modiloader | 4ba6491f8f01bc9a94782fcd0c55ccfbf48db0736d5b78677dc44e7dbb09cfa3

Analysis

max time kernel
74s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe
Size

1.6MB
MD5

10e64c93155b53a75226cdef3795c948
SHA1

e62a70fc0a3f6ae135be671f3d18645007f649bb
SHA256

4ba6491f8f01bc9a94782fcd0c55ccfbf48db0736d5b78677dc44e7dbb09cfa3
SHA512

e988a00cdbc2c730c8c5cb8be3f96ca6086d73bc5a4450025ad9e6d1d0a82bb6429ecddaa606a0a27db2d579f31553c651a37cabb7a3d40d02fc96427c4a986c
SSDEEP

24576:0Pl9cThaekv6ixQZYk1gnBgGXXwn3AY2LHAV3WJ9dYqFHkgoUgaf+RDofl+nTPRS:49dFv6btK/wn3TIrxFEpUMRZTZn1akIj

Score

10^/10

modiloader aspackv2 discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader First Stage 11 IoCs

resource	yara_rule
behavioral1/memory/2908-476-0x0000000000400000-0x000000000075A000-memory.dmp	modiloader_stage1
behavioral1/memory/2908-477-0x0000000000400000-0x000000000075A000-memory.dmp	modiloader_stage1
behavioral1/memory/2908-478-0x0000000000400000-0x000000000075A000-memory.dmp	modiloader_stage1
behavioral1/memory/2908-479-0x0000000000400000-0x000000000075A000-memory.dmp	modiloader_stage1
behavioral1/memory/2908-480-0x0000000000400000-0x000000000075A000-memory.dmp	modiloader_stage1
behavioral1/memory/2908-481-0x0000000000400000-0x000000000075A000-memory.dmp	modiloader_stage1
behavioral1/memory/2908-482-0x0000000000400000-0x000000000075A000-memory.dmp	modiloader_stage1
behavioral1/memory/2908-483-0x0000000000400000-0x000000000075A000-memory.dmp	modiloader_stage1
behavioral1/memory/2908-484-0x0000000000400000-0x000000000075A000-memory.dmp	modiloader_stage1
behavioral1/memory/2908-485-0x0000000000400000-0x000000000075A000-memory.dmp	modiloader_stage1
behavioral1/memory/2908-486-0x0000000000400000-0x000000000075A000-memory.dmp	modiloader_stage1

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0005000000019659-447.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
2880	irsetup.exe
2908	freescan.exe

Loads dropped DLL 11 IoCs

pid	Process
2944	JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe
2880	irsetup.exe
2880	irsetup.exe
2880	irsetup.exe
2880	irsetup.exe
2880	irsetup.exe
2880	irsetup.exe
2880	irsetup.exe
2908	freescan.exe
2908	freescan.exe
2908	freescan.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Spyware Begone = "c:\\freescan\\freescan.exe -FastScan"	freescan.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Spyware Begone Setup Log.txt	irsetup.exe
File created	C:\Windows\iun6002.exe	irsetup.exe
File opened for modification	C:\Windows\iun6002.exe	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	freescan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2908	freescan.exe
2908	freescan.exe
2908	freescan.exe
2908	freescan.exe
2908	freescan.exe
2908	freescan.exe
2908	freescan.exe
2908	freescan.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2908	freescan.exe
2908	freescan.exe
2908	freescan.exe
2908	freescan.exe
2908	freescan.exe
2908	freescan.exe
2908	freescan.exe
2908	freescan.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2880	irsetup.exe
2880	irsetup.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2880	2944	JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe	30
PID 2944 wrote to memory of 2880	2944	JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe	30
PID 2944 wrote to memory of 2880	2944	JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe	30
PID 2944 wrote to memory of 2880	2944	JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe	30
PID 2944 wrote to memory of 2880	2944	JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe	30
PID 2944 wrote to memory of 2880	2944	JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe	30
PID 2944 wrote to memory of 2880	2944	JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe	30
PID 2880 wrote to memory of 2908	2880	irsetup.exe	33
PID 2880 wrote to memory of 2908	2880	irsetup.exe	33
PID 2880 wrote to memory of 2908	2880	irsetup.exe	33
PID 2880 wrote to memory of 2908	2880	irsetup.exe	33
PID 2880 wrote to memory of 2908	2880	irsetup.exe	33
PID 2880 wrote to memory of 2908	2880	irsetup.exe	33
PID 2880 wrote to memory of 2908	2880	irsetup.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\irsetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2880
- - \??\c:\freescan\freescan.exe
    c:\freescan\freescan.exe -ScanNow
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IRIMG1.BMP

Filesize
7KB

MD5
e29a24e189e95681bb41f73c16747fd8

SHA1
e9269bb9cb6f2b700fc78f92066f31b15a9c5c2a

SHA256
3973d354045be781eabf9114772fe2e5e96d1e557793de10c914d901b16e8c09

SHA512
4c6db25e04acb8349da29249f712b20c217d792e6d5fd40af9b398e2617d5168ef0afc2505a05b0833b90165d5e5eaf2e98d1821e855a99fc7833de52154ad94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IRIMG2.BMP

Filesize
51KB

MD5
51010ac6ff61a48c3f48e857504e478d

SHA1
b1789a2c52bdbe6872a529c8c5da749e9f7b0cd2

SHA256
cc553ab0e18a34b2a31e70aa6941aebdba0aad9777264b78eb19637fe620a534

SHA512
bacfa25f70c62918293247043f04a6164c2a9b6c957c70ef4e3a18d410de52a89f5e543c2461172e1944cb46020374b169e2052bc3777da38998cc3a802e865f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IRIMG3.BMP

Filesize
7KB

MD5
20a73ae628bcafe88fc6237b7de507bb

SHA1
7850d4d3822ef271c71e72887b40e6e16d07806a

SHA256
615387dce5431c84590407a192d7b99dc3a2ebc408df7b57796c9a5a33c572c3

SHA512
32ef670258cf331c20c62caf54799ce1f9d490f7055886536c3a24e88e97f5953cc462d407e729a1ca0400e1bb8ca4d8408690a779666504e8dc6e9e784e5d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.dat

Filesize
8KB

MD5
0cb093858fa18392ed7f9322a673dcff

SHA1
4737772cdd98c607401b3a0b8d943cb6743e3d5b

SHA256
fe24fa086d6008d317a6eb24381cd99f8176dc6a7766a80870dfba1f0dfd3727

SHA512
cbff96e5a5fa409664c07e1e4c7f91b243a030b522cb4e70e9d3ace17ec6bda82f22faa316ad7f7815f6225da99564a241c6e9e4450c54fd6a605465caa6859e

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.ini

Filesize
119B

MD5
5bd45c5633369a801d0d07af8a132187

SHA1
a185d3e9dca39f4bb32c2bad9631d4f7e73adeff

SHA256
bea06d66979361827a8b962738896d4614dfb55ab15a574c8d79fcc9d17eca6a

SHA512
88ea75a675a3c87d26f6d337b9b60151ce45441d32c7688115bb9464fc75a6666360ebce944c5155fd4d123cb1a70be4eca16a2f1b2bccb593ca092e8e118912

Download Submit
C:\Users\Admin\AppData\Local\Temp\suf6lng.9

Filesize
15KB

MD5
cedffa2264d312a7ca515e64ff34b814

SHA1
3f2c492765f8e6f50ec8b0d3580a8b81f2fe108c

SHA256
b13b8d36a80294fb22f2e166a307f6dab26cef2b7f4be3067571731d7cdf424a

SHA512
3c42ba97bac9aefeec0c1190c9375893eafb8f230339b141a1fdacb51ff994f9d362988273a53144e689f90ef62dbee0a2063e49523d73ce55a6e72673f9b638

Download Submit
C:\freescan\irunin.ini

Filesize
2KB

MD5
711eb6bac6416f2ebebe48da35612b48

SHA1
1ac7b9c0074aa404ff63095759bd427f23d08431

SHA256
56ef7601b912917c10015563d0e070fef18e66fcf6ddad62df29ca2b3dc2b155

SHA512
160cb05724ce1d3b0bf41c63298b8251bea5c785d42f8a166434c6c098fbbdfd69dc38b4d69594ab316187ad58a2976a5bb87e7d47bd75b46d2dc359e95d8699

Download Submit
C:\freescan\irunin.ini

Filesize
11KB

MD5
cb0c1e19e44e2f75396eca74f48cff37

SHA1
480cafb2189192a12fb59f5654ffe251ab00c5b0

SHA256
815da8349b477e32be389e24d2d698a8b5a4115d56a1f33011ca281d0f30bda1

SHA512
f4d5153eb8060edebeb43b3223cfdd095a3cc8704f81736d178af88fb39a9570ae1b8c9f33bbb04cf7d15a03bffbcfcade0a85162985055b7f391086961b1c0b

Download Submit
C:\freescan\irunin.ini

Filesize
245B

MD5
23672334dc1cc5efe2babd33fe429b86

SHA1
450387668742e7f7df8e2912e183cf2fd132ca88

SHA256
2557c38199ccb837190de264187a00750f4394d467464fd029ab604a13915060

SHA512
60f6ff59662312806becb2f7d6861225856bfcf9ed5bf6d5f574f9ee88a703f94e7e50404a837fd1d089f1e815ea6da7e6ba3602eecb0d873417d77fc78d0938

Download Submit
C:\freescan\irunin.ini

Filesize
570B

MD5
a95d526c3ec72268b07cc1227127d056

SHA1
94ae40e069e4842817e7324b4cde4829152fdf6c

SHA256
77dcc6b0db1e2d5e7be9288bcbf05b439843fff0f891c4491d4aadec1a57086d

SHA512
97cb580ceb93c946ddb5dda7097a04474de2659831c99f508985e7c67ec387e3ed8a237cd8c2f155e22ccda3598dc0cb51a4dd2f22fdff7e09383a840df454cb

Download Submit
\??\c:\freescan\DataBase\Master.enc

Filesize
215KB

MD5
74466221931cfb992633a52fa2aef259

SHA1
bf4ca706ef5caede49e853c6185ce9cfeca78365

SHA256
53a141902dbca169d6051527582e556183a93b32df571325268e123be818232e

SHA512
12790b12d178f89f2bc888997fd25e762163129fa4f309aeb1d4ac4f9421f199a6d57a45840b80a287c0c35da3bea42940e26713af5a85f2879a12a6123f3c84

Download Submit
\??\c:\freescan\DataBase\Url.enc

Filesize
8B

MD5
9682d296f78c0861fa45e2cc3405770f

SHA1
4706cb101aecb4fe1e286c421d7f40d57c9c8e81

SHA256
b95267752446a4a6db9b67f6578ee926f126b56cdf2e47f25b4004cb1de13879

SHA512
da3f4bb319cea53290db28f6706cc29347a07db91bb92d7133b6c01cf9ea69652d17128e228b0380278ed51abdd449588b247db88df89a3048cefb0e71911246

Download Submit
\Users\Admin\AppData\Local\Temp\irsetup.exe

Filesize
720KB

MD5
456462905091db042141487fe030e3c9

SHA1
bb57b4850528c3c8d9bf159fb5b9f414ddc7d5d7

SHA256
a93dc5e28d74ef40dd5d694aff7fb5f24c27dac4b59adae008cfdc5ca65587b0

SHA512
fdd82c126189454352b44c756be06e3e93ee26a93b56d99c3eb5254cac3f6d6ed71556765b76e65bd75efad461972044ce829443c006fc0816a28f7b4493296f

Download Submit
\freescan\freescan.exe

Filesize
969KB

MD5
cfa6ca35aa751c07804503736d130528

SHA1
47cd7efdbd119ff40d9fa490635bed675d700074

SHA256
81ee8c912de9feff626ca32036e4f943f1006982b76b69e676bd8a032ca8de7c

SHA512
b6beae8d390d5b475f3a9b8bd12be4b87509d48a5d33a27ed081953be278922f44c789a91d54d70424c48fcdae8ff06488c09e02c056959b5d872d7503ea81b2

Download Submit
memory/2908-476-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download
memory/2908-477-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download
memory/2908-478-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download
memory/2908-479-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download
memory/2908-480-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download
memory/2908-481-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download
memory/2908-482-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download
memory/2908-483-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download
memory/2908-484-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download
memory/2908-485-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download
memory/2908-486-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads