modiloader | b8365315225a86f4d11d24877427a6c7a9fbc9a24e144a24a724e8d31619aaac

Analysis

max time kernel
13s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2e1f80169d5e59917834f62b74b87a9_JaffaCakes118.exe
Size

98KB
MD5

f2e1f80169d5e59917834f62b74b87a9
SHA1

2972647cfd802c2fd36b2a2b4d4fca9c9b4b2162
SHA256

b8365315225a86f4d11d24877427a6c7a9fbc9a24e144a24a724e8d31619aaac
SHA512

c0cc5238e67883e50dad4f2dbea56604253c3384a451ecf3b7c8e355f2367505380492acbc78a388af869bbf2b4d351d43d1db81fe8b18948243fae3e9795c9e
SSDEEP

3072:T3quciYGlphrMLTM+CbspEdEIASBMtw6RxmJxS:bcLGlPIM+ispEdjXBWRxSx

Score

10^/10

modiloader discovery trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/2528-7-0x0000000000010000-0x0000000000036000-memory.dmp	modiloader_stage2
behavioral1/memory/3048-12-0x0000000000010000-0x0000000000036000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
3048	apocalyps32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2528-0-0x0000000000010000-0x0000000000036000-memory.dmp	upx
behavioral1/memory/2528-7-0x0000000000010000-0x0000000000036000-memory.dmp	upx
behavioral1/memory/3048-9-0x0000000000010000-0x0000000000036000-memory.dmp	upx
behavioral1/files/0x000b000000012266-8.dat	upx
behavioral1/memory/3048-12-0x0000000000010000-0x0000000000036000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\apocalyps32.exe	f2e1f80169d5e59917834f62b74b87a9_JaffaCakes118.exe
File opened for modification	C:\Windows\apocalyps32.exe	f2e1f80169d5e59917834f62b74b87a9_JaffaCakes118.exe
File created	C:\Windows\apocalyps32.exe	apocalyps32.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apocalyps32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2e1f80169d5e59917834f62b74b87a9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 3048	2528	f2e1f80169d5e59917834f62b74b87a9_JaffaCakes118.exe	30
PID 2528 wrote to memory of 3048	2528	f2e1f80169d5e59917834f62b74b87a9_JaffaCakes118.exe	30
PID 2528 wrote to memory of 3048	2528	f2e1f80169d5e59917834f62b74b87a9_JaffaCakes118.exe	30
PID 2528 wrote to memory of 3048	2528	f2e1f80169d5e59917834f62b74b87a9_JaffaCakes118.exe	30
PID 3048 wrote to memory of 1476	3048	apocalyps32.exe	31
PID 3048 wrote to memory of 1476	3048	apocalyps32.exe	31
PID 3048 wrote to memory of 1476	3048	apocalyps32.exe	31
PID 3048 wrote to memory of 1476	3048	apocalyps32.exe	31

C:\Users\Admin\AppData\Local\Temp\f2e1f80169d5e59917834f62b74b87a9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2e1f80169d5e59917834f62b74b87a9_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\apocalyps32.exe
  -bs
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Program Files\Internet Explorer\iexplore.exe
    -bs
    3⤵
    PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\apocalyps32.exe

Filesize
98KB

MD5
f2e1f80169d5e59917834f62b74b87a9

SHA1
2972647cfd802c2fd36b2a2b4d4fca9c9b4b2162

SHA256
b8365315225a86f4d11d24877427a6c7a9fbc9a24e144a24a724e8d31619aaac

SHA512
c0cc5238e67883e50dad4f2dbea56604253c3384a451ecf3b7c8e355f2367505380492acbc78a388af869bbf2b4d351d43d1db81fe8b18948243fae3e9795c9e

Download Submit
memory/2528-0-0x0000000000010000-0x0000000000036000-memory.dmp

Filesize
152KB

Download
memory/2528-7-0x0000000000010000-0x0000000000036000-memory.dmp

Filesize
152KB

Download
memory/3048-9-0x0000000000010000-0x0000000000036000-memory.dmp

Filesize
152KB

Download
memory/3048-12-0x0000000000010000-0x0000000000036000-memory.dmp

Filesize
152KB

Download