modiloader | d9a3874f938879317a93cda4cc0eb7e3a58e388bcd23c83eacb90824fbbc4680

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe
Size

3.0MB
MD5

d06911e47926e4f42b13cd50b8bafe64
SHA1

e8898d04a2447e2fcf6dbf8170a8ad32dfa5f937
SHA256

d9a3874f938879317a93cda4cc0eb7e3a58e388bcd23c83eacb90824fbbc4680
SHA512

78a1e2b2a15a2f8ed42741fc7f06c3afbd4e3173b600d3ec8cbf8a04fd117fbc5bb2669a0acce9a535f6cc6377a72543569e93f92e4b46cb734291541c6f4c31
SSDEEP

49152:k6E/tOO6mW3DXN5vQWzK89XWwlYgLWI0fbheI85SD:kfOO6m0vtK8hWwlxgNeFsD

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/3256-52-0x0000000000400000-0x00000000006FD000-memory.dmp	modiloader_stage2
behavioral2/memory/1496-53-0x0000000000400000-0x00000000006FD000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
3256	rejoice47.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_rejoice47.exe	rejoice47.exe
File opened for modification	C:\Windows\SysWOW64\_rejoice47.exe	rejoice47.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rejoice47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 3256	1496	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe	83
PID 1496 wrote to memory of 3256	1496	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe	83
PID 1496 wrote to memory of 3256	1496	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe	83
PID 3256 wrote to memory of 4112	3256	rejoice47.exe	84
PID 3256 wrote to memory of 4112	3256	rejoice47.exe	84
PID 3256 wrote to memory of 4112	3256	rejoice47.exe	84
PID 3256 wrote to memory of 2840	3256	rejoice47.exe	85
PID 3256 wrote to memory of 2840	3256	rejoice47.exe	85
PID 1496 wrote to memory of 4804	1496	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe	86
PID 1496 wrote to memory of 4804	1496	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe	86
PID 1496 wrote to memory of 4804	1496	d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d06911e47926e4f42b13cd50b8bafe64_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3256
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:4112
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat

Filesize
212B

MD5
e37865df95851655761d369360d1d505

SHA1
708c1fb2327ddc987279f224569bfefb232f1e06

SHA256
9ac224daae60c522aaea533f55b9db70ce0ba7a656def34fe1127ff0727ce7ee

SHA512
524abfdf79210a923c2ce5e7bf355751e33866338e025b4700be4903dd1a773e68ed8c1857c6d28ef5865048cb7f2c0e74e4c42a40e6baaf00e36ae2be86c571

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\rejoice47.exe

Filesize
3.0MB

MD5
d06911e47926e4f42b13cd50b8bafe64

SHA1
e8898d04a2447e2fcf6dbf8170a8ad32dfa5f937

SHA256
d9a3874f938879317a93cda4cc0eb7e3a58e388bcd23c83eacb90824fbbc4680

SHA512
78a1e2b2a15a2f8ed42741fc7f06c3afbd4e3173b600d3ec8cbf8a04fd117fbc5bb2669a0acce9a535f6cc6377a72543569e93f92e4b46cb734291541c6f4c31

Download Submit
memory/1496-8-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/1496-25-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/1496-26-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/1496-7-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/1496-24-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/1496-23-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/1496-22-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/1496-21-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/1496-20-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/1496-19-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/1496-0-0x0000000000400000-0x00000000006FD000-memory.dmp

Filesize
3.0MB

Download
memory/1496-17-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/1496-6-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/1496-15-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/1496-14-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/1496-13-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/1496-12-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/1496-11-0x00000000036A0000-0x00000000037A0000-memory.dmp

Filesize
1024KB

Download
memory/1496-10-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/1496-9-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/1496-18-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/1496-27-0x00000000036A0000-0x00000000036A3000-memory.dmp

Filesize
12KB

Download
memory/1496-16-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/1496-5-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1496-4-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/1496-40-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/1496-39-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/1496-38-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/1496-37-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/1496-36-0x00000000036F0000-0x00000000036F1000-memory.dmp

Filesize
4KB

Download
memory/1496-35-0x0000000003700000-0x0000000003701000-memory.dmp

Filesize
4KB

Download
memory/1496-34-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/1496-33-0x00000000036D0000-0x00000000036D1000-memory.dmp

Filesize
4KB

Download
memory/1496-32-0x00000000036E0000-0x00000000036E1000-memory.dmp

Filesize
4KB

Download
memory/1496-31-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1496-30-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1496-3-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1496-2-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1496-1-0x00000000024E0000-0x0000000002534000-memory.dmp

Filesize
336KB

Download
memory/1496-53-0x0000000000400000-0x00000000006FD000-memory.dmp

Filesize
3.0MB

Download
memory/1496-51-0x00000000024E0000-0x0000000002534000-memory.dmp

Filesize
336KB

Download
memory/3256-52-0x0000000000400000-0x00000000006FD000-memory.dmp

Filesize
3.0MB

Download
memory/3256-50-0x0000000002280000-0x00000000022D4000-memory.dmp

Filesize
336KB

Download
memory/3256-44-0x0000000002280000-0x00000000022D4000-memory.dmp

Filesize
336KB

Download