modiloader | 4ba6491f8f01bc9a94782fcd0c55ccfbf48db0736d5b78677dc44e7dbb09cfa3

Analysis

max time kernel
74s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2025, 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe
Size

1.6MB
MD5

10e64c93155b53a75226cdef3795c948
SHA1

e62a70fc0a3f6ae135be671f3d18645007f649bb
SHA256

4ba6491f8f01bc9a94782fcd0c55ccfbf48db0736d5b78677dc44e7dbb09cfa3
SHA512

e988a00cdbc2c730c8c5cb8be3f96ca6086d73bc5a4450025ad9e6d1d0a82bb6429ecddaa606a0a27db2d579f31553c651a37cabb7a3d40d02fc96427c4a986c
SSDEEP

24576:0Pl9cThaekv6ixQZYk1gnBgGXXwn3AY2LHAV3WJ9dYqFHkgoUgaf+RDofl+nTPRS:49dFv6btK/wn3TIrxFEpUMRZTZn1akIj

Score

10^/10

modiloader aspackv2 discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader First Stage 11 IoCs

resource	yara_rule
behavioral2/memory/1196-458-0x0000000000400000-0x000000000075A000-memory.dmp	modiloader_stage1
behavioral2/memory/1196-460-0x0000000000400000-0x000000000075A000-memory.dmp	modiloader_stage1
behavioral2/memory/1196-461-0x0000000000400000-0x000000000075A000-memory.dmp	modiloader_stage1
behavioral2/memory/1196-462-0x0000000000400000-0x000000000075A000-memory.dmp	modiloader_stage1
behavioral2/memory/1196-463-0x0000000000400000-0x000000000075A000-memory.dmp	modiloader_stage1
behavioral2/memory/1196-464-0x0000000000400000-0x000000000075A000-memory.dmp	modiloader_stage1
behavioral2/memory/1196-465-0x0000000000400000-0x000000000075A000-memory.dmp	modiloader_stage1
behavioral2/memory/1196-466-0x0000000000400000-0x000000000075A000-memory.dmp	modiloader_stage1
behavioral2/memory/1196-467-0x0000000000400000-0x000000000075A000-memory.dmp	modiloader_stage1
behavioral2/memory/1196-468-0x0000000000400000-0x000000000075A000-memory.dmp	modiloader_stage1
behavioral2/memory/1196-469-0x0000000000400000-0x000000000075A000-memory.dmp	modiloader_stage1

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023cd0-442.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
464	irsetup.exe
1196	freescan.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spyware Begone = "c:\\freescan\\freescan.exe -FastScan"	freescan.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Spyware Begone Setup Log.txt	irsetup.exe
File created	C:\Windows\iun6002.exe	irsetup.exe
File opened for modification	C:\Windows\iun6002.exe	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	freescan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1196	freescan.exe
1196	freescan.exe
1196	freescan.exe
1196	freescan.exe
1196	freescan.exe
1196	freescan.exe
1196	freescan.exe
1196	freescan.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1196	freescan.exe
1196	freescan.exe
1196	freescan.exe
1196	freescan.exe
1196	freescan.exe
1196	freescan.exe
1196	freescan.exe
1196	freescan.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
464	irsetup.exe
464	irsetup.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 464	384	JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe	82
PID 384 wrote to memory of 464	384	JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe	82
PID 384 wrote to memory of 464	384	JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe	82
PID 464 wrote to memory of 1196	464	irsetup.exe	92
PID 464 wrote to memory of 1196	464	irsetup.exe	92
PID 464 wrote to memory of 1196	464	irsetup.exe	92

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:384
- C:\Users\Admin\AppData\Local\Temp\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\irsetup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:464
- - \??\c:\freescan\freescan.exe
    c:\freescan\freescan.exe -ScanNow
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IRIMG1.BMP

Filesize
7KB

MD5
e29a24e189e95681bb41f73c16747fd8

SHA1
e9269bb9cb6f2b700fc78f92066f31b15a9c5c2a

SHA256
3973d354045be781eabf9114772fe2e5e96d1e557793de10c914d901b16e8c09

SHA512
4c6db25e04acb8349da29249f712b20c217d792e6d5fd40af9b398e2617d5168ef0afc2505a05b0833b90165d5e5eaf2e98d1821e855a99fc7833de52154ad94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IRIMG2.BMP

Filesize
51KB

MD5
51010ac6ff61a48c3f48e857504e478d

SHA1
b1789a2c52bdbe6872a529c8c5da749e9f7b0cd2

SHA256
cc553ab0e18a34b2a31e70aa6941aebdba0aad9777264b78eb19637fe620a534

SHA512
bacfa25f70c62918293247043f04a6164c2a9b6c957c70ef4e3a18d410de52a89f5e543c2461172e1944cb46020374b169e2052bc3777da38998cc3a802e865f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IRIMG3.BMP

Filesize
7KB

MD5
20a73ae628bcafe88fc6237b7de507bb

SHA1
7850d4d3822ef271c71e72887b40e6e16d07806a

SHA256
615387dce5431c84590407a192d7b99dc3a2ebc408df7b57796c9a5a33c572c3

SHA512
32ef670258cf331c20c62caf54799ce1f9d490f7055886536c3a24e88e97f5953cc462d407e729a1ca0400e1bb8ca4d8408690a779666504e8dc6e9e784e5d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.dat

Filesize
8KB

MD5
0cb093858fa18392ed7f9322a673dcff

SHA1
4737772cdd98c607401b3a0b8d943cb6743e3d5b

SHA256
fe24fa086d6008d317a6eb24381cd99f8176dc6a7766a80870dfba1f0dfd3727

SHA512
cbff96e5a5fa409664c07e1e4c7f91b243a030b522cb4e70e9d3ace17ec6bda82f22faa316ad7f7815f6225da99564a241c6e9e4450c54fd6a605465caa6859e

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.exe

Filesize
720KB

MD5
456462905091db042141487fe030e3c9

SHA1
bb57b4850528c3c8d9bf159fb5b9f414ddc7d5d7

SHA256
a93dc5e28d74ef40dd5d694aff7fb5f24c27dac4b59adae008cfdc5ca65587b0

SHA512
fdd82c126189454352b44c756be06e3e93ee26a93b56d99c3eb5254cac3f6d6ed71556765b76e65bd75efad461972044ce829443c006fc0816a28f7b4493296f

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.ini

Filesize
119B

MD5
5bd45c5633369a801d0d07af8a132187

SHA1
a185d3e9dca39f4bb32c2bad9631d4f7e73adeff

SHA256
bea06d66979361827a8b962738896d4614dfb55ab15a574c8d79fcc9d17eca6a

SHA512
88ea75a675a3c87d26f6d337b9b60151ce45441d32c7688115bb9464fc75a6666360ebce944c5155fd4d123cb1a70be4eca16a2f1b2bccb593ca092e8e118912

Download Submit
C:\Users\Admin\AppData\Local\Temp\suf6lng.9

Filesize
15KB

MD5
cedffa2264d312a7ca515e64ff34b814

SHA1
3f2c492765f8e6f50ec8b0d3580a8b81f2fe108c

SHA256
b13b8d36a80294fb22f2e166a307f6dab26cef2b7f4be3067571731d7cdf424a

SHA512
3c42ba97bac9aefeec0c1190c9375893eafb8f230339b141a1fdacb51ff994f9d362988273a53144e689f90ef62dbee0a2063e49523d73ce55a6e72673f9b638

Download Submit
C:\freescan\freescan.exe

Filesize
969KB

MD5
cfa6ca35aa751c07804503736d130528

SHA1
47cd7efdbd119ff40d9fa490635bed675d700074

SHA256
81ee8c912de9feff626ca32036e4f943f1006982b76b69e676bd8a032ca8de7c

SHA512
b6beae8d390d5b475f3a9b8bd12be4b87509d48a5d33a27ed081953be278922f44c789a91d54d70424c48fcdae8ff06488c09e02c056959b5d872d7503ea81b2

Download Submit
C:\freescan\irunin.ini

Filesize
9KB

MD5
ee4be80440eaa8f349996456ec82bc3c

SHA1
9b6c0a72534a6820d42bad1619276d9a0b26376a

SHA256
2248b93d8103a5d3c8cd99bc1292d1bad5b8a51554d946e07f7e2b3ce96292a1

SHA512
1fa9e6e07e829fbba269a375f6b2baa58b38568b08925dec9f796428c10e09b5b3dacc4ab8cde66f865f5468de892c1d55ca57ee87c64fe74689a68aa5598165

Download Submit
C:\freescan\irunin.ini

Filesize
4KB

MD5
faf5e6ebf0e9623a98e9c0a015c839d7

SHA1
d29b885304523c53c5504093ea1bcad5830550ff

SHA256
848b24b583fbf0b44cbb1cb29e03ca7f5eef5e1ac52abb5deeb0fc1f7d946cce

SHA512
f05998b3396a001252712f80f6c93a6f51027f1601bcdcedfe07cf8db209997fa96cf78bb06bc464312f3e867d25f2384e4839af478a2c01a5ff23db2a3edef7

Download Submit
\??\c:\freescan\DataBase\Master.enc

Filesize
215KB

MD5
74466221931cfb992633a52fa2aef259

SHA1
bf4ca706ef5caede49e853c6185ce9cfeca78365

SHA256
53a141902dbca169d6051527582e556183a93b32df571325268e123be818232e

SHA512
12790b12d178f89f2bc888997fd25e762163129fa4f309aeb1d4ac4f9421f199a6d57a45840b80a287c0c35da3bea42940e26713af5a85f2879a12a6123f3c84

Download Submit
\??\c:\freescan\DataBase\Url.enc

Filesize
8B

MD5
9682d296f78c0861fa45e2cc3405770f

SHA1
4706cb101aecb4fe1e286c421d7f40d57c9c8e81

SHA256
b95267752446a4a6db9b67f6578ee926f126b56cdf2e47f25b4004cb1de13879

SHA512
da3f4bb319cea53290db28f6706cc29347a07db91bb92d7133b6c01cf9ea69652d17128e228b0380278ed51abdd449588b247db88df89a3048cefb0e71911246

Download Submit
memory/1196-463-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download
memory/1196-459-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/1196-458-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download
memory/1196-460-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download
memory/1196-461-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download
memory/1196-462-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download
memory/1196-451-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/1196-464-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download
memory/1196-465-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download
memory/1196-466-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download
memory/1196-467-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download
memory/1196-468-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download
memory/1196-469-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads