modiloader | f1d856023c3980c83cc8e15bcb962db208ca8d7112c58b5e6df6279a36073a09

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/12/2024, 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe
Size

294KB
MD5

d74f54b77e0c4fed6b92e5c05a25894b
SHA1

c1fe5e83e96b66a99283635a8680dc166848a74b
SHA256

f1d856023c3980c83cc8e15bcb962db208ca8d7112c58b5e6df6279a36073a09
SHA512

50172b652c7e5f5b851dbbc4ef4c9ca42770303d7e65575d35463ad7e80a1621def0e26e75977f7b460b4a79734e48d6f91b23ad3a1fe0ec6fa2b8417e562dc6
SSDEEP

6144:vVrhP9RbTRXkqaSFJoFJX+TWgUW4iRLA3zm+2tfvCuZwo/Zk/6hFBR47396xrZk:LP/bT5kqa8MJOWCAYvThkR3oxrO

Score

10^/10

modiloader defense_evasion discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b92-8.dat	modiloader_stage2
behavioral2/memory/4148-15-0x0000000000400000-0x000000000046B000-memory.dmp	modiloader_stage2
behavioral2/memory/4148-19-0x0000000000400000-0x000000000046B000-memory.dmp	modiloader_stage2
behavioral2/memory/4148-26-0x0000000000400000-0x000000000046B000-memory.dmp	modiloader_stage2
behavioral2/memory/4148-27-0x0000000000400000-0x000000000046B000-memory.dmp	modiloader_stage2

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4148	âûàûâ.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	âûàûâ.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	âûàûâ.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	âûàûâ.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	âûàûâ.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	âûàûâ.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	âûàûâ.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\âûàûâ.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\âûàûâ.exe"	âûàûâ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	âûàûâ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1524	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe
4148	âûàûâ.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3980	explorer.exe
Token: SeCreatePagefilePrivilege	3980	explorer.exe
Token: SeShutdownPrivilege	3980	explorer.exe
Token: SeCreatePagefilePrivilege	3980	explorer.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 324	4344	d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe	86
PID 4344 wrote to memory of 324	4344	d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe	86
PID 4344 wrote to memory of 324	4344	d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe	86
PID 4344 wrote to memory of 4148	4344	d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe	88
PID 4344 wrote to memory of 4148	4344	d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe	88
PID 4344 wrote to memory of 4148	4344	d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe	88
PID 324 wrote to memory of 1524	324	cmd.exe	89
PID 324 wrote to memory of 1524	324	cmd.exe	89
PID 324 wrote to memory of 1524	324	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Build.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\Windows\SysWOW64\reg.exe
    Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot\*.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1524
- C:\Users\Admin\AppData\Local\Temp\âûàûâ.exe
  "C:\Users\Admin\AppData\Local\Temp\âûàûâ.exe"
  2⤵
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4148

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Suspicious use of AdjustPrivilegeToken
PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Build.bat

Filesize
1KB

MD5
3f5b9f2b34b14f22b7775c2c0a91f1a2

SHA1
0297877c09e7761df5a5980bcaf1b0b0262709da

SHA256
cf63ce623bddd27c7b62a49aa40cd5a231fbdbde94405a8a10c13eb6a8b49ba8

SHA512
8e68daf530086151c0146d74da292d26ea15c67adfed763209ebb984c8b622008f721fe3e2d5ae8b1b599d57976319ee6f653589f50e0f97620b1baefeda69b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\âûàûâ.exe

Filesize
401KB

MD5
4bc37f0a2f0920dbca852fedaf8eea47

SHA1
b65c15ea93416ddc135ec808e1b57bd1dd800459

SHA256
0cc0ff43a156227bdfba1d777cd8738021607c3ed8a330548c37ad26d63afa03

SHA512
b5ed2976bb6433fd1617dd8271871543e588c9562a341289d18eea010b1c285d1a4dcb303027ea0689ec7e1a8d5be9c85cd21b8ed764fe9040bf537582e9abcd

Download Submit
memory/4148-13-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4148-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4148-16-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4148-19-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4148-26-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4148-27-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download