modiloader | 1ec5f3602547475192ddbab52e0b307c263477a04389de082b61f2057fc82b49

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27/11/2024, 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7d03bacb5e4add586615998c76a9846_JaffaCakes118.exe
Size

140KB
MD5

a7d03bacb5e4add586615998c76a9846
SHA1

ecfee0ce76a29a88b0b76efc1d89685ad2485adb
SHA256

1ec5f3602547475192ddbab52e0b307c263477a04389de082b61f2057fc82b49
SHA512

3aecfe5dccbdaa7cf0848040e7ffa222ee25171ed15695d800c8aaf26925f983b497c96bfa5004805629949f11434bbae7e3c032cade5d8e54c92a44a21e84c5
SSDEEP

3072:HuepxZYYYYYYYYYYYUNHCtFQUdSo3cWmyYYHLZyESW/4697G:9pPYYYYYYYYYYYUNSyESJdyqESQJ

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2756-12-0x0000000000400000-0x000000000042A000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2832	Tafali.exe

Loads dropped DLL 2 IoCs

pid	Process
2756	a7d03bacb5e4add586615998c76a9846_JaffaCakes118.exe
2756	a7d03bacb5e4add586615998c76a9846_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a7d03bacb5e4add586615998c76a9846_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2844	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2844	DllHost.exe
2844	DllHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2832	2756	a7d03bacb5e4add586615998c76a9846_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2832	2756	a7d03bacb5e4add586615998c76a9846_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2832	2756	a7d03bacb5e4add586615998c76a9846_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2832	2756	a7d03bacb5e4add586615998c76a9846_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\a7d03bacb5e4add586615998c76a9846_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a7d03bacb5e4add586615998c76a9846_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\Tafali.exe
  "C:\Users\Admin\AppData\Local\Temp\Tafali.exe"
  2⤵
  - Executes dropped EXE
  PID:2832

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ãßáå ÌãÇá ÇáÚÇáã 2009.jpg

Filesize
51KB

MD5
4d70d48d1024767cc6dabb6bc57589f9

SHA1
2bb5bb08c343ed7d44aef9fe7dacebe6955c6b20

SHA256
ad4d0277c221e434014d74ad7ba7742e674aa175123afeed7ad8a9ad1aea494d

SHA512
54996d347ea2941d1d5683a4166ad3292a8c222c242783139e2cff82bc7b1b50e3449a28652fa8991a71485621ad3a5a2b6715fa5fa35404f20f11614c0e597a

Download Submit
\Users\Admin\AppData\Local\Temp\Tafali.exe

Filesize
76KB

MD5
997e0aeef6e13254333e3d4168c50549

SHA1
bc791977e962077794ec179ad4a74bca2990d0b0

SHA256
436ae508a4c9eb67139b150de6f035946ef8b30117e0b82390c2018db9b7deea

SHA512
cc0cd6f665299c8671cfd5efdf24ea46931bc004196c168d82643165a95da23a54909d7c68981967bff453a206caa06bbd98150cd0ede17aba546a10035b6fff

Download Submit
memory/2756-10-0x00000000025A0000-0x00000000025A2000-memory.dmp

Filesize
8KB

Download
memory/2756-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2844-11-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download