modiloader | 755f6ae84c6762aea0573a5137f8ee0343d4611fc67443ee9947d25b99f9addf

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_62b44587697da9bdcfb22a702e477ec0.exe
Size

92KB
MD5

62b44587697da9bdcfb22a702e477ec0
SHA1

9b8080dd2b5decd0951c7f515c0b73c6747bf9a8
SHA256

755f6ae84c6762aea0573a5137f8ee0343d4611fc67443ee9947d25b99f9addf
SHA512

f5f7e4c792627396f284a5f64096738a243318e4bad94f4919f1ab73fd0c18d23f93732381eee68c674d164d3db975f5ced0617d898701fb63b6b33e1912ad41
SSDEEP

1536:ooDzOJtnrMJl33H7vYuh0OjrfeqRpyD7nbHcR+kyTVRwUQ:vqJRIJl7YuOOfpyHnb8RkTVRwb

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/2112-5-0x0000000000400000-0x0000000000419000-memory.dmp	modiloader_stage2
behavioral1/files/0x0006000000019403-10.dat	modiloader_stage2
behavioral1/memory/2112-14-0x0000000000400000-0x0000000000419000-memory.dmp	modiloader_stage2

Loads dropped DLL 2 IoCs

pid	Process
2112	JaffaCakes118_62b44587697da9bdcfb22a702e477ec0.exe
2792	DllHost.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.dll	JaffaCakes118_62b44587697da9bdcfb22a702e477ec0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.dll	JaffaCakes118_62b44587697da9bdcfb22a702e477ec0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp	JaffaCakes118_62b44587697da9bdcfb22a702e477ec0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp	JaffaCakes118_62b44587697da9bdcfb22a702e477ec0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_62b44587697da9bdcfb22a702e477ec0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2792	DllHost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2792	DllHost.exe
2792	DllHost.exe
2112	JaffaCakes118_62b44587697da9bdcfb22a702e477ec0.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62b44587697da9bdcfb22a702e477ec0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62b44587697da9bdcfb22a702e477ec0.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2112

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{21BED8CE-D519-492F-9B9B-61EDDB7DA0F4}0.jpg

Filesize
17KB

MD5
4d81541c4815d3706b1db162488528bd

SHA1
0dee46dfed6286fb4c89d002e36f3a4f6378b518

SHA256
8eacf81fa0e7d72925a3448d09df2e3c2efc4fa674ebff5da35637c888583f66

SHA512
baf733611c14164150e3b6410aaa0f4f54e15e52ff32e6ab9bedef1aacd047243efb024926b56866f90a1e39d938a421597fba3a0fcdf122d56119f546a984e0

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\SysInfo.wmp

Filesize
45KB

MD5
d3379b9e5e37d567a9d7a2f04181da32

SHA1
b5fb36e241daaba1d2a7794ddd98eb01e05b4af3

SHA256
aac6634b19056f879d41ec9c32b1b347dab7d916ae1d01f3b6b2521bd3fc1cfc

SHA512
4072eec307aa5045a6de9ba182aeff885dc411b5d2ef1adcb4d616c83cb442731253470199fdcbdf0f681cf1949a3bcdc2e587a171e047e0ee423889c5307c3a

Download Submit
memory/2112-1-0x0000000003250000-0x0000000003252000-memory.dmp

Filesize
8KB

Download
memory/2112-5-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2112-14-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2792-2-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2792-3-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2792-6-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download