modiloader | 0990366ee10b0506d180d07d9277a0ffce5516077a6987462d0ab7dab81c9c54

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/11/2024, 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8af083564e8b5ae625812744cfc3750_JaffaCakes118.exe
Size

383KB
MD5

a8af083564e8b5ae625812744cfc3750
SHA1

7dc45d40ecbba487ffe122d0c47b33b11ca43f5e
SHA256

0990366ee10b0506d180d07d9277a0ffce5516077a6987462d0ab7dab81c9c54
SHA512

5c64c4c1b02f96075901a6793876ebbe8d0bb7f27743af6856af26aa9cfdf97cc3e17b9ef63690de26f40fc07f55b88eff00a7a22ad47491f193f297a4bdef05
SSDEEP

6144:ccIIrR1D3aGc34y6OSPOaRZFE2eZfbSZ+apJq5LVTCSgT0:i61DJCXHS2aRZFExRbS8Iq5LVTC+

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral1/memory/2792-26-0x0000000000400000-0x00000000004C8000-memory.dmp	modiloader_stage2
behavioral1/memory/2792-36-0x0000000000400000-0x00000000004C8000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-38-0x0000000000400000-0x00000000004C8000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-40-0x0000000000400000-0x00000000004C8000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2700	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2712	Windows_Update.exe

Loads dropped DLL 7 IoCs

pid	Process
2792	a8af083564e8b5ae625812744cfc3750_JaffaCakes118.exe
2712	Windows_Update.exe
2712	Windows_Update.exe
2712	Windows_Update.exe
2604	WerFault.exe
2604	WerFault.exe
2604	WerFault.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_Windows_Update.exe	Windows_Update.exe
File opened for modification	C:\Windows\SysWOW64\_Windows_Update.exe	Windows_Update.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2712 set thread context of 2088	2712	Windows_Update.exe	31

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Windows_Update.exe	a8af083564e8b5ae625812744cfc3750_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Windows_Update.exe	a8af083564e8b5ae625812744cfc3750_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\DelSvel.bat	a8af083564e8b5ae625812744cfc3750_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2604	2712	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8af083564e8b5ae625812744cfc3750_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows_Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2712	2792	a8af083564e8b5ae625812744cfc3750_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2712	2792	a8af083564e8b5ae625812744cfc3750_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2712	2792	a8af083564e8b5ae625812744cfc3750_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2712	2792	a8af083564e8b5ae625812744cfc3750_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2712	2792	a8af083564e8b5ae625812744cfc3750_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2712	2792	a8af083564e8b5ae625812744cfc3750_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2712	2792	a8af083564e8b5ae625812744cfc3750_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2088	2712	Windows_Update.exe	31
PID 2712 wrote to memory of 2088	2712	Windows_Update.exe	31
PID 2712 wrote to memory of 2088	2712	Windows_Update.exe	31
PID 2712 wrote to memory of 2088	2712	Windows_Update.exe	31
PID 2712 wrote to memory of 2088	2712	Windows_Update.exe	31
PID 2712 wrote to memory of 2088	2712	Windows_Update.exe	31
PID 2712 wrote to memory of 2088	2712	Windows_Update.exe	31
PID 2712 wrote to memory of 2088	2712	Windows_Update.exe	31
PID 2712 wrote to memory of 2088	2712	Windows_Update.exe	31
PID 2712 wrote to memory of 2604	2712	Windows_Update.exe	32
PID 2712 wrote to memory of 2604	2712	Windows_Update.exe	32
PID 2712 wrote to memory of 2604	2712	Windows_Update.exe	32
PID 2712 wrote to memory of 2604	2712	Windows_Update.exe	32
PID 2712 wrote to memory of 2604	2712	Windows_Update.exe	32
PID 2712 wrote to memory of 2604	2712	Windows_Update.exe	32
PID 2712 wrote to memory of 2604	2712	Windows_Update.exe	32
PID 2792 wrote to memory of 2700	2792	a8af083564e8b5ae625812744cfc3750_JaffaCakes118.exe	33
PID 2792 wrote to memory of 2700	2792	a8af083564e8b5ae625812744cfc3750_JaffaCakes118.exe	33
PID 2792 wrote to memory of 2700	2792	a8af083564e8b5ae625812744cfc3750_JaffaCakes118.exe	33
PID 2792 wrote to memory of 2700	2792	a8af083564e8b5ae625812744cfc3750_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\a8af083564e8b5ae625812744cfc3750_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a8af083564e8b5ae625812744cfc3750_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\Windows_Update.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\Windows_Update.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\system32\notepad.exe"
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 328
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\DelSvel.bat""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\DelSvel.bat

Filesize
212B

MD5
739689d6cfa8812c76cc9f16b50acdb8

SHA1
8f65a84519edba2e4fe42559b4b52f852c8bc0a5

SHA256
17ad0e1267f5c8c0ed4befab12ac9a75b4db4cbea67791c746f0171c284ab82c

SHA512
4fe96775b118ac31ec7fdc25f2b3e9a380b94c35640fa234bbb7a6da2e2eea0c5be88467a21412f6b5bc336f20d12c00c3b877524767664c43094dfe3787714c

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\Windows_Update.exe

Filesize
383KB

MD5
a8af083564e8b5ae625812744cfc3750

SHA1
7dc45d40ecbba487ffe122d0c47b33b11ca43f5e

SHA256
0990366ee10b0506d180d07d9277a0ffce5516077a6987462d0ab7dab81c9c54

SHA512
5c64c4c1b02f96075901a6793876ebbe8d0bb7f27743af6856af26aa9cfdf97cc3e17b9ef63690de26f40fc07f55b88eff00a7a22ad47491f193f297a4bdef05

Download Submit
memory/2088-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2088-19-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2712-14-0x00000000004D0000-0x0000000000598000-memory.dmp

Filesize
800KB

Download
memory/2712-38-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2712-40-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2792-2-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2792-7-0x00000000030F0000-0x00000000031B8000-memory.dmp

Filesize
800KB

Download
memory/2792-0-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2792-26-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2792-27-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2792-1-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2792-36-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download