modiloader | 309c8f05992c32298ed13b202ed7a05789533aac1f704d47b5dceaed9a1dcdf0

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2024, 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afa773db708158750c0eec36bb4288bc_JaffaCakes118.exe
Size

899KB
MD5

afa773db708158750c0eec36bb4288bc
SHA1

8552a3eaf2aed99fa916f14b060e60130be3592d
SHA256

309c8f05992c32298ed13b202ed7a05789533aac1f704d47b5dceaed9a1dcdf0
SHA512

72617b77f14bc000c87bb92b4a0f7584c98abba513453f271d3f220c4d2f62fe9659cb8e7e408dcef535bf00f842f0726e8552cb1c7c9ba3033a58557f0da6c1
SSDEEP

24576:d1Lr92Gn1YB7ZneZeeUk5CWchUJI0Dl+E7JGaOC:dNDn1Y9rR8CWo8IalUap

Score

10^/10

modiloader discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader First Stage 2 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b73-62.dat	modiloader_stage1
behavioral2/files/0x0008000000023bb2-87.dat	modiloader_stage1

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	afa773db708158750c0eec36bb4288bc_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	rinst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	isw2.exe

Executes dropped EXE 4 IoCs

pid	Process
2548	rinst.exe
1440	Gmail.exe
1220	mitolunoki.exe
3432	isw2.exe

Loads dropped DLL 5 IoCs

pid	Process
1220	mitolunoki.exe
1440	Gmail.exe
3432	isw2.exe
4616	afa773db708158750c0eec36bb4288bc_JaffaCakes118.exe
4396	NOTEPAD.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mitolunoki = "C:\\Windows\\SysWOW64\\mitolunoki.exe"	mitolunoki.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mitolunoki.exe	rinst.exe
File created	C:\Windows\SysWOW64\mitolunokihk.dll	rinst.exe
File created	C:\Windows\SysWOW64\rinst.exe	rinst.exe
File created	C:\Windows\SysWOW64\is-16NQ3.tmp	isw2.exe
File opened for modification	C:\Windows\SysWOW64\borlndmm.dll	isw2.exe
File opened for modification	C:\Windows\SysWOW64\bpk.dat	mitolunoki.exe
File created	C:\Windows\SysWOW64\pk.bin	rinst.exe
File created	C:\Windows\SysWOW64\inst.dat	rinst.exe
File opened for modification	C:\Windows\SysWOW64\pk.bin	mitolunoki.exe
File created	C:\Windows\SysWOW64\is-E4TP7.tmp	isw2.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b74-20.dat	upx
behavioral2/memory/1440-30-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1440-58-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1440-106-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Startup Inspector for Windows\images\is-VT665.tmp	isw2.exe
File created	C:\Program Files (x86)\Startup Inspector for Windows\is-J9H00.tmp	isw2.exe
File opened for modification	C:\Program Files (x86)\Startup Inspector for Windows\unins000.dat	isw2.exe
File created	C:\Program Files (x86)\Startup Inspector for Windows\is-ORMNA.tmp	isw2.exe
File created	C:\Program Files (x86)\Startup Inspector for Windows\images\is-2E36J.tmp	isw2.exe
File created	C:\Program Files (x86)\Startup Inspector for Windows\images\is-M6C6L.tmp	isw2.exe
File created	C:\Program Files (x86)\Startup Inspector for Windows\is-BEREG.tmp	isw2.exe
File opened for modification	C:\Program Files (x86)\Startup Inspector for Windows\Visit Startup Inspector for Windows Homepage.url	isw2.exe
File created	C:\Program Files (x86)\Startup Inspector for Windows\unins000.dat	isw2.exe
File created	C:\Program Files (x86)\Startup Inspector for Windows\is-NAPII.tmp	isw2.exe
File created	C:\Program Files (x86)\Startup Inspector for Windows\is-2LBR1.tmp	isw2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmail.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mitolunoki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isw2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afa773db708158750c0eec36bb4288bc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rinst.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	isw2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1220	mitolunoki.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1220	mitolunoki.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe
1220	mitolunoki.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 2548	4616	afa773db708158750c0eec36bb4288bc_JaffaCakes118.exe	83
PID 4616 wrote to memory of 2548	4616	afa773db708158750c0eec36bb4288bc_JaffaCakes118.exe	83
PID 4616 wrote to memory of 2548	4616	afa773db708158750c0eec36bb4288bc_JaffaCakes118.exe	83
PID 2548 wrote to memory of 1440	2548	rinst.exe	85
PID 2548 wrote to memory of 1440	2548	rinst.exe	85
PID 2548 wrote to memory of 1440	2548	rinst.exe	85
PID 2548 wrote to memory of 1220	2548	rinst.exe	86
PID 2548 wrote to memory of 1220	2548	rinst.exe	86
PID 2548 wrote to memory of 1220	2548	rinst.exe	86
PID 1440 wrote to memory of 3432	1440	Gmail.exe	87
PID 1440 wrote to memory of 3432	1440	Gmail.exe	87
PID 1440 wrote to memory of 3432	1440	Gmail.exe	87
PID 3432 wrote to memory of 4396	3432	isw2.exe	104
PID 3432 wrote to memory of 4396	3432	isw2.exe	104
PID 3432 wrote to memory of 4396	3432	isw2.exe	104

C:\Users\Admin\AppData\Local\Temp\afa773db708158750c0eec36bb4288bc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\afa773db708158750c0eec36bb4288bc_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gmail.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gmail.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\7zS8220.tmp\isw2.exe
      .\isw2.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3432
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\Startup Inspector for Windows\Readme.txt
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4396
- - C:\Windows\SysWOW64\mitolunoki.exe
    C:\Windows\system32\mitolunoki.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Startup Inspector for Windows\Readme.txt

Filesize
3KB

MD5
4a7fab5c16f4ee2e78b90545c885ddb9

SHA1
922936d244e96f5f5db3a7deefdd87db86bee871

SHA256
e8ea39858bfee1987c6517c9fc1deb4187c7a4760b7dcb59163834de1c57a82b

SHA512
7c10d83058e1ae3da079449d4ccead1d7b84f7e7f0e860915964e9d5877be6834db031f069fdef56ad0bc5c009b2f07b30f43e86a8da139f0492f188ce73b91c

Download Submit
C:\Program Files (x86)\Startup Inspector for Windows\wsInspector.exe

Filesize
976KB

MD5
0bf61d7613274d66fcff6aa8e952d9da

SHA1
947027b8a68a24937f9aa8a6bf129dde58d4b573

SHA256
c91ddad381be12bcaaf314555e3ce4c98e07792d2d4838a4d2dbdf1672f24163

SHA512
81f61419c034778b434b540f7ab47bdd86b1d1eaa58b60e84b691cc077ffa68a6ba8a7518376748a94ceff37108f450536318290e2c42e1a889764ad6d64729d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8220.tmp\SETUP.0

Filesize
6KB

MD5
1f75534a5ef833182e612311503038ff

SHA1
5260e7810613a0b1261cc80d40089c34f16dd76b

SHA256
b2bec4cabf5f6667bfc9ce526fc441949cb2f2a4bce7586a09981524ba812ead

SHA512
432e0a0cf593cea4e92aa7f789d592a8cf928e15748db57db96e3c09773882d7d56526ba76bfacc07e86fe3c444df293134e52a975576cf36a07bf12e86985dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8220.tmp\isw2-1.bin

Filesize
1.3MB

MD5
00a7619eb18dd6e19bbf1bf3c40be31f

SHA1
498ca0a4819be340bfc2878fe16d3ca3494ea285

SHA256
30b848e52d044f89c9cc8f7ac45c2b2c80d2ff79d56646d79d2f56213d0e5d45

SHA512
7b5a7552532cdeb10fbc483ef00b8f33c670a83f7c5a24308af3d80e1e8130ab9cb32a425e0aaedcc7d4d8908c86c5221107662b554365ca6ddcb983fa4ef561

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8220.tmp\isw2.exe

Filesize
550KB

MD5
48253758692b9ae0f764a6e8308b27d3

SHA1
a83c98ad6c06be7ee4f9a2c94e16eb3d26cad548

SHA256
f05568b083000781cac228c0e5b4de779a3b502d7a9517acf821e2ca47afbe05

SHA512
92e5f3bd2c4c91e139a209066a3deb0dbffa9df0f093b8988845dc0b2fbe0bb6ce59bf14b1e9d8e3eb2e8ac3a6df976f17e02db9dce9b2e580be3ace74f90ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Gmail.exe

Filesize
669KB

MD5
945e5be02981e7ed11a3d6f7983f36af

SHA1
f73b09b2ed13e9152a93c85ae989d25a8ed1f565

SHA256
fbede8ecda93a864b28657da5fb4b1e16dadd81938c4d9538f3fd7e516dd35f9

SHA512
5d29ef8d9456a6f176546966d44b591eb235d4aa9af2d4d3b155c8ffa74593634fda1561a4e7f90b48b99b94b76ba46c3634da0809e9ef221ac78186032c5717

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
996B

MD5
886e192932cb8318fa5635265ec6a079

SHA1
70e8861cc6acfaed568d4e7c529d393269072fff

SHA256
351db0d8d738eb791c59a402f6f2ae72ae59bb151d4d0540593a84b21abaf86e

SHA512
76e17f129d44f2102719c9ab1f3df14a56d86a27859aaad4d6a8de49bad7c716c1858c3363dcba5d5d6ca518c146b7cebadc3435ada3b7266eaf15da0ad7af9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mitolunoki.exe

Filesize
424KB

MD5
f4ff10f42273d6454a85a28391eaa804

SHA1
ed2117b2127b67da0e2db5ce0cce9548345d88a8

SHA256
b2b188a4ce619ef1a27bed42504150c210a9014d87fb040471539bb37ed3ac85

SHA512
3cca81fbf9da8909e0c311c8dc0347df0885172c48bee2b3d3f29df456aca9c234a7f711edf487bc30e5138e0ced162f574930532fe72829ba201fa1e054aeb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mitolunokihk.dll

Filesize
24KB

MD5
a57ea02d3de21331035aaec87fe63ff6

SHA1
e2ead17aee7543817563b8243b4c4eff98a72133

SHA256
58e39e86689eb08e058653683c1496a348f03f49952cb6792d11a4f67ad80152

SHA512
494d79f6ce0c006ee52991f584bc0dcc9fe1612d635aaa4c7a7925faaeda3b0c0db3dfb18eb68f16c51daf3eda45805986dc2ab309dd5a798c39227f7cc71baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

Filesize
4KB

MD5
f8b3fdcd01ac3d80075d2190bf6be43f

SHA1
4fd06ea6c6430de08033796e6fac1db854940cab

SHA256
8f427b3160bdeb7fe0c4a70b8701050b1baf84bfb4685fb2e7738d010a797cfc

SHA512
2f6b0cdd6bffa2a7d3613912252d70cba4c886c8942f3aff7f87e9c29e662d1a7c50074c3c8b76765856c5398ae6beed76d03dc5976c1a9bc27a49d49e0eedb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
7KB

MD5
fbe4bab53f74d3049ef4b306d4cd8742

SHA1
6504b63908997a71a65997fa31eda4ae4de013e7

SHA256
446658dd5af649857fff445c600f26cdc1d0c19c86a080f312b89b1890182092

SHA512
d458ab806a3ed3d1494a13ad8a75df874a0b227cb4f337996cb82df3c4a26dc9c4fe48a664b53b052a4af123ea8d89911d9d9493870e6b5992d5621a32260c2f

Download Submit
C:\Windows\SysWOW64\mitolunoki.exe

Filesize
424KB

MD5
888df0bb402e5bb9488ffeb100efc4a3

SHA1
cffe4285be4d3ff50e56f8aad2fedc58df541ffb

SHA256
dc1dd674a79c29cf7d04d4458290ac377d9bd7a75f3f59f95bb9404a371f22dd

SHA512
ad4b7fca93caf607c55c51f158f19b97742efc3b8dbf0c76a5a60ebb2bcb4d1a3107b36811f3c821b86b18bf632006084452724714e9c17ff26762f10365040d

Download Submit
C:\Windows\SysWOW64\mitolunokihk.dll

Filesize
24KB

MD5
9ac9028338d1b353a7cacb563bb91df7

SHA1
a20c5dee8f05c91686324cec2d5b092bafe58339

SHA256
93c0e7f41d5d74217189e4cc2d5cdb8f97d8e5eeef0a0dcf4cecd67e3393682c

SHA512
ac83c8f7b6fe913487015d8d7a2e430e917d230b6b2907150f6c4a73bf64c3a02320dddc29fea03db5df8ac5620d8a902fe7be80ba1b1bd1e6f5b8b1b016ddfe

Download Submit
C:\Windows\SysWOW64\pk.bin

Filesize
4KB

MD5
377fe54e3313ab9516090d96ac8f209a

SHA1
d0d1ca9beabd6eef1db0f1a661ac5a2a29852441

SHA256
5b72dda0431b01ec4be936f78fcb9974d2948859104f2e7ba8ef39c2a6fa90f5

SHA512
fb16e98aec5d5ffada9225087d2875d1f7f2e62437b0e3b6fe158cb56bd732f21a25612f83d339b7f29edd4134aa948dc1e9fe59959427f78cd6400535415632

Download Submit
memory/1440-58-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1440-106-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1440-30-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3432-59-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3432-61-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3432-105-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4616-57-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads