modiloader | 96ee2876f77a9e6f40cf913b3e2b3a1a3e5497cc8f3f7ad23c8d3e36c1ace665

Analysis

max time kernel
136s
max time network
134s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5c86a0febda2795153db26378892d2f_JaffaCakes118.exe
Size

721KB
MD5

e5c86a0febda2795153db26378892d2f
SHA1

8498af250183a4d0883ad3b3e813025ac2ba409e
SHA256

96ee2876f77a9e6f40cf913b3e2b3a1a3e5497cc8f3f7ad23c8d3e36c1ace665
SHA512

52fb279ec14c431f9d2835e70bfd6c013489d30c4d204a1a685c15b664ef3287708623c1f5408a743d060b4938ec006d0a54c43b2ebdc53ca99b4e16cf9e7522
SSDEEP

12288:tc//////816/i3Y2TCwXNgPXhHbDJa22aCuYZshCcvov+uxNfUVN+FVifk7jgu1t:tc//////816AiwOlbFa2tBsv+uxhUz+N

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 8 IoCs

resource	yara_rule
behavioral1/memory/2240-4-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/2240-7-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/2240-6-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/2240-8-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/2240-16-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/2240-15-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/2240-12-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/2240-9-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2108 set thread context of 2240	2108	e5c86a0febda2795153db26378892d2f_JaffaCakes118.exe	30
PID 2240 set thread context of 2460	2240	e5c86a0febda2795153db26378892d2f_JaffaCakes118.exe	31

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\2010.txt	e5c86a0febda2795153db26378892d2f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5c86a0febda2795153db26378892d2f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5c86a0febda2795153db26378892d2f_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440180618"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{173AE5A1-B8A1-11EF-A723-5ADFF6BE2048} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2460	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2460	IEXPLORE.EXE
2460	IEXPLORE.EXE
2896	IEXPLORE.EXE
2896	IEXPLORE.EXE
2896	IEXPLORE.EXE
2896	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2240	2108	e5c86a0febda2795153db26378892d2f_JaffaCakes118.exe	30
PID 2108 wrote to memory of 2240	2108	e5c86a0febda2795153db26378892d2f_JaffaCakes118.exe	30
PID 2108 wrote to memory of 2240	2108	e5c86a0febda2795153db26378892d2f_JaffaCakes118.exe	30
PID 2108 wrote to memory of 2240	2108	e5c86a0febda2795153db26378892d2f_JaffaCakes118.exe	30
PID 2108 wrote to memory of 2240	2108	e5c86a0febda2795153db26378892d2f_JaffaCakes118.exe	30
PID 2108 wrote to memory of 2240	2108	e5c86a0febda2795153db26378892d2f_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2460	2240	e5c86a0febda2795153db26378892d2f_JaffaCakes118.exe	31
PID 2240 wrote to memory of 2460	2240	e5c86a0febda2795153db26378892d2f_JaffaCakes118.exe	31
PID 2240 wrote to memory of 2460	2240	e5c86a0febda2795153db26378892d2f_JaffaCakes118.exe	31
PID 2240 wrote to memory of 2460	2240	e5c86a0febda2795153db26378892d2f_JaffaCakes118.exe	31
PID 2240 wrote to memory of 2460	2240	e5c86a0febda2795153db26378892d2f_JaffaCakes118.exe	31
PID 2460 wrote to memory of 2896	2460	IEXPLORE.EXE	32
PID 2460 wrote to memory of 2896	2460	IEXPLORE.EXE	32
PID 2460 wrote to memory of 2896	2460	IEXPLORE.EXE	32
PID 2460 wrote to memory of 2896	2460	IEXPLORE.EXE	32

C:\Users\Admin\AppData\Local\Temp\e5c86a0febda2795153db26378892d2f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e5c86a0febda2795153db26378892d2f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\e5c86a0febda2795153db26378892d2f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e5c86a0febda2795153db26378892d2f_JaffaCakes118.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2460 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e49c24c9a4a31ead6831cddf4ba892b

SHA1
9b43aef7f7c5fa751f4c1bd41ac9c52c59b6075d

SHA256
b3b9d926153edbeebd4fd629e4978df6471bae117fba15183aaea715f2e1ae27

SHA512
a13dca0902213b8f5374d9cbc990d52b1115cbe7e35d47e67b7c4c69e9b5bd3767444dd6cb6fc1bda42227a913cc54012b0773592806057dbbe258e13421006e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac5b542e12964e6a53062654f1cc8bdd

SHA1
b92d3c070d0cfec2c5143d0bb4364d8b260315b7

SHA256
75d0d75656c150d48a717eba9b625ae54d87ecaca2eb792292dbc3123912930e

SHA512
cb73ec6db58219cb6ce910cc30fad00e59c4b1c00f1f2eff9e7f28dfefb1fa896de5d62527b06c563e4a0f0202d0b929efecd37356552b816555c429c2be1e37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98eec4cd8d6e3e9abed73d26bc7846dd

SHA1
7a2b604988ff086f497037df17f86216e4b6007c

SHA256
1c45511da584dcda3aae3e26488b58cb19d8f30ca65da08ec37623151df13227

SHA512
d87cde9058ed1dcf4c0cd031dcd67d91042c9d82872f46cff87961aa56e37b215c56fb4ab80839c2f7c5c0615a0b2cc89a01f277599d2891c04ea4853b027a1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8760cc4bc9dedcd5ec139322f4e3735c

SHA1
74180734807d08f04d5790620645503b2226eb4a

SHA256
4294785f223cc3ca547b5bcb4093e83b06e36675a357234300da6bf5ed8a65c3

SHA512
08d7427da13eb14e3fc144b351f527e50801d4b33259f7d470bfcbc55ebf2d4cbffa65ceb4ab4b22bb139dd956ba0e2ed5fe13fc36c46344f3919c06e30d4a61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3016d307691e5eaa4d7142ebe505e9b

SHA1
0ae901f18dcccadd8e4cb042584ca54ab804a7d3

SHA256
319980ecd8d6306b175414218b55864a4b39052e6d729bf457f4d4a3de84e670

SHA512
13ed64b10204a4b2d21de433c21460e8047bf28e0f48d13c5518564e3e041e8b9ba9c79bdd7e40cb2425e9609ef671e1cb70630723b5c61985a214a147274360

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02704a128bfb0f9abae15d384bc963e3

SHA1
b0a62b9e36e47a86592482cd8fc834c01e1690f5

SHA256
c930baf9739c60271d7dc9b511a6e8e30a7f52246942da40f455728ffa46f946

SHA512
0673df0c28cf503f021a063483ccf10838de7b81ad96ed0edb4234f86b112ed5301eac89f68de724c7baec19b6fb4694745bc313f05874036968114ba6fb5968

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0516f352d33402d3511eec7eb5dd6d4c

SHA1
72e6d10a4b0543f40dbd553ad41c4333012c20bb

SHA256
59b746960624ca6d73a6636bf7455ba45ca95a4500fa7b687dd21a4812040a64

SHA512
44fc4cdd0df5a136f9da9e03eaebd212806ea53bd75ca79c984293677919bedc07984de3ab6113b68a1dbcd54d1138e10045efee5192c725d7a2a4b808455337

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86c623dacdce864b292ce3b7b1669334

SHA1
fac5a146ea9f8d5c12c99d273cd041ab1af2ca44

SHA256
ddff4fedc4898024e817db59919501878a6d2c361b7636ac7bb140090067fabb

SHA512
b64a742bd7e5d31643e3accd5a283ba009795fe8deddd0ef52023c8ffe86eca32ec6472e6e96670d5cf2a8adf97dcc9136675edd0179081ce38c5dc6ab512568

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69a72eda17f56181e3e5e0e43ae731fd

SHA1
08b42f838efb7e5c3dd3c196c619b11c56b20409

SHA256
a9ea82e2eb88e04f6f1179ab4ecfdce108e19b6cb4b10a205d8719329ef31257

SHA512
c81132febae3a55565f3672039bd988a28afdc3e068108ebb46a35a78950ee1bfcfacd5cf7d9bc65901fc94492e53d1e38ecdcee163e01774945512ca28969dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6382fb1c59bc2ec1c782c4405d385e5

SHA1
bbd3728912002b4d315c358dc964a808f25d9c93

SHA256
dcccbe7927f953ac3635aa43e28f14722bc05d1c62ed14f6c41db08d09843e8e

SHA512
07b13337d00e39668e7246762eafe710e693dcebf602131c95bd281a826b9a9f530581c79b2da648adeaded8375d58d1d0ccf7f91ae9223817d9701b44311a15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
409ab4a81d62690e3a1e6ee19310ac69

SHA1
a1287923c86e8aa7bc400e4448a82e6122d3ae4f

SHA256
9ae8d44bb9c90e7e58695060ff6ce126136e9a6942be715e4d54791319bc1c98

SHA512
d9ca2fe666bd00202e1a08b03102ec7c2bfc6003b22500650ef20572140bd95851cac4c82a8bb7d57f788e708f8251a3ea493bfff722c045f50def6e9d19dabd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE85E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE92D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2108-5-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2240-2-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2240-12-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2240-15-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2240-16-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2240-8-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2240-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2240-4-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2240-6-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2240-7-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2240-9-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2460-11-0x0000000000060000-0x000000000011B000-memory.dmp

Filesize
748KB

Download