modiloader | 0642f454221c8cba47f2e98596482b7e90bb68170125d7ac815fb35fe4bfbd1f

Analysis

max time kernel
93s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2024, 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
Size

1.1MB
MD5

add88bacbdf9b9b1fdbc530d6e84c396
SHA1

43ae19b4572b43f9e5251c94897f4310cdea00e2
SHA256

0642f454221c8cba47f2e98596482b7e90bb68170125d7ac815fb35fe4bfbd1f
SHA512

dce8d413a02fad8df522fd92382ab285a9e973c00f479b3ad9c5b0a20cae9eb763877394f1eea721c7520c98a4f1eb52ddd244abb8d7e10cbe189a05ab438c55
SSDEEP

24576:S4naDy52IKEA1KO3ppDEHimPjs30VyWT02M4xvr:ZnaB1KZh7s32fT02MC

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral2/memory/4044-0-0x0000000000400000-0x000000000050E000-memory.dmp	modiloader_stage2
behavioral2/files/0x000100000000002b-10.dat	modiloader_stage2
behavioral2/memory/1616-20-0x00000000000A0000-0x00000000001AE000-memory.dmp	modiloader_stage2
behavioral2/memory/4044-24-0x0000000000400000-0x000000000050E000-memory.dmp	modiloader_stage2
behavioral2/memory/2032-23-0x0000000000400000-0x000000000050E000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2032	1sass.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened (read-only)	\??\U:	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened (read-only)	\??\Y:	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened (read-only)	\??\Z:	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened (read-only)	\??\B:	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened (read-only)	\??\E:	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened (read-only)	\??\R:	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened (read-only)	\??\J:	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened (read-only)	\??\K:	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened (read-only)	\??\L:	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened (read-only)	\??\M:	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened (read-only)	\??\X:	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened (read-only)	\??\A:	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened (read-only)	\??\H:	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened (read-only)	\??\I:	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened (read-only)	\??\O:	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened (read-only)	\??\W:	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened (read-only)	\??\Q:	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened (read-only)	\??\T:	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened (read-only)	\??\V:	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened (read-only)	\??\G:	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened (read-only)	\??\N:	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened (read-only)	\??\P:	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\AutoRun.inf	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened for modification	C:\AutoRun.inf	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File created	F:\AutoRun.inf	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened for modification	F:\AutoRun.inf	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_1sass.exe	1sass.exe
File opened for modification	C:\Windows\SysWOW64\_1sass.exe	1sass.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2032 set thread context of 2992	2032	1sass.exe	84
PID 2032 set thread context of 1616	2032	1sass.exe	86

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\1sass.exe	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\1sass.exe	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\DelSvel.bat	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1312	2992	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1sass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1791277743"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439599814"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1787996418"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31146473"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{962DE3EF-ADDC-11EF-91C3-FA89EA07D49F} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31146473"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31146473"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1787996418"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1616	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE
4824	IEXPLORE.EXE
4824	IEXPLORE.EXE
4824	IEXPLORE.EXE
4824	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 2032	4044	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe	83
PID 4044 wrote to memory of 2032	4044	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe	83
PID 4044 wrote to memory of 2032	4044	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe	83
PID 2032 wrote to memory of 2992	2032	1sass.exe	84
PID 2032 wrote to memory of 2992	2032	1sass.exe	84
PID 2032 wrote to memory of 2992	2032	1sass.exe	84
PID 2032 wrote to memory of 2992	2032	1sass.exe	84
PID 2032 wrote to memory of 2992	2032	1sass.exe	84
PID 2032 wrote to memory of 1616	2032	1sass.exe	86
PID 2032 wrote to memory of 1616	2032	1sass.exe	86
PID 2032 wrote to memory of 1616	2032	1sass.exe	86
PID 2032 wrote to memory of 1616	2032	1sass.exe	86
PID 4044 wrote to memory of 5060	4044	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe	87
PID 4044 wrote to memory of 5060	4044	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe	87
PID 4044 wrote to memory of 5060	4044	add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe	87
PID 1616 wrote to memory of 4824	1616	IEXPLORE.EXE	90
PID 1616 wrote to memory of 4824	1616	IEXPLORE.EXE	90
PID 1616 wrote to memory of 4824	1616	IEXPLORE.EXE	90

C:\Users\Admin\AppData\Local\Temp\add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\add88bacbdf9b9b1fdbc530d6e84c396_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\1sass.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\1sass.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:2992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 12
      4⤵
      Program crash
      PID:1312
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1616 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\DelSvel.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2992 -ip 2992
1⤵
PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\DelSvel.bat

Filesize
212B

MD5
40c264bfe9543c13c682e9e64a0c3690

SHA1
18ff15a31e404202c78a5155f6dc0f84bb44543d

SHA256
1c2cb0675e7cbba39ee8c5e9e0b66fd99573d67734a1a81a6ef6c2276c5fc18b

SHA512
6582c7cce6f592e61507c53434c04698dd63e1f0a5f996d48c351aaa41f54474292269b40ca0e30fd6759ea229b34a1565e20996cfdb1875b280e8017143c6cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
d496c3cf4507a41e4bb8947614b37f89

SHA1
f58a2e035c8bec002e1bf4e3dee7af5d74b9673e

SHA256
c3e6a8d04ae617fd6814ba00e72f33ef1b81b63836e4f655c00042f2b64329e1

SHA512
b1a7850866759f8437a6a3f0016f0ae926c10874b365a250ca0e6fe0084847ba5fdce4dd92a84b2baf9b6bf52bc7eeb2d8931929ff2bdd7f4b9bd851e8352417

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
d9ad16aa670f74bbc08f3cf5fc5e841a

SHA1
393cc8b80cf88c910faef6aee00fafb8b7b48add

SHA256
cbaa9372ad73e00db7fd9893764078cdb072f51d9567024a01a77f397cbd2c4c

SHA512
70417b42823aa243dbc8674d4fd8b0051924b7cfca3dd9c5481d1f8aabfddbf147375346147ab4b2054c016badd8c7700cdbdd1973ce2664ae055547d42ac3c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XH3Z2ZON\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
F:\1sass.exe

Filesize
1.1MB

MD5
add88bacbdf9b9b1fdbc530d6e84c396

SHA1
43ae19b4572b43f9e5251c94897f4310cdea00e2

SHA256
0642f454221c8cba47f2e98596482b7e90bb68170125d7ac815fb35fe4bfbd1f

SHA512
dce8d413a02fad8df522fd92382ab285a9e973c00f479b3ad9c5b0a20cae9eb763877394f1eea721c7520c98a4f1eb52ddd244abb8d7e10cbe189a05ab438c55

Download Submit
memory/1616-20-0x00000000000A0000-0x00000000001AE000-memory.dmp

Filesize
1.1MB

Download
memory/2032-15-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/2032-23-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4044-0-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4044-1-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/4044-24-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads