modiloader | ffd62d08d9c05e8338e57004173042c3b04ae956806147c8cf2e8212f575d0fd

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe
Size

133KB
MD5

6c2f3538f66b754ec7440bed170592c0
SHA1

beb68651e7a4c23dcd47954ce4a08e848f618afc
SHA256

ffd62d08d9c05e8338e57004173042c3b04ae956806147c8cf2e8212f575d0fd
SHA512

41320f0e7c8e33af56f6c7ee2343fa40e49b3d79cf0ab4e9408cdeda0ad86eea29c3c06be93b3f36662ca0b2faf6dd1e7fedd23c7858a3e0f278348418d27aa7
SSDEEP

1536:yclMrS21aBfHHjS/9HCdRJ6fni0GgmDf3DHPw3nHtnckh/yi0m2DINg:XlMrSNh89HCdRqi01GfrK7/2m2DIN

Score

10^/10

modiloader defense_evasion discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral2/memory/3124-49-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/3124-51-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/3124-53-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/3124-54-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KNGzR = "C:\\Users\\Admin\\AppData\\Roaming\\yPSjS.exe"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2848 set thread context of 808	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	88
PID 2848 set thread context of 3124	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	91

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\yPSjS.exe:ZONE.identifier	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\yPSjS.exe:ZONE.identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
808	vbc.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 628	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	82
PID 2848 wrote to memory of 628	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	82
PID 2848 wrote to memory of 628	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	82
PID 628 wrote to memory of 3760	628	vbc.exe	84
PID 628 wrote to memory of 3760	628	vbc.exe	84
PID 628 wrote to memory of 3760	628	vbc.exe	84
PID 2848 wrote to memory of 2136	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	85
PID 2848 wrote to memory of 2136	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	85
PID 2848 wrote to memory of 2136	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	85
PID 2136 wrote to memory of 4612	2136	vbc.exe	87
PID 2136 wrote to memory of 4612	2136	vbc.exe	87
PID 2136 wrote to memory of 4612	2136	vbc.exe	87
PID 2848 wrote to memory of 808	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	88
PID 2848 wrote to memory of 808	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	88
PID 2848 wrote to memory of 808	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	88
PID 2848 wrote to memory of 808	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	88
PID 2848 wrote to memory of 808	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	88
PID 2848 wrote to memory of 808	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	88
PID 2848 wrote to memory of 808	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	88
PID 2848 wrote to memory of 808	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	88
PID 2848 wrote to memory of 1228	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	89
PID 2848 wrote to memory of 1228	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	89
PID 2848 wrote to memory of 1228	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	89
PID 2848 wrote to memory of 3124	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	91
PID 2848 wrote to memory of 3124	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	91
PID 2848 wrote to memory of 3124	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	91
PID 2848 wrote to memory of 3124	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	91
PID 2848 wrote to memory of 3124	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	91
PID 2848 wrote to memory of 3124	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	91
PID 2848 wrote to memory of 3124	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	91
PID 2848 wrote to memory of 3124	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	91
PID 2848 wrote to memory of 3124	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	91
PID 2848 wrote to memory of 3124	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	91
PID 2848 wrote to memory of 3124	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	91
PID 2848 wrote to memory of 3124	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	91
PID 2848 wrote to memory of 3124	2848	JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe	91

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c2f3538f66b754ec7440bed170592c0.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q7mdngtu.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB66F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3170252C3BB14F74862EF095F45BBE6.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3760
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yklwbter.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB779.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc84DB4EEFA6CE4E3F9240948B5D472436.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4612
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:808
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:1228
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB66F.tmp

Filesize
1KB

MD5
885d54a1f6308d2946227cd73f22d8b0

SHA1
92f3c67390bafd1659f7df3ca9fce1216a65b004

SHA256
87c4191946f5463482d308a093334025fd9a7fb01ac9b3139d94c0b404a4767c

SHA512
4774564e622fa7cd60dd5edc98babd98482dbc7f15f9526b3083876a140f054f289b290427445ffd5581a4c9f73857c648e1f5be782d22691b6a8fdc4b7766a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB779.tmp

Filesize
1KB

MD5
10a0b10885254139aea418a0cc4e4891

SHA1
ff7ee07a5d3b30c5d48abd907540b443db03e149

SHA256
deb99053bef17a12babfa1d1defc1a1453a113717269c4d06d37566053a8b340

SHA512
0f50e2e3066c7c93eed935f22c8a31e0329c8f1b93220e5883f42a8b95c0c7572a050f65bc3a2594562539480cc68b9da776e4570a65de313f2193cc3301e316

Download Submit
C:\Users\Admin\AppData\Local\Temp\q7mdngtu.0.vb

Filesize
256B

MD5
9f362c5084b0126d5460310d3353d13e

SHA1
8617abc0a8c22a109b52e2e3c85b4400ed04b40e

SHA256
83ef5a38a9ddf6fcb030ef4f4f63c0e989a49c83691f18b07f851bf35544f2d0

SHA512
9f701a8cec9297f50533ee6cf72851f2400bc777013b663cacea1b531801446d08ffc9a3f5d120b7e81a0f363c7421b9c2103e26be6606f7fe29de3107c4cbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\q7mdngtu.cmdline

Filesize
317B

MD5
f3b275e63d75f6983c582ede51964b38

SHA1
2e35860611b452006289e593ea9444c838e42195

SHA256
fa8b8f6c98cc944f735e0548bd93f67f5f5a9bbf62cd9f3469dfa73e7fc90c20

SHA512
2e6db87ccd157b5e4f3c722cc3395d423b24885b2c9ceb8a425ccff7df78af3b4404a52d8d3871a3a28491e0a672fda4f2c42d24612cea5d29c2e3e6700dba3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\q7mdngtu.dll

Filesize
6KB

MD5
b07a2e10da6b735e54c6c82b9cec0371

SHA1
fe15d0e2ecbf4177c09d5df897c849e4517a4182

SHA256
c2aec589ebf675ab8012b2611ae5b79d22192a3586cd872cfd69e519e8ecb9d0

SHA512
64f5e8d11258a67fce182e78fec116f2a8eee1f580aa79c4dfbe12e955f4104e3b7f8e0470cad0df107403626d26970ff8bd0b715cc2853b212c9784469d8928

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3170252C3BB14F74862EF095F45BBE6.TMP

Filesize
652B

MD5
06b5c84723d855f0b3756434fe40fe40

SHA1
cad21ffbcedffb1b6b5eb0c3204f56968400785b

SHA256
3840d1918c64e3cf03375dfa7656c1a984e9f15eb4b1a8f0935eb1e477e1f700

SHA512
52f7bb297acb49f6e3bc4178375756b39faadd13ea5dc24e7747bc56a6b1764b96533973cd4a2cd178b3f89718ece4a7444da264549d78e374459fcf58cd9d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc84DB4EEFA6CE4E3F9240948B5D472436.TMP

Filesize
652B

MD5
d5edf64417ca0356ed88d7d231ec9590

SHA1
f99bb4fb681014df9cf1635a0ba46c1625df72ed

SHA256
1a4472d2c66f050d4893dc3f3438ec7a0bf71ed75703ddd7eb7221fada105aa8

SHA512
0378e50e87486ddaccaa81cbfb4a4f8b5728bbfe6524dc265d39330e58335a5a9b31fc30878051da926ad2fdc51b6980bb9cae583fde91ddd1d1d0f367d8757e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yklwbter.cmdline

Filesize
317B

MD5
dc3a980d1bc2a3b861365c577b518c18

SHA1
b6a229f9c8b61c44c1ce2982a85d849516c3dcbb

SHA256
ca2d41635efe800bbf05daad0e54c44f70482f1b588e0fb4d8ce3fb9318d0fc5

SHA512
6b7ca84da3a81776b1bdfe47850013835484c28286fe80f5b3bc96c14bedaf19b4fd45cd330f8aa541906740e94d603e27ddcaa8ad4d169a88521b433961264c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yklwbter.dll

Filesize
6KB

MD5
aafb86dce6d942fdd4d45004bee3428e

SHA1
8d4b48963fec7443546991a250a009a01a33b2a4

SHA256
f4e17779d14a5189a8e561e3cc17cc99a1c620271f3eab3c2541ba51a2c12748

SHA512
5557962a05bec1a3662022f02072d80351eb54e0e518de98098cdbc57be917e83d52b9847700e0e42cc230ab2a859b09329f861225aee752bdef954edaf98362

Download Submit
C:\Users\Admin\AppData\Roaming\fp.txt

Filesize
98B

MD5
29f4345363b8e3d4f976a3a8943d3aa4

SHA1
deeadd588e36328fd04e8190916c49129080cb0d

SHA256
747c7d7fe14460a4f3cb8931d5f38228834e23d0ddb468ef6082719d1339936b

SHA512
33fa9b372c88e2ea026490c8b264a8d182b61b98af5ed56f87a0f300743bc78490b3da2dc987cc82c2579f07a842fa93e34b76dda7249dac6e7e4e94a6ee0caa

Download Submit
memory/628-16-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/628-7-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/808-46-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/808-36-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/808-38-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2136-32-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/2136-27-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/2848-1-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/2848-0-0x0000000075592000-0x0000000075593000-memory.dmp

Filesize
4KB

Download
memory/2848-2-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/2848-52-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/3124-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3124-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3124-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3124-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads