modiloader | f1d856023c3980c83cc8e15bcb962db208ca8d7112c58b5e6df6279a36073a09

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/12/2024, 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe
Size

294KB
MD5

d74f54b77e0c4fed6b92e5c05a25894b
SHA1

c1fe5e83e96b66a99283635a8680dc166848a74b
SHA256

f1d856023c3980c83cc8e15bcb962db208ca8d7112c58b5e6df6279a36073a09
SHA512

50172b652c7e5f5b851dbbc4ef4c9ca42770303d7e65575d35463ad7e80a1621def0e26e75977f7b460b4a79734e48d6f91b23ad3a1fe0ec6fa2b8417e562dc6
SSDEEP

6144:vVrhP9RbTRXkqaSFJoFJX+TWgUW4iRLA3zm+2tfvCuZwo/Zk/6hFBR47396xrZk:LP/bT5kqa8MJOWCAYvThkR3oxrO

Score

10^/10

modiloader defense_evasion discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016cc5-14.dat	modiloader_stage2
behavioral1/memory/2904-19-0x0000000000400000-0x000000000046B000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2904	âûàûâ.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	âûàûâ.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	âûàûâ.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	âûàûâ.exe

Loads dropped DLL 1 IoCs

pid	Process
1800	d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\âûàûâ.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\âûàûâ.exe"	âûàûâ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	âûàûâ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2204	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe
2904	âûàûâ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2904	âûàûâ.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 1788	1800	d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe	30
PID 1800 wrote to memory of 1788	1800	d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe	30
PID 1800 wrote to memory of 1788	1800	d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe	30
PID 1800 wrote to memory of 1788	1800	d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe	30
PID 1800 wrote to memory of 2904	1800	d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe	32
PID 1800 wrote to memory of 2904	1800	d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe	32
PID 1800 wrote to memory of 2904	1800	d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe	32
PID 1800 wrote to memory of 2904	1800	d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe	32
PID 1788 wrote to memory of 2204	1788	cmd.exe	33
PID 1788 wrote to memory of 2204	1788	cmd.exe	33
PID 1788 wrote to memory of 2204	1788	cmd.exe	33
PID 1788 wrote to memory of 2204	1788	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Build.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\reg.exe
    Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot\*.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2204
- C:\Users\Admin\AppData\Local\Temp\âûàûâ.exe
  "C:\Users\Admin\AppData\Local\Temp\âûàûâ.exe"
  2⤵
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2904

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Build.bat

Filesize
1KB

MD5
3f5b9f2b34b14f22b7775c2c0a91f1a2

SHA1
0297877c09e7761df5a5980bcaf1b0b0262709da

SHA256
cf63ce623bddd27c7b62a49aa40cd5a231fbdbde94405a8a10c13eb6a8b49ba8

SHA512
8e68daf530086151c0146d74da292d26ea15c67adfed763209ebb984c8b622008f721fe3e2d5ae8b1b599d57976319ee6f653589f50e0f97620b1baefeda69b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\âûàûâ.exe

Filesize
401KB

MD5
4bc37f0a2f0920dbca852fedaf8eea47

SHA1
b65c15ea93416ddc135ec808e1b57bd1dd800459

SHA256
0cc0ff43a156227bdfba1d777cd8738021607c3ed8a330548c37ad26d63afa03

SHA512
b5ed2976bb6433fd1617dd8271871543e588c9562a341289d18eea010b1c285d1a4dcb303027ea0689ec7e1a8d5be9c85cd21b8ed764fe9040bf537582e9abcd

Download Submit
memory/2904-17-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2904-20-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2904-19-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download