modiloader | c10bb54564195c206caead5d150e2e93bafd48b00c3388d29ba39bdbdd750425

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe
Size

336KB
MD5

c3c7fa161970b2bb3d91c44500c0e706
SHA1

674bd54a273618fd9f068bbbce8f7ea794c3735d
SHA256

c10bb54564195c206caead5d150e2e93bafd48b00c3388d29ba39bdbdd750425
SHA512

bcefd70804a9960621db9136bda8b502a458411e77bed2765753b8efa45ffed884c0f09e732b95367d40be1f3e43d29b2b0c85619fc7f3935d2b85692f102561
SSDEEP

6144:99uWL0gh/mIHFDPi8zbB8Wmxi16FRQ1Sm//JKbGIi8/ylvEWOvLd49lHWhYBZ:99tL0gh/mMFDp6Wmxi8FRwJAbHjylvEg

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral1/files/0x0008000000018728-13.dat	modiloader_stage2
behavioral1/memory/2012-28-0x0000000000400000-0x0000000000448000-memory.dmp	modiloader_stage2
behavioral1/memory/2772-62-0x0000000000400000-0x0000000000433000-memory.dmp	modiloader_stage2
behavioral1/memory/2772-49-0x0000000000400000-0x0000000000433000-memory.dmp	modiloader_stage2

Executes dropped EXE 6 IoCs

pid	Process
1124	semoo.exe
2012	win2-v25.exe
2728	NickChange-1.5.exe
2772	win2-v2.exe
2984	win7.exe
2872	C (5).exe

Loads dropped DLL 18 IoCs

pid	Process
2440	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe
1124	semoo.exe
1124	semoo.exe
1124	semoo.exe
2012	win2-v25.exe
2012	win2-v25.exe
2728	NickChange-1.5.exe
2728	NickChange-1.5.exe
2728	NickChange-1.5.exe
2772	win2-v2.exe
2772	win2-v2.exe
2772	win2-v2.exe
2984	win7.exe
2984	win7.exe
2984	win7.exe
2984	win7.exe
2984	win7.exe
2872	C (5).exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	semoo.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\NickChange-1.5.plsc	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe
File created	C:\Program Files\semoo.exe	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe
File opened for modification	C:\Program Files\semoo.exe	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe
File opened for modification	C:\Program Files\NickChange-1.5.plsc	NickChange-1.5.exe
File created	C:\Program Files\__tmp_rar_sfx_access_check_259438991	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe
File created	C:\Program Files\NickChange-1.5.plsc	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe
File opened for modification	C:\Program Files\win2-v2.exe	NickChange-1.5.exe
File created	C:\Program Files\__tmp_rar_sfx_access_check_259439412	NickChange-1.5.exe
File created	C:\Program Files\win2-v2.exe	NickChange-1.5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C (5).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	semoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win2-v25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NickChange-1.5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win2-v2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2872	C (5).exe
2872	C (5).exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1776	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2984	win7.exe
1776	AcroRd32.exe
1776	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 1124	2440	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe	30
PID 2440 wrote to memory of 1124	2440	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe	30
PID 2440 wrote to memory of 1124	2440	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe	30
PID 2440 wrote to memory of 1124	2440	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe	30
PID 2440 wrote to memory of 1124	2440	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe	30
PID 2440 wrote to memory of 1124	2440	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe	30
PID 2440 wrote to memory of 1124	2440	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2572	2440	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe	31
PID 2440 wrote to memory of 2572	2440	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe	31
PID 2440 wrote to memory of 2572	2440	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe	31
PID 2440 wrote to memory of 2572	2440	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe	31
PID 2440 wrote to memory of 2572	2440	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe	31
PID 2440 wrote to memory of 2572	2440	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe	31
PID 2440 wrote to memory of 2572	2440	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe	31
PID 1124 wrote to memory of 2012	1124	semoo.exe	32
PID 1124 wrote to memory of 2012	1124	semoo.exe	32
PID 1124 wrote to memory of 2012	1124	semoo.exe	32
PID 1124 wrote to memory of 2012	1124	semoo.exe	32
PID 1124 wrote to memory of 2012	1124	semoo.exe	32
PID 1124 wrote to memory of 2012	1124	semoo.exe	32
PID 1124 wrote to memory of 2012	1124	semoo.exe	32
PID 2012 wrote to memory of 2728	2012	win2-v25.exe	33
PID 2012 wrote to memory of 2728	2012	win2-v25.exe	33
PID 2012 wrote to memory of 2728	2012	win2-v25.exe	33
PID 2012 wrote to memory of 2728	2012	win2-v25.exe	33
PID 2012 wrote to memory of 2728	2012	win2-v25.exe	33
PID 2012 wrote to memory of 2728	2012	win2-v25.exe	33
PID 2012 wrote to memory of 2728	2012	win2-v25.exe	33
PID 2728 wrote to memory of 2772	2728	NickChange-1.5.exe	34
PID 2728 wrote to memory of 2772	2728	NickChange-1.5.exe	34
PID 2728 wrote to memory of 2772	2728	NickChange-1.5.exe	34
PID 2728 wrote to memory of 2772	2728	NickChange-1.5.exe	34
PID 2728 wrote to memory of 2772	2728	NickChange-1.5.exe	34
PID 2728 wrote to memory of 2772	2728	NickChange-1.5.exe	34
PID 2728 wrote to memory of 2772	2728	NickChange-1.5.exe	34
PID 2728 wrote to memory of 2888	2728	NickChange-1.5.exe	35
PID 2728 wrote to memory of 2888	2728	NickChange-1.5.exe	35
PID 2728 wrote to memory of 2888	2728	NickChange-1.5.exe	35
PID 2728 wrote to memory of 2888	2728	NickChange-1.5.exe	35
PID 2728 wrote to memory of 2888	2728	NickChange-1.5.exe	35
PID 2728 wrote to memory of 2888	2728	NickChange-1.5.exe	35
PID 2728 wrote to memory of 2888	2728	NickChange-1.5.exe	35
PID 2772 wrote to memory of 2984	2772	win2-v2.exe	36
PID 2772 wrote to memory of 2984	2772	win2-v2.exe	36
PID 2772 wrote to memory of 2984	2772	win2-v2.exe	36
PID 2772 wrote to memory of 2984	2772	win2-v2.exe	36
PID 2772 wrote to memory of 2984	2772	win2-v2.exe	36
PID 2772 wrote to memory of 2984	2772	win2-v2.exe	36
PID 2772 wrote to memory of 2984	2772	win2-v2.exe	36
PID 2888 wrote to memory of 1776	2888	rundll32.exe	38
PID 2888 wrote to memory of 1776	2888	rundll32.exe	38
PID 2888 wrote to memory of 1776	2888	rundll32.exe	38
PID 2888 wrote to memory of 1776	2888	rundll32.exe	38
PID 2888 wrote to memory of 1776	2888	rundll32.exe	38
PID 2888 wrote to memory of 1776	2888	rundll32.exe	38
PID 2888 wrote to memory of 1776	2888	rundll32.exe	38
PID 2572 wrote to memory of 2004	2572	rundll32.exe	39
PID 2572 wrote to memory of 2004	2572	rundll32.exe	39
PID 2572 wrote to memory of 2004	2572	rundll32.exe	39
PID 2572 wrote to memory of 2004	2572	rundll32.exe	39
PID 2572 wrote to memory of 2004	2572	rundll32.exe	39
PID 2572 wrote to memory of 2004	2572	rundll32.exe	39
PID 2572 wrote to memory of 2004	2572	rundll32.exe	39
PID 2984 wrote to memory of 2872	2984	win7.exe	40

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Program Files\semoo.exe
    "C:\Program Files\semoo.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\win2-v25.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\win2-v25.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Users\Admin\AppData\Local\Temp\NickChange-1.5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NickChange-1.5.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2728
      - C:\Program Files\win2-v2.exe
        
        "C:\Program Files\win2-v2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\win7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\win7.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\C (5).exe
        
        "C:\Users\Admin\AppData\Local\Temp\C (5).exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2872
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Program Files\NickChange-1.5.plsc
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Program Files\NickChange-1.5.plsc"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:1776
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Program Files\NickChange-1.5.plsc
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Program Files\NickChange-1.5.plsc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\NickChange-1.5.plsc

Filesize
8KB

MD5
ac9ce25e4e0d40c5b3ee3babc56d0262

SHA1
10f1df059cb62a3d103a45de49cbd9889b9b51bb

SHA256
1a5649177b150bcf8673d191b2f20b05deb00eff13ab4b63ed710de2b7c05b0a

SHA512
76d4e1606740e64599d5d5de44f9a01766f0b6a03efc73d776c41603cda8215957050538508aa6914d9650d521246b3345996e064b796da26cf4243799cffb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\C (5).exe

Filesize
29KB

MD5
bf1fcccb5ecccd54b525170a1557247f

SHA1
e25a2b16a0d69d9f1ce1e33614ceb05a75d1e448

SHA256
f2a882499fce786cf5babe5625f34030e5d0cdf8522c8ab8005020f84824c60c

SHA512
d81c676cabbe137bfd2837f2543f8dc84964d8d6175ec94a9ca3de4c3848dad03b0656c7229f31bb61a376802e39094a12f43cdc9e00aac11ed298bf6a1bbffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\win7.exe

Filesize
100KB

MD5
f6943c2df5bcfbd8ae2d666193961a23

SHA1
7af6d39e7366d162ca6fc207f948f32dece71b46

SHA256
7cb411b7d2c90621b7dc15202bacb3b1e8c064ad01308b47fdb652bea6e4a059

SHA512
037fb67f4e98f3aa9de3bbc8e55c3add3979b4d629369ebab65b2e9054fa829c552cfa8f305373c1654836589a72d0a41003fd0d8171c458650eb020144113a0

Download Submit
\Program Files\semoo.exe

Filesize
292KB

MD5
c71cbb29e7992dcfc63303d55f710019

SHA1
60a42b969dec8d6e456723df29d301fef0cd432b

SHA256
41e278db377e0d08dcb0399477436bdbb29407384620cfc7ea373a9c144692d8

SHA512
1244723886990484bf165e0a3e459e7c1c060294e760df04e169088b7c78767ad2d91075774c6b6aeab80d6e7f2766776052efa58d14d53bdb47498b3d86b180

Download Submit
\Program Files\win2-v2.exe

Filesize
96KB

MD5
1a1ce4531faac5f46173274edf33c956

SHA1
d3e4264660e6115a7811d4c906d3aa9d6f1ab77d

SHA256
1d6664e69e02252fad0013c293f8c9bc5a771742fed00b14129bd9ee6df61e89

SHA512
e1680a55e6df3c81ca0ab037d1036b2aa85c9abda1e35bd90c1cbfcb2d7912af355aea25c13a296fa507a7485a2da8b39b7616fbafbe4dda637cbae3dc9e8c8b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\win2-v25.exe

Filesize
260KB

MD5
518bc2c7dfb237900d902d76442d9e6b

SHA1
7c9d7df603a55f744e5bdeebddcb653e7183265d

SHA256
a2e261b72a916ea8587a8ecab801165d46c0315a0934992b9bed7079abbe9ead

SHA512
ab98b6cc3d3cdc9cd2771fbad5fc3db546a99905e86c2fcf8ee7007f644530fe9f2a8dea24b1d32d6f9998bcf2caf7c8e19ae29069e999b0aeca748e7e769115

Download Submit
\Users\Admin\AppData\Local\Temp\NickChange-1.5.exe

Filesize
152KB

MD5
6abb97927cc7dc8ebb02cf68d5f66219

SHA1
1ad170c2479961afe01632203a41144c55afca0e

SHA256
5ed00e6e6290d4ef2cbd7116717dfbd75c48b424b6851becc5e2c038d0dc403a

SHA512
e159ec2e9ead40a8bd8ce8f69a55b6c62ebd3da9cee502a2368528164dd7fe9aad5c9a53f405318ae467529c75feac91a45444152938fef5e1dc229cb90d299c

Download Submit
memory/1232-90-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1232-93-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/2012-28-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2728-44-0x00000000035C0000-0x00000000035F3000-memory.dmp

Filesize
204KB

Download
memory/2728-43-0x00000000035C0000-0x00000000035F3000-memory.dmp

Filesize
204KB

Download
memory/2772-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-62-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-86-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/2872-102-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/2984-82-0x0000000004AA0000-0x0000000004AA9000-memory.dmp

Filesize
36KB

Download
memory/2984-84-0x00000000046E0000-0x00000000046E2000-memory.dmp

Filesize
8KB

Download
memory/2984-81-0x0000000004AA0000-0x0000000004AA9000-memory.dmp

Filesize
36KB

Download
memory/2984-83-0x0000000004B00000-0x0000000004B09000-memory.dmp

Filesize
36KB

Download
memory/2984-111-0x0000000004B00000-0x0000000004B09000-memory.dmp

Filesize
36KB

Download