modiloader | 0ec6d1d92ab28d4c51093d763fbc421cd749bfbb238e7bd09cbad54abfe45d0a

Analysis

max time kernel
93s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe
Size

171KB
MD5

d023b9a1794027921c6f8b9dfc9afc49
SHA1

fa0e8e3ec2933eae7e4b84ad3f57ba6e842e9f60
SHA256

0ec6d1d92ab28d4c51093d763fbc421cd749bfbb238e7bd09cbad54abfe45d0a
SHA512

96a9e8b82f588edce8b5d1b7c513883415e6e700b953261d76c7c28e218df5abf755dec2aba7625f48b8c96a8f5dcb1c881b25ae6d0eca8abc7f23d3ccbcd725
SSDEEP

3072:UZOcXlWZvIyoNJxmaKrQUdM24BOcXlWZvIyoNJxmaKrQUxM24:QOceOHx6rQDzOceOHx6rQv

Score

10^/10

modiloader discovery trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/1040-36-0x0000000000400000-0x0000000000432000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
4952	sys.exe
2196	sys.exe
8	sys.exe
724	sys.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4952 set thread context of 2196	4952	sys.exe	84
PID 4952 set thread context of 0	4952	sys.exe
PID 8 set thread context of 724	8	sys.exe	86
PID 8 set thread context of 0	8	sys.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023b2e-4.dat	upx
behavioral2/memory/4952-11-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4952-20-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x000c000000023b2e-35.dat	upx
behavioral2/memory/8-46-0x0000000000400000-0x0000000000430000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2196	sys.exe
2196	sys.exe
2196	sys.exe
2196	sys.exe
724	sys.exe
724	sys.exe
724	sys.exe
724	sys.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4952	sys.exe
8	sys.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 4952	1040	d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe	83
PID 1040 wrote to memory of 4952	1040	d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe	83
PID 1040 wrote to memory of 4952	1040	d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe	83
PID 4952 wrote to memory of 2196	4952	sys.exe	84
PID 4952 wrote to memory of 2196	4952	sys.exe	84
PID 4952 wrote to memory of 2196	4952	sys.exe	84
PID 4952 wrote to memory of 2196	4952	sys.exe	84
PID 4952 wrote to memory of 2196	4952	sys.exe	84
PID 4952 wrote to memory of 2196	4952	sys.exe	84
PID 4952 wrote to memory of 2196	4952	sys.exe	84
PID 4952 wrote to memory of 0	4952	sys.exe
PID 4952 wrote to memory of 0	4952	sys.exe
PID 4952 wrote to memory of 0	4952	sys.exe
PID 4952 wrote to memory of 0	4952	sys.exe
PID 2196 wrote to memory of 3504	2196	sys.exe	56
PID 2196 wrote to memory of 3504	2196	sys.exe	56
PID 2196 wrote to memory of 3504	2196	sys.exe	56
PID 2196 wrote to memory of 3504	2196	sys.exe	56
PID 1040 wrote to memory of 8	1040	d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe	85
PID 1040 wrote to memory of 8	1040	d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe	85
PID 1040 wrote to memory of 8	1040	d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe	85
PID 8 wrote to memory of 724	8	sys.exe	86
PID 8 wrote to memory of 724	8	sys.exe	86
PID 8 wrote to memory of 724	8	sys.exe	86
PID 8 wrote to memory of 724	8	sys.exe	86
PID 8 wrote to memory of 724	8	sys.exe	86
PID 8 wrote to memory of 724	8	sys.exe	86
PID 8 wrote to memory of 724	8	sys.exe	86
PID 8 wrote to memory of 0	8	sys.exe
PID 8 wrote to memory of 0	8	sys.exe
PID 8 wrote to memory of 0	8	sys.exe
PID 8 wrote to memory of 0	8	sys.exe
PID 724 wrote to memory of 3504	724	sys.exe	56
PID 724 wrote to memory of 3504	724	sys.exe	56
PID 724 wrote to memory of 3504	724	sys.exe	56
PID 724 wrote to memory of 3504	724	sys.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3504
- C:\Users\Admin\AppData\Local\Temp\d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Users\Admin\AppData\Local\Temp\sys.exe
    "C:\Users\Admin\AppData\Local\Temp\sys.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - C:\Users\Admin\AppData\Local\Temp\sys.exe
      "C:\Users\Admin\AppData\Local\Temp\sys.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2196
- - C:\Users\Admin\AppData\Local\Temp\sys.exe
    "C:\Users\Admin\AppData\Local\Temp\sys.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Users\Admin\AppData\Local\Temp\sys.exe
      "C:\Users\Admin\AppData\Local\Temp\sys.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sys.exe

Filesize
80KB

MD5
f365930d84aa84aaf254a40fe2852ac6

SHA1
ed63672e5364bd8a7eedd21d48ff2c7304ec502c

SHA256
bb2d069adecdb05c683206376927bf8cd9633e49b1b620078f2cb015ac54d8bb

SHA512
99b1c975c7d6a4e99f49bd51e6c6f9d5666526ee3ee846775565af9d620bbe849b307165065eba90ed834380be498f3f0e47a8fa26cc105ceb814e29c2d19672

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys.exe

Filesize
80KB

MD5
715715237a0bfb04d226485f79893be0

SHA1
bc6a1f5ad7d4e09491512b67cd01e6497125060f

SHA256
209b2abaa0e7996a6be8f38f72b1aa16b84b1de86b8f80db33b718f607c8bf78

SHA512
d3af21e34527a4ea0d866140f272c82184d962b6ad64383fde692df28c5a880ffad5c222d46de31dac838d0b79e10d7e7b8aaa0da0e64ced8834eb5ac6ec0927

Download Submit
memory/8-46-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/724-44-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1040-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2196-17-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2196-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2196-18-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3504-21-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3504-22-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/4952-11-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4952-20-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download