modiloader | d29b0556e49fe17164f0f3e0016b9e5083ec1627c1d0406dd431659470ef6303

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d29b0556e49fe17164f0f3e0016b9e5083ec1627c1d0406dd431659470ef6303.exe
Size

967KB
MD5

d55a0b188884ef45eeef7dda636a6b62
SHA1

cb7d509630dc72b29df21b17331a6db91989e65f
SHA256

d29b0556e49fe17164f0f3e0016b9e5083ec1627c1d0406dd431659470ef6303
SHA512

ec1f489936b45faf27e761cb15efa3f11ea11c7d526a42ac831a7431ca0898f8975643ce7c60e1ddd8ccbe6f55a4c13c7630368284de39084eb6737c415ab7a1
SSDEEP

24576:1rNcbqhAPsRd94ccC1cKgTcn5SMVh9+p2u:RfhAkhXcC2KgTESuzm2

Score

10^/10

modiloader bootkit discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader First Stage 3 IoCs

resource	yara_rule
behavioral1/memory/2536-29-0x0000000000080000-0x00000000000DA000-memory.dmp	modiloader_stage1
behavioral1/memory/2536-32-0x0000000000080000-0x00000000000DA000-memory.dmp	modiloader_stage1
behavioral1/memory/2536-33-0x0000000000080000-0x00000000000DA000-memory.dmp	modiloader_stage1

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oskdsfzynC.url	Benedetto.exe.com

Executes dropped EXE 3 IoCs

pid	Process
2588	Benedetto.exe.com
2700	Benedetto.exe.com
2536	Benedetto.exe.com

Loads dropped DLL 3 IoCs

pid	Process
2720	cmd.exe
2588	Benedetto.exe.com
2700	Benedetto.exe.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JaffaCakes118_d29b0556e49fe17164f0f3e0016b9e5083ec1627c1d0406dd431659470ef6303.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Benedetto.exe.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2700 set thread context of 2536	2700	Benedetto.exe.com	37

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Benedetto.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Benedetto.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d29b0556e49fe17164f0f3e0016b9e5083ec1627c1d0406dd431659470ef6303.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Benedetto.exe.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2092	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2092	PING.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2588	Benedetto.exe.com
2588	Benedetto.exe.com
2588	Benedetto.exe.com
2700	Benedetto.exe.com
2700	Benedetto.exe.com
2700	Benedetto.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2588	Benedetto.exe.com
2588	Benedetto.exe.com
2588	Benedetto.exe.com
2700	Benedetto.exe.com
2700	Benedetto.exe.com
2700	Benedetto.exe.com

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 3036	2080	JaffaCakes118_d29b0556e49fe17164f0f3e0016b9e5083ec1627c1d0406dd431659470ef6303.exe	28
PID 2080 wrote to memory of 3036	2080	JaffaCakes118_d29b0556e49fe17164f0f3e0016b9e5083ec1627c1d0406dd431659470ef6303.exe	28
PID 2080 wrote to memory of 3036	2080	JaffaCakes118_d29b0556e49fe17164f0f3e0016b9e5083ec1627c1d0406dd431659470ef6303.exe	28
PID 2080 wrote to memory of 3036	2080	JaffaCakes118_d29b0556e49fe17164f0f3e0016b9e5083ec1627c1d0406dd431659470ef6303.exe	28
PID 2080 wrote to memory of 2608	2080	JaffaCakes118_d29b0556e49fe17164f0f3e0016b9e5083ec1627c1d0406dd431659470ef6303.exe	30
PID 2080 wrote to memory of 2608	2080	JaffaCakes118_d29b0556e49fe17164f0f3e0016b9e5083ec1627c1d0406dd431659470ef6303.exe	30
PID 2080 wrote to memory of 2608	2080	JaffaCakes118_d29b0556e49fe17164f0f3e0016b9e5083ec1627c1d0406dd431659470ef6303.exe	30
PID 2080 wrote to memory of 2608	2080	JaffaCakes118_d29b0556e49fe17164f0f3e0016b9e5083ec1627c1d0406dd431659470ef6303.exe	30
PID 2608 wrote to memory of 2720	2608	cmd.exe	32
PID 2608 wrote to memory of 2720	2608	cmd.exe	32
PID 2608 wrote to memory of 2720	2608	cmd.exe	32
PID 2608 wrote to memory of 2720	2608	cmd.exe	32
PID 2720 wrote to memory of 2848	2720	cmd.exe	33
PID 2720 wrote to memory of 2848	2720	cmd.exe	33
PID 2720 wrote to memory of 2848	2720	cmd.exe	33
PID 2720 wrote to memory of 2848	2720	cmd.exe	33
PID 2720 wrote to memory of 2588	2720	cmd.exe	34
PID 2720 wrote to memory of 2588	2720	cmd.exe	34
PID 2720 wrote to memory of 2588	2720	cmd.exe	34
PID 2720 wrote to memory of 2588	2720	cmd.exe	34
PID 2720 wrote to memory of 2092	2720	cmd.exe	35
PID 2720 wrote to memory of 2092	2720	cmd.exe	35
PID 2720 wrote to memory of 2092	2720	cmd.exe	35
PID 2720 wrote to memory of 2092	2720	cmd.exe	35
PID 2588 wrote to memory of 2700	2588	Benedetto.exe.com	36
PID 2588 wrote to memory of 2700	2588	Benedetto.exe.com	36
PID 2588 wrote to memory of 2700	2588	Benedetto.exe.com	36
PID 2588 wrote to memory of 2700	2588	Benedetto.exe.com	36
PID 2700 wrote to memory of 2536	2700	Benedetto.exe.com	37
PID 2700 wrote to memory of 2536	2700	Benedetto.exe.com	37
PID 2700 wrote to memory of 2536	2700	Benedetto.exe.com	37
PID 2700 wrote to memory of 2536	2700	Benedetto.exe.com	37
PID 2700 wrote to memory of 2536	2700	Benedetto.exe.com	37
PID 2700 wrote to memory of 2536	2700	Benedetto.exe.com	37

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d29b0556e49fe17164f0f3e0016b9e5083ec1627c1d0406dd431659470ef6303.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d29b0556e49fe17164f0f3e0016b9e5083ec1627c1d0406dd431659470ef6303.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\expand.exe
  expand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Sogni.xlm
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^RLOwHDcqeFrExqUNHlxnLMRVxwYxcqWVXNHUzuvYvVIaWxirXweuhnntUTGFEqEeIiGGzqzANvwPtnZqUVbzXQHmfCZAA$" Una.xlm
      4⤵
      System Location Discovery: System Language Discovery
      PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Benedetto.exe.com
      Benedetto.exe.com C
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Benedetto.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Benedetto.exe.com C
        5⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Benedetto.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Benedetto.exe.com
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2536
  - - C:\Windows\SysWOW64\PING.EXE
      ping JSMURNPT
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ricordate.xlm

Filesize
1.0MB

MD5
0d632f2cd30bb58747564d2ccba56852

SHA1
8354e1cce0ae7f5e5c010fd8d8fc95d4f6a7bf25

SHA256
427e7cb763a791d9ecdbb504ccd1066b48fd5c212de79665fc2d2fcaa19520e1

SHA512
6806d273b0e8af1a38929883dbe52004039b49a04638af98346025bffbb909f219ab4d5013320cfee5714739121b2854bfda46810c5b1aad360599b63ae360af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sogni.xlm

Filesize
318B

MD5
721eabbca90b2cdf19185a23ecbf3fc8

SHA1
02a254933b860ed7c86625c897f4de22734e2469

SHA256
433daa4dfba2f4b083d913945e8ac4c29fc235af4878396f7fc9b4e97e6c7ae4

SHA512
11ca0a578362f72cc5ef293b4cb0d7454eeb8b55fb4a6eb4c939809fa06aa78bf9402266e7e9995bd3e78de922105d9adcf03cb3eabc07d3f30bac46b226463a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Una.xlm

Filesize
872KB

MD5
0e6979e856547f4ab1c2ebb842d7d5f3

SHA1
7849fb74f845eea33a235552777f6882dd74bbae

SHA256
beda2839edc3179065dcad7d6cd4a9f68e1fb0e0bc41b0baf07d4ad7b159050c

SHA512
83ba7bd80b6ad21fb10a5f2f0b52f9b37c6874c3a84ba2aa4c9649a7038c7890f7222c925a608d9cfd4f81b420a2a587c12a5f29c8c0b93f4e39550d2ad3f554

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Benedetto.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/2536-27-0x0000000000080000-0x00000000000DA000-memory.dmp

Filesize
360KB

Download
memory/2536-28-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2536-29-0x0000000000080000-0x00000000000DA000-memory.dmp

Filesize
360KB

Download
memory/2536-32-0x0000000000080000-0x00000000000DA000-memory.dmp

Filesize
360KB

Download
memory/2536-33-0x0000000000080000-0x00000000000DA000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads