modiloader | 0ec6d1d92ab28d4c51093d763fbc421cd749bfbb238e7bd09cbad54abfe45d0a

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe
Size

171KB
MD5

d023b9a1794027921c6f8b9dfc9afc49
SHA1

fa0e8e3ec2933eae7e4b84ad3f57ba6e842e9f60
SHA256

0ec6d1d92ab28d4c51093d763fbc421cd749bfbb238e7bd09cbad54abfe45d0a
SHA512

96a9e8b82f588edce8b5d1b7c513883415e6e700b953261d76c7c28e218df5abf755dec2aba7625f48b8c96a8f5dcb1c881b25ae6d0eca8abc7f23d3ccbcd725
SSDEEP

3072:UZOcXlWZvIyoNJxmaKrQUdM24BOcXlWZvIyoNJxmaKrQUxM24:QOceOHx6rQDzOceOHx6rQv

Score

10^/10

modiloader discovery trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2668-44-0x0000000000400000-0x0000000000432000-memory.dmp	modiloader_stage2

Executes dropped EXE 4 IoCs

pid	Process
2680	sys.exe
2780	sys.exe
2688	sys.exe
2640	sys.exe

Loads dropped DLL 6 IoCs

pid	Process
2668	d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe
2668	d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe
2680	sys.exe
2668	d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe
2668	d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe
2688	sys.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2680 set thread context of 2780	2680	sys.exe	31
PID 2680 set thread context of 0	2680	sys.exe
PID 2688 set thread context of 2640	2688	sys.exe	33
PID 2688 set thread context of 0	2688	sys.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000012118-4.dat	upx
behavioral1/memory/2680-11-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/2680-22-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/files/0x0007000000012118-38.dat	upx
behavioral1/memory/2688-58-0x0000000000400000-0x0000000000430000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2780	sys.exe
2780	sys.exe
2640	sys.exe
2640	sys.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2680	sys.exe
2688	sys.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2680	2668	d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2680	2668	d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2680	2668	d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2680	2668	d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe	30
PID 2680 wrote to memory of 2780	2680	sys.exe	31
PID 2680 wrote to memory of 2780	2680	sys.exe	31
PID 2680 wrote to memory of 2780	2680	sys.exe	31
PID 2680 wrote to memory of 2780	2680	sys.exe	31
PID 2680 wrote to memory of 2780	2680	sys.exe	31
PID 2680 wrote to memory of 2780	2680	sys.exe	31
PID 2680 wrote to memory of 2780	2680	sys.exe	31
PID 2680 wrote to memory of 2780	2680	sys.exe	31
PID 2680 wrote to memory of 0	2680	sys.exe
PID 2680 wrote to memory of 0	2680	sys.exe
PID 2680 wrote to memory of 0	2680	sys.exe
PID 2680 wrote to memory of 0	2680	sys.exe
PID 2780 wrote to memory of 1220	2780	sys.exe	21
PID 2780 wrote to memory of 1220	2780	sys.exe	21
PID 2780 wrote to memory of 1220	2780	sys.exe	21
PID 2780 wrote to memory of 1220	2780	sys.exe	21
PID 2668 wrote to memory of 2688	2668	d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2688	2668	d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2688	2668	d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2688	2668	d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe	32
PID 2688 wrote to memory of 2640	2688	sys.exe	33
PID 2688 wrote to memory of 2640	2688	sys.exe	33
PID 2688 wrote to memory of 2640	2688	sys.exe	33
PID 2688 wrote to memory of 2640	2688	sys.exe	33
PID 2688 wrote to memory of 2640	2688	sys.exe	33
PID 2688 wrote to memory of 2640	2688	sys.exe	33
PID 2688 wrote to memory of 2640	2688	sys.exe	33
PID 2688 wrote to memory of 2640	2688	sys.exe	33
PID 2688 wrote to memory of 0	2688	sys.exe
PID 2688 wrote to memory of 0	2688	sys.exe
PID 2688 wrote to memory of 0	2688	sys.exe
PID 2688 wrote to memory of 0	2688	sys.exe
PID 2640 wrote to memory of 1220	2640	sys.exe	21
PID 2640 wrote to memory of 1220	2640	sys.exe	21
PID 2640 wrote to memory of 1220	2640	sys.exe	21
PID 2640 wrote to memory of 1220	2640	sys.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\sys.exe
    "C:\Users\Admin\AppData\Local\Temp\sys.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\sys.exe
      "C:\Users\Admin\AppData\Local\Temp\sys.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2780
- - C:\Users\Admin\AppData\Local\Temp\sys.exe
    "C:\Users\Admin\AppData\Local\Temp\sys.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Users\Admin\AppData\Local\Temp\sys.exe
      "C:\Users\Admin\AppData\Local\Temp\sys.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sys.exe

Filesize
80KB

MD5
f365930d84aa84aaf254a40fe2852ac6

SHA1
ed63672e5364bd8a7eedd21d48ff2c7304ec502c

SHA256
bb2d069adecdb05c683206376927bf8cd9633e49b1b620078f2cb015ac54d8bb

SHA512
99b1c975c7d6a4e99f49bd51e6c6f9d5666526ee3ee846775565af9d620bbe849b307165065eba90ed834380be498f3f0e47a8fa26cc105ceb814e29c2d19672

Download Submit
\Users\Admin\AppData\Local\Temp\sys.exe

Filesize
80KB

MD5
715715237a0bfb04d226485f79893be0

SHA1
bc6a1f5ad7d4e09491512b67cd01e6497125060f

SHA256
209b2abaa0e7996a6be8f38f72b1aa16b84b1de86b8f80db33b718f607c8bf78

SHA512
d3af21e34527a4ea0d866140f272c82184d962b6ad64383fde692df28c5a880ffad5c222d46de31dac838d0b79e10d7e7b8aaa0da0e64ced8834eb5ac6ec0927

Download Submit
memory/1220-23-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1220-26-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/2640-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2640-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2668-44-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2668-45-0x0000000002430000-0x0000000002460000-memory.dmp

Filesize
192KB

Download
memory/2668-9-0x0000000002430000-0x0000000002460000-memory.dmp

Filesize
192KB

Download
memory/2668-10-0x0000000002430000-0x0000000002460000-memory.dmp

Filesize
192KB

Download
memory/2680-22-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2680-11-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2688-58-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2780-16-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2780-19-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2780-20-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download