b474d0d965e0bdcb37ef13b3788af39142ff5334b6
SHA512

847c2214ddf14dafd87207a5fa448be8afe31d9bd5ec1995190fa63a36d98c759d0b37c17fef27d5fd36bfd185a4e384d1f5c431819a0146580688295ff98f66
SSDEEP

3072:K7JdIwnHT+Lmfe0a5gCF1EYAfrwqFqMvFrNgZfYXD3NgLtgP5r7QJzEaTZB3Nf6:pEHTCu85gCFEbFqDZwT9gL+P9izxB9C

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/1152-9-0x0000000000400000-0x0000000000440000-memory.dmp	modiloader_stage2
behavioral1/memory/1608-22-0x0000000000400000-0x000000000043D000-memory.dmp	modiloader_stage2
behavioral1/files/0x000d000000015ceb-8.dat	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
1608	team.exe
2388	V4-TEAM.exe

Loads dropped DLL 4 IoCs

pid	Process
1152	a656b19b2e923982424eda0fe0289cfb_JaffaCakes118.exe
1152	a656b19b2e923982424eda0fe0289cfb_JaffaCakes118.exe
1608	team.exe
1608	team.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a656b19b2e923982424eda0fe0289cfb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	team.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	V4-TEAM.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2388	V4-TEAM.exe
2388	V4-TEAM.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 1608	1152	a656b19b2e923982424eda0fe0289cfb_JaffaCakes118.exe	31
PID 1152 wrote to memory of 1608	1152	a656b19b2e923982424eda0fe0289cfb_JaffaCakes118.exe	31
PID 1152 wrote to memory of 1608	1152	a656b19b2e923982424eda0fe0289cfb_JaffaCakes118.exe	31
PID 1152 wrote to memory of 1608	1152	a656b19b2e923982424eda0fe0289cfb_JaffaCakes118.exe	31
PID 1608 wrote to memory of 2388	1608	team.exe	32
PID 1608 wrote to memory of 2388	1608	team.exe	32
PID 1608 wrote to memory of 2388	1608	team.exe	32
PID 1608 wrote to memory of 2388	1608	team.exe	32

C:\Users\Admin\AppData\Local\Temp\a656b19b2e923982424eda0fe0289cfb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a656b19b2e923982424eda0fe0289cfb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\team.exe
  "C:\Users\Admin\AppData\Local\Temp\team.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Users\Admin\AppData\Local\Temp\V4-TEAM.exe
    "C:\Users\Admin\AppData\Local\Temp\V4-TEAM.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\V4-TEAM.exe

Filesize
116KB

MD5
7b9e920b460f4644478e09c56968b303

SHA1
54c79bf60b19150caf21f98c6853c428e5ee6b84

SHA256
315be9da2824ade9b734422d048edb544472585abfd5ae1ea7766fe551024e2f

SHA512
86c21ec8d06a8dd10cef3d115356fc4397be7a4da4a6f10f18aa494c12800c2e95dfd4f2936e968555fb3da9eb57d215702899e878332ff38a587c4382eadc6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\team.exe

Filesize
215KB

MD5
66c6cba24f86c4a8342ff2ee062c21a2

SHA1
702e7d914e8aed1e359e2bff49bd5965c52d1426

SHA256
3800c889aeb9208dfffa6e30cef9a6042ec5f4398ad10dcfcc423d6d21d2df46

SHA512
c2c46b4f895d015a073159906e7b4fd7590ddbe5ea4b6680062171ec2a81b0d77f1b35efeedd10c16cab46585d2b47242a17bc023309be5dfa04ef492a7e2377

Download Submit
memory/1152-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1608-22-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download