modiloader | ce4625b42cf8f73d54b9c511fda207b68854debd8f2340d1d76113d9c03e893a

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe
Size

57KB
MD5

f3e0c7308f933365b61bb899ec2f2c43
SHA1

e1c651107b06ded92183b27e349a2e403574ad31
SHA256

ce4625b42cf8f73d54b9c511fda207b68854debd8f2340d1d76113d9c03e893a
SHA512

48407def86dccb9a570d156f64542af7371d11d7c0b22ec4815041cb940df38eeb7225b376e766356c7e1a6dcf7ac7b0554eb3ca1ec9628e5f9d29723df0653f
SSDEEP

768:1IRbFW5xQO+/JVHRo71DuSV7pNzkoT7wxeu5qBcE7JhC4z/3KKnDw239q+/bZ43i:OsqFtRq1DuS5zhwxeuc5jzyPGmi

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/392-6-0x0000000010000000-0x0000000010021000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2844	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.dll	f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 392 set thread context of 2380	392	f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 2380	392	f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe	29
PID 392 wrote to memory of 2380	392	f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe	29
PID 392 wrote to memory of 2380	392	f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe	29
PID 392 wrote to memory of 2380	392	f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe	29
PID 392 wrote to memory of 2380	392	f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe	29
PID 392 wrote to memory of 2380	392	f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe	29
PID 2380 wrote to memory of 2944	2380	f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2944	2380	f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2944	2380	f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2944	2380	f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2944	2380	f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2944	2380	f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2944	2380	f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe	30
PID 2380 wrote to memory of 2844	2380	f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe	32
PID 2380 wrote to memory of 2844	2380	f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe	32
PID 2380 wrote to memory of 2844	2380	f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe	32
PID 2380 wrote to memory of 2844	2380	f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe	32
PID 2944 wrote to memory of 2936	2944	cmd.exe	35
PID 2944 wrote to memory of 2936	2944	cmd.exe	35
PID 2944 wrote to memory of 2936	2944	cmd.exe	35
PID 2944 wrote to memory of 2936	2944	cmd.exe	35
PID 2944 wrote to memory of 2936	2944	cmd.exe	35
PID 2944 wrote to memory of 2936	2944	cmd.exe	35
PID 2944 wrote to memory of 2936	2944	cmd.exe	35
PID 2844 wrote to memory of 2636	2844	cmd.exe	34
PID 2844 wrote to memory of 2636	2844	cmd.exe	34
PID 2844 wrote to memory of 2636	2844	cmd.exe	34
PID 2844 wrote to memory of 2636	2844	cmd.exe	34

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2636	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Local\Temp\f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\259535322_install.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 C:\Windows\system32\f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.dll,InstallSB NtmsSvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\\259535649_selfdel.bat
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h "C:\Users\Admin\AppData\Local\Temp\f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259535322_install.bat

Filesize
112B

MD5
011d37e506cf2e584ad5e2669a1f09d3

SHA1
44b0ade138e4d2bc86afabb36f990a83b85ae4b4

SHA256
57e7e06bbfd3daf4deeddb37c34a30a13e6253cc0ff9cc9a7c042333f2109af9

SHA512
89dac1542da68368aceff596428fbdc5d7779453cf7072e91eeb2889c86301560ef320aa535b7406670400cc64c5e3feff64431309fed31f1a8da6915ef6599e

Download Submit
C:\Users\Admin\AppData\Local\Temp\259535649_selfdel.bat

Filesize
346B

MD5
6aa0fc0984968a6450e1dccbd6ad32ac

SHA1
e4323010a8845ca57028be8f608250f71a25d0c1

SHA256
ddec168c1d7863694646db0916cb02e8a9b332da73f2e108959dd7931022fe33

SHA512
fef18149102aac942fe0ed814e6bf1e5ac0d48e86dc6513f7aee242531c7e4aef81feb8ae19486ee6f184001a3295ec1280a56a26804a185c767ab54c8e7416e

Download Submit
C:\Windows\SysWOW64\f3e0c7308f933365b61bb899ec2f2c43_JaffaCakes118.dll

Filesize
20B

MD5
6551b8bf0ed982e15cc6022849e385f3

SHA1
54e502e3ebf60ee0dde3ed4eb556b742d0e22d5f

SHA256
e339144e57071fd9db78cc24e9c7302fc7f09162bbe743ead6241d9fecbb7196

SHA512
85a5cb9980020fada99aba6f8d727457ed676ab0ba206b4560f9168a6e6818f729ebf61882b28825bc2b9fb8f4113ed8f7393755c61f4d1ad05d4e4e8ebbc5e1

Download Submit
memory/392-0-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/392-6-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/392-1-0x00000000001B0000-0x00000000001D1000-memory.dmp

Filesize
132KB

Download
memory/2380-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2380-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2380-2-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2380-8-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2380-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2380-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download