modiloader | ffd62d08d9c05e8338e57004173042c3b04ae956806147c8cf2e8212f575d0fd

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe
Size

133KB
MD5

6c2f3538f66b754ec7440bed170592c0
SHA1

beb68651e7a4c23dcd47954ce4a08e848f618afc
SHA256

ffd62d08d9c05e8338e57004173042c3b04ae956806147c8cf2e8212f575d0fd
SHA512

41320f0e7c8e33af56f6c7ee2343fa40e49b3d79cf0ab4e9408cdeda0ad86eea29c3c06be93b3f36662ca0b2faf6dd1e7fedd23c7858a3e0f278348418d27aa7
SSDEEP

1536:yclMrS21aBfHHjS/9HCdRJ6fni0GgmDf3DHPw3nHtnckh/yi0m2DINg:XlMrSNh89HCdRqi01GfrK7/2m2DIN

Score

10^/10

modiloader defense_evasion discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 9 IoCs

resource	yara_rule
behavioral1/memory/1448-58-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral1/memory/1448-60-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral1/memory/1448-62-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral1/memory/1448-64-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral1/memory/1448-66-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral1/memory/1448-68-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral1/memory/1448-70-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral1/memory/1448-69-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral1/memory/1448-72-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\KNGzR = "C:\\Users\\Admin\\AppData\\Roaming\\yPSjS.exe"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1796 set thread context of 2500	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	36
PID 1796 set thread context of 1448	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	39

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\yPSjS.exe:ZONE.identifier	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\yPSjS.exe:ZONE.identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2500	vbc.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2756	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	30
PID 1796 wrote to memory of 2756	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	30
PID 1796 wrote to memory of 2756	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	30
PID 1796 wrote to memory of 2756	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	30
PID 2756 wrote to memory of 2924	2756	vbc.exe	32
PID 2756 wrote to memory of 2924	2756	vbc.exe	32
PID 2756 wrote to memory of 2924	2756	vbc.exe	32
PID 2756 wrote to memory of 2924	2756	vbc.exe	32
PID 1796 wrote to memory of 2804	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	33
PID 1796 wrote to memory of 2804	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	33
PID 1796 wrote to memory of 2804	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	33
PID 1796 wrote to memory of 2804	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	33
PID 2804 wrote to memory of 2676	2804	vbc.exe	35
PID 2804 wrote to memory of 2676	2804	vbc.exe	35
PID 2804 wrote to memory of 2676	2804	vbc.exe	35
PID 2804 wrote to memory of 2676	2804	vbc.exe	35
PID 1796 wrote to memory of 2500	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	36
PID 1796 wrote to memory of 2500	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	36
PID 1796 wrote to memory of 2500	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	36
PID 1796 wrote to memory of 2500	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	36
PID 1796 wrote to memory of 2500	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	36
PID 1796 wrote to memory of 2500	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	36
PID 1796 wrote to memory of 2500	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	36
PID 1796 wrote to memory of 2500	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	36
PID 1796 wrote to memory of 2500	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	36
PID 1796 wrote to memory of 3004	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	37
PID 1796 wrote to memory of 3004	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	37
PID 1796 wrote to memory of 3004	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	37
PID 1796 wrote to memory of 3004	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	37
PID 1796 wrote to memory of 1448	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	39
PID 1796 wrote to memory of 1448	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	39
PID 1796 wrote to memory of 1448	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	39
PID 1796 wrote to memory of 1448	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	39
PID 1796 wrote to memory of 1448	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	39
PID 1796 wrote to memory of 1448	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	39
PID 1796 wrote to memory of 1448	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	39
PID 1796 wrote to memory of 1448	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	39
PID 1796 wrote to memory of 1448	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	39
PID 1796 wrote to memory of 1448	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	39
PID 1796 wrote to memory of 1448	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	39
PID 1796 wrote to memory of 1448	1796	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	39

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2wvvrk_v.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8650.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc864F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2924
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tz-yuwoa.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES875A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8759.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2676
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2500
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2wvvrk_v.0.vb

Filesize
256B

MD5
9f362c5084b0126d5460310d3353d13e

SHA1
8617abc0a8c22a109b52e2e3c85b4400ed04b40e

SHA256
83ef5a38a9ddf6fcb030ef4f4f63c0e989a49c83691f18b07f851bf35544f2d0

SHA512
9f701a8cec9297f50533ee6cf72851f2400bc777013b663cacea1b531801446d08ffc9a3f5d120b7e81a0f363c7421b9c2103e26be6606f7fe29de3107c4cbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wvvrk_v.cmdline

Filesize
317B

MD5
059c2cca4319aa362dc116e64587aefe

SHA1
0939370a18f8ed66ad9d8e7cdcc10519a65dc67a

SHA256
b2d2460272470315de2072f0f06ee19e5e7fcb512624be1555743a4c03456216

SHA512
82ad78b12accdd032bd7e265debbcd17168f43a7e66debfbf40683359874f163f3ed80d4ef8b9a1523512e11a29868eb020738b5e8080479c1f230a1ed5a8d2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wvvrk_v.dll

Filesize
6KB

MD5
13afb8416241661603287b30196e1b7e

SHA1
7814bcb1c82377995aa1f8735ea5ffeeca06f31e

SHA256
ac83d72e9e2ae341fe27f5470ddad84f10ad9979a05c28e4ba31c6943c60d39e

SHA512
aeeb939538c0f2d1156f8d7d56649fb78828cc6aa13a6a635b3006c66e58ce0fe1ec7a16a170f06c6029523a6d5f7117ea430360c6a1da789dd6884ccab941b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8650.tmp

Filesize
1KB

MD5
09de04820c8a6f7d4047358295080b70

SHA1
23bf51b53b5f2f73cdcc6329e0cf7ae3002fd236

SHA256
51b80aac50685fd0b933d1925319095dfea691d5270b5cc1a4a4fd968ee739fd

SHA512
de58b0702338bd6fc67a3511adedea5358010562543024dc2c0946c749a770b1df98a2c0f8362685880f28ef394c62b7c5a8789cbe25432858b7d65589b7549d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES875A.tmp

Filesize
1KB

MD5
7ea23b3b265e0af8182d05ae5cb07078

SHA1
1fb77310177be6b7ab93fb53e90d92830e5e3430

SHA256
0ecfafac56d6d475dbfadad46dba054fd9151b547ea20e680a342317e8153dad

SHA512
996a10a9aca9bbb5d7f4326a2b24e3af7a1c4e57ed082ec021da3d3bd9ad6d1940aed4fd42e2687f7b3ec2736b608b0232718998866229df083c80619948f53d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tz-yuwoa.cmdline

Filesize
317B

MD5
d5a3fcb4744cfd9e5836a86456820c95

SHA1
9d32f9ceb9ad4a7a99dd7e9ececbc93e863fa66f

SHA256
3fc9bc058e26721ea011c2082f833b8e307fa1104394ee4c3a91dc3e86001af8

SHA512
cf63a176b56c338b1b6ddb91f16cd02189d67ff5390e6c4b3c1c6da9fb8d01705c522eceb6327df6046c99279efdef6e6a0ff62657cdb5a5bfa3d85719763f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tz-yuwoa.dll

Filesize
6KB

MD5
2ff70d2a6cb501625995fdd5a2476069

SHA1
337824030e9e4433755bc2839fc8884336b13fca

SHA256
4f9ef30f6d9e2346daad04bb56c3122e137a12cada263dfa31dc58820a1839b4

SHA512
e2af94faf04a5aad046fd057914311a54e9bd2ea0f43c912ddea4ec639ae75db24870f58430bbf0b5f1e62f422ae49ed02e7f3ac708bc690e0cd5f063687d1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc864F.tmp

Filesize
652B

MD5
ee78c6fda3d1e6fde0d55b2b17d9474a

SHA1
115d5bd5f97fc763a59801c6d71f703947365280

SHA256
d0bee848fa881c969a55a3c7e411fca337a6977afee0b3c189118093d2a6f915

SHA512
01a889f7a999447c1b4173d522c9c7155ea1fb64885d0a970fbe1e5412bb51fdcd18174b2e0ff2f92adbc2717675c7ac7dc32ebe05605fb607695be9e786eafc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8759.tmp

Filesize
652B

MD5
e7fdad2ce1bd7a69a50dc6330ab3cad6

SHA1
1889de9a5dae549089ee799d9801c45c8fe6be88

SHA256
523766a6a1b265d95559e6b4f565216db5efe099921a50709d66d634c9854b73

SHA512
4c7a85797275bdd3eaa8503376a541a4417132a4f1f1e3051476c41efd5261cefe44012773e835c853ace4967542a6b8046b7468956ccb35b91302a936b1c248

Download Submit
C:\Users\Admin\AppData\Roaming\fp.txt

Filesize
98B

MD5
29f4345363b8e3d4f976a3a8943d3aa4

SHA1
deeadd588e36328fd04e8190916c49129080cb0d

SHA256
747c7d7fe14460a4f3cb8931d5f38228834e23d0ddb468ef6082719d1339936b

SHA512
33fa9b372c88e2ea026490c8b264a8d182b61b98af5ed56f87a0f300743bc78490b3da2dc987cc82c2579f07a842fa93e34b76dda7249dac6e7e4e94a6ee0caa

Download Submit
C:\Users\Admin\AppData\Roaming\yPSjS.exe:ZONE.identifier

Filesize
27B

MD5
130a75a932a2fe57bfea6a65b88da8f6

SHA1
b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c

SHA256
f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e

SHA512
6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

Download Submit
memory/1448-70-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1448-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1448-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1448-72-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1448-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1448-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1448-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1448-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1448-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1448-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1448-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1796-2-0x0000000073D40000-0x00000000742EB000-memory.dmp

Filesize
5.7MB

Download
memory/1796-0-0x0000000073D41000-0x0000000073D42000-memory.dmp

Filesize
4KB

Download
memory/1796-71-0x0000000073D40000-0x00000000742EB000-memory.dmp

Filesize
5.7MB

Download
memory/1796-1-0x0000000073D40000-0x00000000742EB000-memory.dmp

Filesize
5.7MB

Download
memory/2500-38-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2500-50-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2500-44-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2500-43-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2500-42-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2500-37-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2500-34-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2756-16-0x0000000073D40000-0x00000000742EB000-memory.dmp

Filesize
5.7MB

Download
memory/2756-7-0x0000000073D40000-0x00000000742EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads