modiloader | b6194ae5a8f402884e219079d1466bd4ee928639f9fde2897d0a204b4d175352

Analysis

max time kernel
140s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e89560249207a5689cddde4064c7e864_JaffaCakes118.exe
Size

3.6MB
MD5

e89560249207a5689cddde4064c7e864
SHA1

03a7139fd398b13110ac280875274b1bf736f1e1
SHA256

b6194ae5a8f402884e219079d1466bd4ee928639f9fde2897d0a204b4d175352
SHA512

7299274fc6b93f17134d0d90cd66518f46c70e3dc6b677da0cd2ab229cdbc889a65e2924f58277d1801276489be386433c9ee07a84772d99cd7cf610beb83c88
SSDEEP

98304:+RPcUW2LtV4WUAC/GrzE91Gj+kf67EZbD2VG81d:+cUW8iWUAIE/j+u6Y5wvd

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000001956c-9.dat	modiloader_stage2
behavioral1/memory/2664-17-0x0000000000400000-0x00000000004BC000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2664	1.exe

Loads dropped DLL 5 IoCs

pid	Process
2596	WScript.exe
2596	WScript.exe
2664	1.exe
2664	1.exe
2664	1.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e89560249207a5689cddde4064c7e864_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2848	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2848	vlc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	2876	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2876	AUDIODG.EXE
Token: 33	2876	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2876	AUDIODG.EXE
Token: 33	2848	vlc.exe
Token: SeIncBasePriorityPrivilege	2848	vlc.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2848	vlc.exe
2848	vlc.exe
2848	vlc.exe
2848	vlc.exe
2848	vlc.exe
2848	vlc.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2848	vlc.exe
2848	vlc.exe
2848	vlc.exe
2848	vlc.exe
2848	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2848	vlc.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 2596	1308	e89560249207a5689cddde4064c7e864_JaffaCakes118.exe	29
PID 1308 wrote to memory of 2596	1308	e89560249207a5689cddde4064c7e864_JaffaCakes118.exe	29
PID 1308 wrote to memory of 2596	1308	e89560249207a5689cddde4064c7e864_JaffaCakes118.exe	29
PID 1308 wrote to memory of 2596	1308	e89560249207a5689cddde4064c7e864_JaffaCakes118.exe	29
PID 1308 wrote to memory of 2596	1308	e89560249207a5689cddde4064c7e864_JaffaCakes118.exe	29
PID 1308 wrote to memory of 2596	1308	e89560249207a5689cddde4064c7e864_JaffaCakes118.exe	29
PID 1308 wrote to memory of 2596	1308	e89560249207a5689cddde4064c7e864_JaffaCakes118.exe	29
PID 2596 wrote to memory of 2848	2596	WScript.exe	30
PID 2596 wrote to memory of 2848	2596	WScript.exe	30
PID 2596 wrote to memory of 2848	2596	WScript.exe	30
PID 2596 wrote to memory of 2848	2596	WScript.exe	30
PID 2596 wrote to memory of 2664	2596	WScript.exe	31
PID 2596 wrote to memory of 2664	2596	WScript.exe	31
PID 2596 wrote to memory of 2664	2596	WScript.exe	31
PID 2596 wrote to memory of 2664	2596	WScript.exe	31
PID 2596 wrote to memory of 2664	2596	WScript.exe	31
PID 2596 wrote to memory of 2664	2596	WScript.exe	31
PID 2596 wrote to memory of 2664	2596	WScript.exe	31
PID 2664 wrote to memory of 2976	2664	1.exe	32
PID 2664 wrote to memory of 2976	2664	1.exe	32
PID 2664 wrote to memory of 2976	2664	1.exe	32
PID 2664 wrote to memory of 2976	2664	1.exe	32

C:\Users\Admin\AppData\Local\Temp\e89560249207a5689cddde4064c7e864_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e89560249207a5689cddde4064c7e864_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.vbe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.wma"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2848
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe" /start
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\program files\internet explorer\IEXPLORE.EXE
      "C:\program files\internet explorer\IEXPLORE.EXE"
      4⤵
      PID:2976

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5c0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe

Filesize
676KB

MD5
d4b9f90b5e2664308f32ca54329c907e

SHA1
237d42ddc532d58ead03651d7f6c8755e9599c16

SHA256
23d659868fb6fa151b3ef1202304c93a1ede4a9f27c178943fc78e8c9173c431

SHA512
ca8887849935fc5f98d20f4ae7ab6fba1cd9d2b157174c82a1915d1a6a05fa67bb20ac6ab73bc1e194009b2a5163fa2e7caa5f5fe70f76ccc0e373bb6eee05cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.vbe

Filesize
94B

MD5
9105ec99418f309deb93ec69e9108330

SHA1
53c1da2eee934f7bddc155ab857b39723744bf35

SHA256
2a61dc4cb8374fd88247c069ea2ece4b8b6cad9237f8a1fd6e68879584ac3f5a

SHA512
23d461163637efead41c8f59321c7f66a360ba2d85c74cab4b2ceeaba81bd6c051a960087948e0fb88ac812512a2e019c7a7bcb879c2902e0d3d558fb2356a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.wma

Filesize
3.3MB

MD5
240b327bdcb93918ab6eb34b0b6e6cc1

SHA1
8fe0d141414e9779e3b89f23835951888ef4fafd

SHA256
1d3a8c99184ae2cb66ab80bb57da26b3cc4c9c2f091869c67a61d3e226bc9673

SHA512
c877a7dbc3b48358f8b9bdce5b13c584bc5a223bba5b36e77f6b60b85e29e74d717a012281db357e3b05c9dda2eb8392bad21fb1ea50a453b7583e0af6373779

Download Submit
memory/1308-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2664-17-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2848-41-0x000007FEF6FD0000-0x000007FEF6FEB000-memory.dmp

Filesize
108KB

Download
memory/2848-37-0x000007FEF76B0000-0x000007FEF76C8000-memory.dmp

Filesize
96KB

Download
memory/2848-27-0x000007FEFB370000-0x000007FEFB388000-memory.dmp

Filesize
96KB

Download
memory/2848-31-0x000007FEF77D0000-0x000007FEF77E1000-memory.dmp

Filesize
68KB

Download
memory/2848-32-0x000007FEF77B0000-0x000007FEF77CD000-memory.dmp

Filesize
116KB

Download
memory/2848-26-0x000007FEF6560000-0x000007FEF6816000-memory.dmp

Filesize
2.7MB

Download
memory/2848-30-0x000007FEF77F0000-0x000007FEF7807000-memory.dmp

Filesize
92KB

Download
memory/2848-29-0x000007FEF7810000-0x000007FEF7821000-memory.dmp

Filesize
68KB

Download
memory/2848-28-0x000007FEF7830000-0x000007FEF7847000-memory.dmp

Filesize
92KB

Download
memory/2848-34-0x000007FEF7750000-0x000007FEF7761000-memory.dmp

Filesize
68KB

Download
memory/2848-43-0x000007FEF6990000-0x000007FEF69A8000-memory.dmp

Filesize
96KB

Download
memory/2848-44-0x000007FEF6960000-0x000007FEF6990000-memory.dmp

Filesize
192KB

Download
memory/2848-45-0x000007FEF6260000-0x000007FEF62C7000-memory.dmp

Filesize
412KB

Download
memory/2848-33-0x000007FEF62D0000-0x000007FEF64DB000-memory.dmp

Filesize
2.0MB

Download
memory/2848-42-0x000007FEF69B0000-0x000007FEF69C1000-memory.dmp

Filesize
68KB

Download
memory/2848-25-0x000007FEF7850000-0x000007FEF7884000-memory.dmp

Filesize
208KB

Download
memory/2848-40-0x000007FEF7650000-0x000007FEF7661000-memory.dmp

Filesize
68KB

Download
memory/2848-39-0x000007FEF7670000-0x000007FEF7681000-memory.dmp

Filesize
68KB

Download
memory/2848-38-0x000007FEF7690000-0x000007FEF76A1000-memory.dmp

Filesize
68KB

Download
memory/2848-24-0x000000013FCD0000-0x000000013FDC8000-memory.dmp

Filesize
992KB

Download
memory/2848-36-0x000007FEF76D0000-0x000007FEF76F1000-memory.dmp

Filesize
132KB

Download
memory/2848-35-0x000007FEF7700000-0x000007FEF7741000-memory.dmp

Filesize
260KB

Download
memory/2848-49-0x000007FEF6530000-0x000007FEF6554000-memory.dmp

Filesize
144KB

Download
memory/2848-48-0x000007FEF6940000-0x000007FEF6951000-memory.dmp

Filesize
68KB

Download
memory/2848-54-0x000007FEF4F40000-0x000007FEF4F51000-memory.dmp

Filesize
68KB

Download
memory/2848-59-0x000007FEF2FD0000-0x000007FEF2FE2000-memory.dmp

Filesize
72KB

Download
memory/2848-60-0x000007FEF2E50000-0x000007FEF2FCA000-memory.dmp

Filesize
1.5MB

Download
memory/2848-46-0x000007FEF51B0000-0x000007FEF6260000-memory.dmp

Filesize
16.7MB

Download
memory/2848-58-0x000007FEF2FF0000-0x000007FEF3001000-memory.dmp

Filesize
68KB

Download
memory/2848-57-0x000007FEF3330000-0x000007FEF3345000-memory.dmp

Filesize
84KB

Download
memory/2848-56-0x000007FEF4E50000-0x000007FEF4F15000-memory.dmp

Filesize
788KB

Download
memory/2848-55-0x000007FEF4F20000-0x000007FEF4F36000-memory.dmp

Filesize
88KB

Download
memory/2848-53-0x000007FEF4F60000-0x000007FEF4F8F000-memory.dmp

Filesize
188KB

Download
memory/2848-52-0x000007FEF6520000-0x000007FEF6530000-memory.dmp

Filesize
64KB

Download
memory/2848-51-0x000007FEF4F90000-0x000007FEF4FA7000-memory.dmp

Filesize
92KB

Download
memory/2848-50-0x000007FEF4FB0000-0x000007FEF5130000-memory.dmp

Filesize
1.5MB

Download
memory/2848-47-0x000007FEF5130000-0x000007FEF51AC000-memory.dmp

Filesize
496KB

Download
memory/2848-63-0x000007FEF6560000-0x000007FEF6816000-memory.dmp

Filesize
2.7MB

Download