modiloader | 1a44c7aaab3241a17b5eee3c8de4ad31529eef7fbdf0f4ac71d8487a37bbf194

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcb384acff1cfd7e4e2a48b718e366af_JaffaCakes118.exe
Size

129KB
MD5

fcb384acff1cfd7e4e2a48b718e366af
SHA1

2e32a791ec31fb5b0b48fa5e480be5ac7de6b211
SHA256

1a44c7aaab3241a17b5eee3c8de4ad31529eef7fbdf0f4ac71d8487a37bbf194
SHA512

0529c9f71b2af92a446997f851088f87a88791aa1799516f3023e52943376c7fb936e6a0f1f274025a75cb6d08314379c4c8a2e83a4ca3846538138b70e79764
SSDEEP

1536:pbVUj1vrDLyUXhB/qRPJC08fqhGulxEuroRMx6oLtGztaI42aqS004Aaia8NYxcj:zO1jywv/iP3cjMNGBaIos04AaiFNOhg

Score

10^/10

modiloader discovery evasion trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/2804-12-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	fcb384acff1cfd7e4e2a48b718e366af_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2804	Decrypted.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Decrypted.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023b3b-6.dat	upx
behavioral2/memory/2804-10-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/2804-12-0x0000000000400000-0x0000000000450000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcb384acff1cfd7e4e2a48b718e366af_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Decrypted.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	Decrypted.exe
Token: SeBackupPrivilege	1136	vssvc.exe
Token: SeRestorePrivilege	1136	vssvc.exe
Token: SeAuditPrivilege	1136	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2804	Decrypted.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4468	fcb384acff1cfd7e4e2a48b718e366af_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 2804	4468	fcb384acff1cfd7e4e2a48b718e366af_JaffaCakes118.exe	83
PID 4468 wrote to memory of 2804	4468	fcb384acff1cfd7e4e2a48b718e366af_JaffaCakes118.exe	83
PID 4468 wrote to memory of 2804	4468	fcb384acff1cfd7e4e2a48b718e366af_JaffaCakes118.exe	83

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fcb384acff1cfd7e4e2a48b718e366af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fcb384acff1cfd7e4e2a48b718e366af_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Users\Admin\AppData\Local\Temp\Decrypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Decrypted.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Decrypted.exe

Filesize
109KB

MD5
23a2df9e6ed91a2ba64069e9f73c20e0

SHA1
403ad5b7363f22d765f887cb63b04db8cede4d2f

SHA256
d4af3e43f84ba80a463cafabf7c0af356f5fddfa183d1fa495791ff14eec8fa9

SHA512
98b23730f288c7440badcc9e3156a0f5edbd48894cccb4621ff0405bfb7f73e495d33264752e67291b0af3b8d87a4cb6e0186abfd9664f3e628702f5e83f1480

Download Submit
memory/2804-10-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2804-11-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/2804-12-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads