modiloader | 1b3fadc458c740215d96904cbd3be13bd5cc0664d9318016bc0bf17cb1ee9c58

Analysis

max time kernel
95s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f50868f65ddb1b12178bb7c7d4e4b3ec_JaffaCakes118.exe
Size

152KB
MD5

f50868f65ddb1b12178bb7c7d4e4b3ec
SHA1

e0cefd600294779b6886332b151faa30862007de
SHA256

1b3fadc458c740215d96904cbd3be13bd5cc0664d9318016bc0bf17cb1ee9c58
SHA512

fc05dd6f5d27ad250c812a6f8fc32fa4c525d9af13f4d127120d9962122e74b8520443903d239e038532c4d7c63d60afcaa4124f63c706934e9234c1d46291d3
SSDEEP

1536:a6E47mqYUQp7cIYp2SuNXqAtUsDEIa5Q5ENksepHpq2t0raJJjnMmXAv:a6GU2cIYpIXbaI+Q5eCpHpq2t0EjMmwv

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/4076-9-0x00000000009D0000-0x00000000009EF000-memory.dmp	modiloader_stage2
behavioral2/memory/4076-11-0x00000000009D0000-0x00000000009EF000-memory.dmp	modiloader_stage2

Loads dropped DLL 2 IoCs

pid	Process
4076	f50868f65ddb1b12178bb7c7d4e4b3ec_JaffaCakes118.exe
4076	f50868f65ddb1b12178bb7c7d4e4b3ec_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\atmQQ2.dll	f50868f65ddb1b12178bb7c7d4e4b3ec_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f50868f65ddb1b12178bb7c7d4e4b3ec_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4076	f50868f65ddb1b12178bb7c7d4e4b3ec_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f50868f65ddb1b12178bb7c7d4e4b3ec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f50868f65ddb1b12178bb7c7d4e4b3ec_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\MSInfo\atmQQ2.dll

Filesize
25KB

MD5
ceb758b473c9783a3237df80a2df5fbe

SHA1
2d13e557e00df7b6ccb4324229ed71a6b6fb309f

SHA256
72241d2f9e7981f55db01f0c561277a56c9ec01e4fb430b5e9406e4f512d32dc

SHA512
425666da44b76958f2da870f8ae65506c3c6dea23ce10c1cdd588ab05ffb989e6e2b1413cf95b9717f8a25159fc6e1ee30f2f9449d3598fbda6806ea1730f570

Download Submit
memory/4076-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4076-6-0x00000000009D0000-0x00000000009EF000-memory.dmp

Filesize
124KB

Download
memory/4076-8-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/4076-9-0x00000000009D0000-0x00000000009EF000-memory.dmp

Filesize
124KB

Download
memory/4076-10-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4076-11-0x00000000009D0000-0x00000000009EF000-memory.dmp

Filesize
124KB

Download
memory/4076-12-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download