modiloader | 05de89c7568e56789746623d5dcd674308390095a07758438a2e3132090fce2d

Analysis

max time kernel
12s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe
Size

633KB
MD5

e38d597e16fa38ba98eddd7e9efdd985
SHA1

abcef5a1d55fdf3b3e163104bb4cc8d634094b1c
SHA256

05de89c7568e56789746623d5dcd674308390095a07758438a2e3132090fce2d
SHA512

1926377d77fcfb11a8a83cd49323f06cb535f956e675f3d7719dbbf6ec3576985079225335fd230630298ea2a563d09b22cecd1b7223cf35891c3546628094a8
SSDEEP

12288:cUDAdUS9kJ8lGy+bJH0QZ/z/QXmu2j6JwPJ8cdBDx3bpMwQc:cO0USVHKqXmHoiBN3Kw5

Score

10^/10

modiloader discovery execution persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2792-14-0x0000000000400000-0x0000000000481000-memory.dmp	modiloader_stage2

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
2844	cmd.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sys_temtray.exe	e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sys_temtrayr.exe	e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sys_temtray.ini	e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sys_temtray.ini	e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sys_temtray.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\sys_temtray.exe	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2792-0-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2792-14-0x0000000000400000-0x0000000000481000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2144	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
2932	net.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2892	2792	e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe	29
PID 2792 wrote to memory of 2892	2792	e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe	29
PID 2792 wrote to memory of 2892	2792	e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe	29
PID 2792 wrote to memory of 2892	2792	e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe	29
PID 2892 wrote to memory of 2144	2892	cmd.exe	31
PID 2892 wrote to memory of 2144	2892	cmd.exe	31
PID 2892 wrote to memory of 2144	2892	cmd.exe	31
PID 2892 wrote to memory of 2144	2892	cmd.exe	31
PID 2792 wrote to memory of 2468	2792	e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe	32
PID 2792 wrote to memory of 2468	2792	e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe	32
PID 2792 wrote to memory of 2468	2792	e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe	32
PID 2792 wrote to memory of 2468	2792	e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe	32
PID 2792 wrote to memory of 2860	2792	e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe	34
PID 2792 wrote to memory of 2860	2792	e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe	34
PID 2792 wrote to memory of 2860	2792	e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe	34
PID 2792 wrote to memory of 2860	2792	e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe	34
PID 2860 wrote to memory of 2932	2860	cmd.exe	36
PID 2860 wrote to memory of 2932	2860	cmd.exe	36
PID 2860 wrote to memory of 2932	2860	cmd.exe	36
PID 2860 wrote to memory of 2932	2860	cmd.exe	36
PID 2932 wrote to memory of 2980	2932	net.exe	37
PID 2932 wrote to memory of 2980	2932	net.exe	37
PID 2932 wrote to memory of 2980	2932	net.exe	37
PID 2932 wrote to memory of 2980	2932	net.exe	37
PID 2792 wrote to memory of 2844	2792	e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe	38
PID 2792 wrote to memory of 2844	2792	e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe	38
PID 2792 wrote to memory of 2844	2792	e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe	38
PID 2792 wrote to memory of 2844	2792	e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe	38

C:\Users\Admin\AppData\Local\Temp\e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c sc create WinServerView binpath= "C:\Windows\system32\sys_temtray.exe" type= share start= auto displayname= "systemtray" depend= RPCSS/Tcpip/IPSec
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\sc.exe
    sc create WinServerView binpath= "C:\Windows\system32\sys_temtray.exe" type= share start= auto displayname= "systemtray" depend= RPCSS/Tcpip/IPSec
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2144
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\e38d597e16fa38ba98eddd7e9efdd985_JaffaCakes118.exe" "C:\Windows\system32\sys_temtray.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2468
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net start WinServerView
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\net.exe
    net start WinServerView
    3⤵
    - System Location Discovery: System Language Discovery
    - Discovers systems in the same network
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start WinServerView
      4⤵
      System Location Discovery: System Language Discovery
      PID:2980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\del.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Network Share Discovery

T1135

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\del.bat

Filesize
212B

MD5
86f0a336a3fc662f71e10730a6414b96

SHA1
77f02066ae09ad1be080d17bd180f9152a0b9e3f

SHA256
b85a75c21f782203937e16b157d6c1f07ff49a5d5773b91443d23d69813d2c2f

SHA512
fc4c00e9da3d3db40be4565c667e5d6a54aeb6e29cb078c8758ec748d0dfeac40598e2d426b8064da9d5dd4ef52de525795bb132ee429751b58ae8f6d3c314f0

Download Submit
memory/2792-0-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2792-1-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2792-14-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download