modiloader | 4cebb8f47d102f57151649966b7a8707f37dbab2a11c6508d55bf5d5bb68cb20

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d40480862f544ef81726411d1bdb81f4_JaffaCakes118.exe
Size

750KB
MD5

d40480862f544ef81726411d1bdb81f4
SHA1

c8b07741244a2bf9862c82fa4f3d9e42c5cea6b6
SHA256

4cebb8f47d102f57151649966b7a8707f37dbab2a11c6508d55bf5d5bb68cb20
SHA512

a15d5665b2156811cca5246cea98567ebf867b988ab6b2d02ed4f757d7a7317ebc4ce18125a0d6aac2e312d5c1889209f19a92fd762b9ce5b7d533cecc1b3d7b
SSDEEP

12288:iR8u1CP68p5WfL7S+TlHXff3QaCY0gaY1hzLQxpULQZ+v0xnKJAkGeZlAYluLEMg:uvM68HoLW+TlHXff3QaCG7XqU6BnKJAI

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 9 IoCs

resource	yara_rule
behavioral1/memory/2328-33-0x0000000000400000-0x000000000050A600-memory.dmp	modiloader_stage2
behavioral1/files/0x0009000000018742-35.dat	modiloader_stage2
behavioral1/memory/1160-30-0x00000000009C0000-0x0000000000ACB000-memory.dmp	modiloader_stage2
behavioral1/memory/2860-46-0x0000000000400000-0x000000000050A600-memory.dmp	modiloader_stage2
behavioral1/memory/2328-44-0x0000000003140000-0x000000000324B000-memory.dmp	modiloader_stage2
behavioral1/memory/2328-60-0x0000000000400000-0x000000000050A600-memory.dmp	modiloader_stage2
behavioral1/memory/2328-68-0x0000000000400000-0x000000000050A600-memory.dmp	modiloader_stage2
behavioral1/memory/2860-70-0x0000000000400000-0x000000000050A600-memory.dmp	modiloader_stage2
behavioral1/memory/2860-72-0x0000000000400000-0x000000000050A600-memory.dmp	modiloader_stage2

Executes dropped EXE 4 IoCs

pid	Process
2336	3.exe
1160	3.exe
2328	3.exe
2860	rejoice101.exe

Loads dropped DLL 13 IoCs

pid	Process
2364	d40480862f544ef81726411d1bdb81f4_JaffaCakes118.exe
2336	3.exe
2336	3.exe
1160	3.exe
1160	3.exe
1160	3.exe
2328	3.exe
2328	3.exe
2328	3.exe
2860	rejoice101.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d40480862f544ef81726411d1bdb81f4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	3.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\_rejoice101.exe	rejoice101.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259445512	3.exe
File created	C:\Windows\SysWOW64\3.exe	3.exe
File opened for modification	C:\Windows\SysWOW64\3.exe	3.exe
File created	C:\Windows\SysWOW64\_rejoice101.exe	rejoice101.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2860 set thread context of 2120	2860	rejoice101.exe	35

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe	3.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe	3.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat	3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2608	2860	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rejoice101.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d40480862f544ef81726411d1bdb81f4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2336	2364	d40480862f544ef81726411d1bdb81f4_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2336	2364	d40480862f544ef81726411d1bdb81f4_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2336	2364	d40480862f544ef81726411d1bdb81f4_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2336	2364	d40480862f544ef81726411d1bdb81f4_JaffaCakes118.exe	31
PID 2336 wrote to memory of 1160	2336	3.exe	32
PID 2336 wrote to memory of 1160	2336	3.exe	32
PID 2336 wrote to memory of 1160	2336	3.exe	32
PID 2336 wrote to memory of 1160	2336	3.exe	32
PID 2336 wrote to memory of 1160	2336	3.exe	32
PID 2336 wrote to memory of 1160	2336	3.exe	32
PID 2336 wrote to memory of 1160	2336	3.exe	32
PID 1160 wrote to memory of 2328	1160	3.exe	33
PID 1160 wrote to memory of 2328	1160	3.exe	33
PID 1160 wrote to memory of 2328	1160	3.exe	33
PID 1160 wrote to memory of 2328	1160	3.exe	33
PID 1160 wrote to memory of 2328	1160	3.exe	33
PID 1160 wrote to memory of 2328	1160	3.exe	33
PID 1160 wrote to memory of 2328	1160	3.exe	33
PID 2328 wrote to memory of 2860	2328	3.exe	34
PID 2328 wrote to memory of 2860	2328	3.exe	34
PID 2328 wrote to memory of 2860	2328	3.exe	34
PID 2328 wrote to memory of 2860	2328	3.exe	34
PID 2328 wrote to memory of 2860	2328	3.exe	34
PID 2328 wrote to memory of 2860	2328	3.exe	34
PID 2328 wrote to memory of 2860	2328	3.exe	34
PID 2860 wrote to memory of 2120	2860	rejoice101.exe	35
PID 2860 wrote to memory of 2120	2860	rejoice101.exe	35
PID 2860 wrote to memory of 2120	2860	rejoice101.exe	35
PID 2860 wrote to memory of 2120	2860	rejoice101.exe	35
PID 2860 wrote to memory of 2120	2860	rejoice101.exe	35
PID 2860 wrote to memory of 2120	2860	rejoice101.exe	35
PID 2860 wrote to memory of 2120	2860	rejoice101.exe	35
PID 2860 wrote to memory of 2120	2860	rejoice101.exe	35
PID 2860 wrote to memory of 2120	2860	rejoice101.exe	35
PID 2860 wrote to memory of 2608	2860	rejoice101.exe	36
PID 2860 wrote to memory of 2608	2860	rejoice101.exe	36
PID 2860 wrote to memory of 2608	2860	rejoice101.exe	36
PID 2860 wrote to memory of 2608	2860	rejoice101.exe	36
PID 2860 wrote to memory of 2608	2860	rejoice101.exe	36
PID 2860 wrote to memory of 2608	2860	rejoice101.exe	36
PID 2860 wrote to memory of 2608	2860	rejoice101.exe	36
PID 2328 wrote to memory of 2604	2328	3.exe	37
PID 2328 wrote to memory of 2604	2328	3.exe	37
PID 2328 wrote to memory of 2604	2328	3.exe	37
PID 2328 wrote to memory of 2604	2328	3.exe	37
PID 2328 wrote to memory of 2604	2328	3.exe	37
PID 2328 wrote to memory of 2604	2328	3.exe	37
PID 2328 wrote to memory of 2604	2328	3.exe	37

C:\Users\Admin\AppData\Local\Temp\d40480862f544ef81726411d1bdb81f4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d40480862f544ef81726411d1bdb81f4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\SysWOW64\3.exe
    "C:\Windows\system32\3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2860
      - C:\Windows\SysWOW64\calc.exe
        
        "C:\Windows\system32\calc.exe"
        6⤵
        
        PID:2120
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 340
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2608
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat

Filesize
144B

MD5
6e0accd9b56700b7850b002896bf5383

SHA1
c058ad423f42638e06171349e2d56931d03ab800

SHA256
533abe1be65c4ff52feab7cfd105cfffe64dd18c0554f9204a46a75a7978addf

SHA512
0f4f18356b1f303be7a823f7b64e57151a6135caab9f87fc1dd2b24a63631cdd827e137405c5f9dd5047a3a2eeeef1367d62d767740fb7657e2c47c16ff2240c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
702KB

MD5
9bcaaf6c65896d7b446386798a33dc17

SHA1
baa4f67ec22262768b166a6c413d3a48ae911fec

SHA256
53ca0b273d0f1111399f402494a802f7cf22c5fe64902014e593d2340a2085f0

SHA512
91d857b11039923620bde1f52b5f98d83a8c7e6da57ab850f0e53af380ee03aeffb6989e867f3ce7fa95e2d4ac3741ef32a996c3c2cc56310d64da754b9a38f9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\3.exe

Filesize
1.0MB

MD5
1c3d15ba1d152f568dd49d0b9fc34588

SHA1
f3a171fe18544328ef98efbcd367f2044330ec86

SHA256
e9162e886791805f72884a2bae9a100bd337d893a363973926544862ef67f1e0

SHA512
50f2e53fb5a233ec5af5364279ba7965abbcca7f78f98b1e17c6c60a60d5fd281cc0775f26fa821e327b10232b9c8152ffff9c7001cbc5e875d14630bedba9c5

Download Submit
\Windows\SysWOW64\3.exe

Filesize
616KB

MD5
0d2076b83fcd86a9d05833c5be1e433f

SHA1
077d5b0397cf44c5d04b7548d5b99d3368874ab4

SHA256
806c17b60d3c2d1d20e270b5732cfe6e072499e297ddbbab160d646f5832dbf1

SHA512
dd7a84a1c064922fb7777ab592544031e1bbdfbbea0e52fb0016fe21ef25909536e6e1a01993440bbd53dc108e88606678cce2b6984093dd469b71c5802b7e56

Download Submit
memory/1160-59-0x00000000009C0000-0x0000000000ACB000-memory.dmp

Filesize
1.0MB

Download
memory/1160-30-0x00000000009C0000-0x0000000000ACB000-memory.dmp

Filesize
1.0MB

Download
memory/1160-32-0x00000000009C0000-0x0000000000ACB000-memory.dmp

Filesize
1.0MB

Download
memory/2120-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2328-44-0x0000000003140000-0x000000000324B000-memory.dmp

Filesize
1.0MB

Download
memory/2328-33-0x0000000000400000-0x000000000050A600-memory.dmp

Filesize
1.0MB

Download
memory/2328-60-0x0000000000400000-0x000000000050A600-memory.dmp

Filesize
1.0MB

Download
memory/2328-68-0x0000000000400000-0x000000000050A600-memory.dmp

Filesize
1.0MB

Download
memory/2336-18-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2364-0-0x0000000001000000-0x000000000116F000-memory.dmp

Filesize
1.4MB

Download
memory/2364-20-0x0000000001000000-0x000000000116F000-memory.dmp

Filesize
1.4MB

Download
memory/2860-46-0x0000000000400000-0x000000000050A600-memory.dmp

Filesize
1.0MB

Download
memory/2860-70-0x0000000000400000-0x000000000050A600-memory.dmp

Filesize
1.0MB

Download
memory/2860-71-0x0000000000B40000-0x0000000000C4B000-memory.dmp

Filesize
1.0MB

Download
memory/2860-72-0x0000000000400000-0x000000000050A600-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads