modiloader | 941589d10a1999b6e54ed89429608561367ac3b0b6640560171186e2405d8c10

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe
Size

332KB
MD5

63e7a822efca9542556fbfd0349b3170
SHA1

104b8bca0822cfe803f359629308c7069ccefd4f
SHA256

941589d10a1999b6e54ed89429608561367ac3b0b6640560171186e2405d8c10
SHA512

71473092078f99381b100a1df81235f1ddb6abab932354a328341bbf22c6aa2ee9ec62ce5551900ebb99b258cb54d2a2582888eb54abacbbdea111e9f093512a
SSDEEP

1536:c1DMz1DQvXLq6t7awFONecenlLnQHIG5R9c73P600tFnc9cenC3P600aLnQHIG5+:9eGw9A0rC00tm8C00MAKrc00bE

Score

10^/10

modiloader discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/2796-772-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/2900-1490-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

Executes dropped EXE 8 IoCs

pid	Process
2768	svhust.exe
2796	svhust.exe
2316	svhust.exe
2008	AdobeART.exe
2656	AdobeART.exe
1596	svhust.exe
2220	svhust.exe
2900	svhust.exe

Loads dropped DLL 9 IoCs

pid	Process
812	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe
812	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe
812	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe
812	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe
2796	svhust.exe
2796	svhust.exe
2656	AdobeART.exe
2656	AdobeART.exe
2656	AdobeART.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhust = "C:\\Users\\Admin\\AppData\\Roaming\\svhust\\svhust.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeART = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeART.exe"	svhust.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2204 set thread context of 812	2204	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe	30
PID 2768 set thread context of 2316	2768	svhust.exe	35
PID 2768 set thread context of 2796	2768	svhust.exe	36
PID 2008 set thread context of 2656	2008	AdobeART.exe	38
PID 1596 set thread context of 2220	1596	svhust.exe	40
PID 1596 set thread context of 2900	1596	svhust.exe	41

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/812-360-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2316-773-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2796-772-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/812-776-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2900-1478-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2656-1483-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2316-1487-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2220-1489-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2900-1490-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhust.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeART.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeART.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhust.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhust.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhust.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhust.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhust.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2316	svhust.exe
Token: SeDebugPrivilege	2220	svhust.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2204	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe
812	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe
2768	svhust.exe
2316	svhust.exe
2008	AdobeART.exe
2656	AdobeART.exe
1596	svhust.exe
2220	svhust.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 812	2204	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe	30
PID 2204 wrote to memory of 812	2204	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe	30
PID 2204 wrote to memory of 812	2204	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe	30
PID 2204 wrote to memory of 812	2204	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe	30
PID 2204 wrote to memory of 812	2204	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe	30
PID 2204 wrote to memory of 812	2204	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe	30
PID 2204 wrote to memory of 812	2204	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe	30
PID 2204 wrote to memory of 812	2204	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe	30
PID 812 wrote to memory of 3068	812	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe	31
PID 812 wrote to memory of 3068	812	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe	31
PID 812 wrote to memory of 3068	812	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe	31
PID 812 wrote to memory of 3068	812	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe	31
PID 3068 wrote to memory of 2848	3068	cmd.exe	33
PID 3068 wrote to memory of 2848	3068	cmd.exe	33
PID 3068 wrote to memory of 2848	3068	cmd.exe	33
PID 3068 wrote to memory of 2848	3068	cmd.exe	33
PID 812 wrote to memory of 2768	812	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe	34
PID 812 wrote to memory of 2768	812	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe	34
PID 812 wrote to memory of 2768	812	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe	34
PID 812 wrote to memory of 2768	812	JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe	34
PID 2768 wrote to memory of 2316	2768	svhust.exe	35
PID 2768 wrote to memory of 2316	2768	svhust.exe	35
PID 2768 wrote to memory of 2316	2768	svhust.exe	35
PID 2768 wrote to memory of 2316	2768	svhust.exe	35
PID 2768 wrote to memory of 2316	2768	svhust.exe	35
PID 2768 wrote to memory of 2316	2768	svhust.exe	35
PID 2768 wrote to memory of 2316	2768	svhust.exe	35
PID 2768 wrote to memory of 2316	2768	svhust.exe	35
PID 2768 wrote to memory of 2796	2768	svhust.exe	36
PID 2768 wrote to memory of 2796	2768	svhust.exe	36
PID 2768 wrote to memory of 2796	2768	svhust.exe	36
PID 2768 wrote to memory of 2796	2768	svhust.exe	36
PID 2768 wrote to memory of 2796	2768	svhust.exe	36
PID 2768 wrote to memory of 2796	2768	svhust.exe	36
PID 2768 wrote to memory of 2796	2768	svhust.exe	36
PID 2768 wrote to memory of 2796	2768	svhust.exe	36
PID 2796 wrote to memory of 2008	2796	svhust.exe	37
PID 2796 wrote to memory of 2008	2796	svhust.exe	37
PID 2796 wrote to memory of 2008	2796	svhust.exe	37
PID 2796 wrote to memory of 2008	2796	svhust.exe	37
PID 2008 wrote to memory of 2656	2008	AdobeART.exe	38
PID 2008 wrote to memory of 2656	2008	AdobeART.exe	38
PID 2008 wrote to memory of 2656	2008	AdobeART.exe	38
PID 2008 wrote to memory of 2656	2008	AdobeART.exe	38
PID 2008 wrote to memory of 2656	2008	AdobeART.exe	38
PID 2008 wrote to memory of 2656	2008	AdobeART.exe	38
PID 2008 wrote to memory of 2656	2008	AdobeART.exe	38
PID 2008 wrote to memory of 2656	2008	AdobeART.exe	38
PID 2656 wrote to memory of 1596	2656	AdobeART.exe	39
PID 2656 wrote to memory of 1596	2656	AdobeART.exe	39
PID 2656 wrote to memory of 1596	2656	AdobeART.exe	39
PID 2656 wrote to memory of 1596	2656	AdobeART.exe	39
PID 1596 wrote to memory of 2220	1596	svhust.exe	40
PID 1596 wrote to memory of 2220	1596	svhust.exe	40
PID 1596 wrote to memory of 2220	1596	svhust.exe	40
PID 1596 wrote to memory of 2220	1596	svhust.exe	40
PID 1596 wrote to memory of 2220	1596	svhust.exe	40
PID 1596 wrote to memory of 2220	1596	svhust.exe	40
PID 1596 wrote to memory of 2220	1596	svhust.exe	40
PID 1596 wrote to memory of 2220	1596	svhust.exe	40
PID 1596 wrote to memory of 2900	1596	svhust.exe	41
PID 1596 wrote to memory of 2900	1596	svhust.exe	41
PID 1596 wrote to memory of 2900	1596	svhust.exe	41
PID 1596 wrote to memory of 2900	1596	svhust.exe	41

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63e7a822efca9542556fbfd0349b3170.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\OERNL.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "svhust" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhust\svhust.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2848
- - C:\Users\Admin\AppData\Roaming\svhust\svhust.exe
    "C:\Users\Admin\AppData\Roaming\svhust\svhust.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Users\Admin\AppData\Roaming\svhust\svhust.exe
      "C:\Users\Admin\AppData\Roaming\svhust\svhust.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2316
  - - C:\Users\Admin\AppData\Roaming\svhust\svhust.exe
      "C:\Users\Admin\AppData\Roaming\svhust\svhust.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Users\Admin\AppData\Roaming\AdobeART.exe
        
        "C:\Users\Admin\AppData\Roaming\AdobeART.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2008
      - C:\Users\Admin\AppData\Roaming\AdobeART.exe
        
        "C:\Users\Admin\AppData\Roaming\AdobeART.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Users\Admin\AppData\Roaming\svhust\svhust.exe
        
        "C:\Users\Admin\AppData\Roaming\svhust\svhust.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\svhust\svhust.exe
        
        "C:\Users\Admin\AppData\Roaming\svhust\svhust.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Users\Admin\AppData\Roaming\svhust\svhust.exe
        
        "C:\Users\Admin\AppData\Roaming\svhust\svhust.exe"
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OERNL.bat

Filesize
141B

MD5
e83a2e0b3c1e03dfb96ffd9924117a45

SHA1
27a3e4ba115ba1bad0bf094f5b97e768d1ece33e

SHA256
655407d94fff9e707712a588d97a2017cc1c9d690a67c688ed0abcb79e452b13

SHA512
5f61686a3b7db3544d83a4f2ce1a75868c7dc266709f72a34eafecc3a26696a985b1912a559aed8f5a2cacbfe26be9beae2374340d1801bb18473de785557480

Download Submit
\Users\Admin\AppData\Roaming\svhust\svhust.exe

Filesize
332KB

MD5
b4a9f38fdc4cd9540d20b8db0eccff9a

SHA1
e6b18ae7a4f482fa39e965971fdd8e24db63ac52

SHA256
7ba73e546493e7fed8c156a672d16f57562e55a136acb7169ddbb978b594f3dc

SHA512
05c1bf5829a96ede45ac52d351f18cfd7105a3fd346db937172cb0baac15c66ba88eb88387485dad028a56a133654c36ae99308862323918ac45529397acfd61

Download Submit
memory/812-360-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/812-776-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2204-10-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2204-346-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/2204-4-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2204-16-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2204-20-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2204-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2220-1489-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2316-773-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2316-1487-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2656-1483-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2796-772-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2900-1478-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2900-1490-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads