modiloader | d9a3874f938879317a93cda4cc0eb7e3a58e388bcd23c83eacb90824fbbc4680

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe
Size

3.0MB
MD5

d06911e47926e4f42b13cd50b8bafe64
SHA1

e8898d04a2447e2fcf6dbf8170a8ad32dfa5f937
SHA256

d9a3874f938879317a93cda4cc0eb7e3a58e388bcd23c83eacb90824fbbc4680
SHA512

78a1e2b2a15a2f8ed42741fc7f06c3afbd4e3173b600d3ec8cbf8a04fd117fbc5bb2669a0acce9a535f6cc6377a72543569e93f92e4b46cb734291541c6f4c31
SSDEEP

49152:k6E/tOO6mW3DXN5vQWzK89XWwlYgLWI0fbheI85SD:kfOO6m0vtK8hWwlxgNeFsD

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 6 IoCs

resource	yara_rule
behavioral1/memory/2364-33-0x0000000000400000-0x00000000006FD000-memory.dmp	modiloader_stage2
behavioral1/memory/2364-46-0x00000000048A0000-0x0000000004B9D000-memory.dmp	modiloader_stage2
behavioral1/memory/2364-45-0x0000000003560000-0x0000000003660000-memory.dmp	modiloader_stage2
behavioral1/memory/2364-69-0x0000000000400000-0x00000000006FD000-memory.dmp	modiloader_stage2
behavioral1/memory/2676-70-0x0000000000400000-0x00000000006FD000-memory.dmp	modiloader_stage2
behavioral1/memory/2676-72-0x0000000000400000-0x00000000006FD000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
1932	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2676	rejoice47.exe

Loads dropped DLL 5 IoCs

pid	Process
2364	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe
2364	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_rejoice47.exe	rejoice47.exe
File opened for modification	C:\Windows\SysWOW64\_rejoice47.exe	rejoice47.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2676 set thread context of 2852	2676	rejoice47.exe	32

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2704	2676	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rejoice47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2676	2364	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2676	2364	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2676	2364	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2676	2364	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2852	2676	rejoice47.exe	32
PID 2676 wrote to memory of 2852	2676	rejoice47.exe	32
PID 2676 wrote to memory of 2852	2676	rejoice47.exe	32
PID 2676 wrote to memory of 2852	2676	rejoice47.exe	32
PID 2676 wrote to memory of 2852	2676	rejoice47.exe	32
PID 2676 wrote to memory of 2852	2676	rejoice47.exe	32
PID 2676 wrote to memory of 2704	2676	rejoice47.exe	33
PID 2676 wrote to memory of 2704	2676	rejoice47.exe	33
PID 2676 wrote to memory of 2704	2676	rejoice47.exe	33
PID 2676 wrote to memory of 2704	2676	rejoice47.exe	33
PID 2364 wrote to memory of 1932	2364	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe	34
PID 2364 wrote to memory of 1932	2364	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe	34
PID 2364 wrote to memory of 1932	2364	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe	34
PID 2364 wrote to memory of 1932	2364	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe	34
PID 2364 wrote to memory of 1932	2364	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe	34
PID 2364 wrote to memory of 1932	2364	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe	34
PID 2364 wrote to memory of 1932	2364	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 300
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\SetupDel.bat

Filesize
212B

MD5
e37865df95851655761d369360d1d505

SHA1
708c1fb2327ddc987279f224569bfefb232f1e06

SHA256
9ac224daae60c522aaea533f55b9db70ce0ba7a656def34fe1127ff0727ce7ee

SHA512
524abfdf79210a923c2ce5e7bf355751e33866338e025b4700be4903dd1a773e68ed8c1857c6d28ef5865048cb7f2c0e74e4c42a40e6baaf00e36ae2be86c571

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice47.exe

Filesize
3.0MB

MD5
d06911e47926e4f42b13cd50b8bafe64

SHA1
e8898d04a2447e2fcf6dbf8170a8ad32dfa5f937

SHA256
d9a3874f938879317a93cda4cc0eb7e3a58e388bcd23c83eacb90824fbbc4680

SHA512
78a1e2b2a15a2f8ed42741fc7f06c3afbd4e3173b600d3ec8cbf8a04fd117fbc5bb2669a0acce9a535f6cc6377a72543569e93f92e4b46cb734291541c6f4c31

Download Submit
memory/2364-15-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2364-60-0x0000000003660000-0x0000000003661000-memory.dmp

Filesize
4KB

Download
memory/2364-8-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/2364-7-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/2364-10-0x0000000003560000-0x0000000003660000-memory.dmp

Filesize
1024KB

Download
memory/2364-6-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/2364-5-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/2364-30-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/2364-29-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/2364-28-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2364-33-0x0000000000400000-0x00000000006FD000-memory.dmp

Filesize
3.0MB

Download
memory/2364-34-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/2364-27-0x00000000035B0000-0x00000000035B1000-memory.dmp

Filesize
4KB

Download
memory/2364-26-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/2364-25-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/2364-24-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/2364-23-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2364-22-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2364-21-0x0000000003560000-0x0000000003563000-memory.dmp

Filesize
12KB

Download
memory/2364-18-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/2364-17-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2364-16-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2364-0-0x0000000000400000-0x00000000006FD000-memory.dmp

Filesize
3.0MB

Download
memory/2364-9-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/2364-4-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/2364-12-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2364-11-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2364-13-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2364-20-0x0000000003660000-0x0000000003661000-memory.dmp

Filesize
4KB

Download
memory/2364-19-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/2364-3-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/2364-2-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/2364-37-0x0000000000300000-0x0000000000354000-memory.dmp

Filesize
336KB

Download
memory/2364-43-0x00000000048A0000-0x0000000004B9D000-memory.dmp

Filesize
3.0MB

Download
memory/2364-51-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/2364-69-0x0000000000400000-0x00000000006FD000-memory.dmp

Filesize
3.0MB

Download
memory/2364-46-0x00000000048A0000-0x0000000004B9D000-memory.dmp

Filesize
3.0MB

Download
memory/2364-45-0x0000000003560000-0x0000000003660000-memory.dmp

Filesize
1024KB

Download
memory/2364-1-0x0000000000300000-0x0000000000354000-memory.dmp

Filesize
336KB

Download
memory/2364-14-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/2676-44-0x0000000000400000-0x00000000006FD000-memory.dmp

Filesize
3.0MB

Download
memory/2676-48-0x0000000000800000-0x0000000000854000-memory.dmp

Filesize
336KB

Download
memory/2676-70-0x0000000000400000-0x00000000006FD000-memory.dmp

Filesize
3.0MB

Download
memory/2676-71-0x0000000000800000-0x0000000000854000-memory.dmp

Filesize
336KB

Download
memory/2676-72-0x0000000000400000-0x00000000006FD000-memory.dmp

Filesize
3.0MB

Download
memory/2852-53-0x0000000000400000-0x00000000006FD000-memory.dmp

Filesize
3.0MB

Download
memory/2852-52-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download