modiloader | dc1d7dc22511ce01af67bccc833de3e9d9119f11eb5da4292f90c8b0b8d0621d

Analysis

max time kernel
92s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d36f50a40d127a49df5d363aefa62909_JaffaCakes118.exe
Size

36KB
MD5

d36f50a40d127a49df5d363aefa62909
SHA1

6f8f5f662f7e422b4456546a4aa7d54194c48688
SHA256

dc1d7dc22511ce01af67bccc833de3e9d9119f11eb5da4292f90c8b0b8d0621d
SHA512

3a404d7c63c90d3fefc6b01dc3e9f2a0920db25be4e7a755dc2eccf7b7bb8d6f681a879f18128c2f6681537fa0a2c1fbc599fc22b1367b775696b3d4e6ae53f7
SSDEEP

768:o12Zohqmbw35aKIO//TX6h6aakTzcgHcDol5dqT4FaM4Q4:o12KNbwpiOzKXTzcgHcDmqT4FB4

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/4956-13-0x00000000006B0000-0x00000000006D3000-memory.dmp	modiloader_stage2

Loads dropped DLL 2 IoCs

pid	Process
4956	d36f50a40d127a49df5d363aefa62909_JaffaCakes118.exe
4956	d36f50a40d127a49df5d363aefa62909_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\atmQQ2.dll	d36f50a40d127a49df5d363aefa62909_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d36f50a40d127a49df5d363aefa62909_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4956	d36f50a40d127a49df5d363aefa62909_JaffaCakes118.exe
4956	d36f50a40d127a49df5d363aefa62909_JaffaCakes118.exe
4956	d36f50a40d127a49df5d363aefa62909_JaffaCakes118.exe
4956	d36f50a40d127a49df5d363aefa62909_JaffaCakes118.exe
4956	d36f50a40d127a49df5d363aefa62909_JaffaCakes118.exe
4956	d36f50a40d127a49df5d363aefa62909_JaffaCakes118.exe
4956	d36f50a40d127a49df5d363aefa62909_JaffaCakes118.exe
4956	d36f50a40d127a49df5d363aefa62909_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4956	d36f50a40d127a49df5d363aefa62909_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\d36f50a40d127a49df5d363aefa62909_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d36f50a40d127a49df5d363aefa62909_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\MSInfo\atmQQ2.dll

Filesize
20KB

MD5
c313e21e1675a460469293354a85c37e

SHA1
f1c8487bf1e30d4aadf6efb4a92f39802203df6f

SHA256
efacfcf2d06f1139000c3e77f3d6bec3f3fdb6a79ab67c70a81fd766d303b82d

SHA512
1d1c85d7affd92c2563e38d1d6b61bd32912b031d584943f3c6593ceabdf55c3c475dc7ef4a4bba137da1e26e8c146128384437771d566c269ee0a357c5a4095

Download Submit
memory/4956-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4956-1-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/4956-2-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4956-10-0x00000000006B0000-0x00000000006D3000-memory.dmp

Filesize
140KB

Download
memory/4956-9-0x00000000006B0000-0x00000000006D3000-memory.dmp

Filesize
140KB

Download
memory/4956-11-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4956-12-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/4956-13-0x00000000006B0000-0x00000000006D3000-memory.dmp

Filesize
140KB

Download