modiloader | 7589ceea4574effa89e246b33c3660a1e1cc0ae80874b22207de4343511a372e

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-01-2025 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_56942163db21e0409b92fc16c5f40d03.exe
Size

1.0MB
MD5

56942163db21e0409b92fc16c5f40d03
SHA1

c92f50c8c3f425fa2a53242d4b2795f55afcb684
SHA256

7589ceea4574effa89e246b33c3660a1e1cc0ae80874b22207de4343511a372e
SHA512

b0f2250cc9e29b2961266affc98bc99e530f4303361a690b46536bcbaa28d9dcb432b897522eb9e843b894c313aba603ae5b42688d5ad2c340c3971c2d7ecdec
SSDEEP

24576:O9sFUm6PN/7+6Qsz5Y4nOcCCKQmXri2kGsdGbhkP:Y1m6PNT+6Qs9OchrmuP

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2908-76-0x0000000000400000-0x00000000004D1000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

pid	Process
2796	1.exe
2616	SCRAMB~1.EXE
2908	temp.exe

Loads dropped DLL 6 IoCs

pid	Process
1740	JaffaCakes118_56942163db21e0409b92fc16c5f40d03.exe
1740	JaffaCakes118_56942163db21e0409b92fc16c5f40d03.exe
2796	1.exe
2616	SCRAMB~1.EXE
2616	SCRAMB~1.EXE
2908	temp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"F:\\msdownld.tmp\\IXP000.TMP\\\""	1.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	1.exe
File opened (read-only)	\??\B:	1.exe
File opened (read-only)	\??\E:	1.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\program files\common files\microsoft shared\msinfo\1.jpg	JaffaCakes118_56942163db21e0409b92fc16c5f40d03.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt	temp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_56942163db21e0409b92fc16c5f40d03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCRAMB~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2796	1740	JaffaCakes118_56942163db21e0409b92fc16c5f40d03.exe	30
PID 1740 wrote to memory of 2796	1740	JaffaCakes118_56942163db21e0409b92fc16c5f40d03.exe	30
PID 1740 wrote to memory of 2796	1740	JaffaCakes118_56942163db21e0409b92fc16c5f40d03.exe	30
PID 1740 wrote to memory of 2796	1740	JaffaCakes118_56942163db21e0409b92fc16c5f40d03.exe	30
PID 1740 wrote to memory of 2796	1740	JaffaCakes118_56942163db21e0409b92fc16c5f40d03.exe	30
PID 1740 wrote to memory of 2796	1740	JaffaCakes118_56942163db21e0409b92fc16c5f40d03.exe	30
PID 1740 wrote to memory of 2796	1740	JaffaCakes118_56942163db21e0409b92fc16c5f40d03.exe	30
PID 2796 wrote to memory of 2616	2796	1.exe	31
PID 2796 wrote to memory of 2616	2796	1.exe	31
PID 2796 wrote to memory of 2616	2796	1.exe	31
PID 2796 wrote to memory of 2616	2796	1.exe	31
PID 2796 wrote to memory of 2616	2796	1.exe	31
PID 2796 wrote to memory of 2616	2796	1.exe	31
PID 2796 wrote to memory of 2616	2796	1.exe	31
PID 2616 wrote to memory of 2908	2616	SCRAMB~1.EXE	32
PID 2616 wrote to memory of 2908	2616	SCRAMB~1.EXE	32
PID 2616 wrote to memory of 2908	2616	SCRAMB~1.EXE	32
PID 2616 wrote to memory of 2908	2616	SCRAMB~1.EXE	32
PID 2616 wrote to memory of 2908	2616	SCRAMB~1.EXE	32
PID 2616 wrote to memory of 2908	2616	SCRAMB~1.EXE	32
PID 2616 wrote to memory of 2908	2616	SCRAMB~1.EXE	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56942163db21e0409b92fc16c5f40d03.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56942163db21e0409b92fc16c5f40d03.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740
- C:\program files\common files\microsoft shared\msinfo\1.exe
  "C:\program files\common files\microsoft shared\msinfo\1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - F:\msdownld.tmp\IXP000.TMP\SCRAMB~1.EXE
    F:\msdownld.tmp\IXP000.TMP\SCRAMB~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\temp.exe
      "C:\Users\Admin\AppData\Local\Temp\temp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\program files\common files\microsoft shared\msinfo\1.exe

Filesize
685KB

MD5
cb91cdde00b2b14457452ce500a1464c

SHA1
55cb59431b6ef3674807685eaee850cbebca70a9

SHA256
7fa395ea70bceace2ef09ce951f552037ee7be40e60d7a73c14f369c2f481881

SHA512
94470f2135cfbc5d6c31b38906cac41b462c6c5ada0089cd51cdcf00a920ecf91aea7dc5e2ac3728586837b75b78ebd234ec31d7594b0f03d19df18f6d9bdd21

Download Submit
F:\msdownld.tmp\IXP000.TMP\SCRAMB~1.EXE

Filesize
1.0MB

MD5
8e96ae1689c8304b0e7e4471c59a4af4

SHA1
ebb92e313266b1c3e46365a1760f059762fc6aaa

SHA256
ec841c7c5be91900df380af0243c6454e5f3f085a29cea2e13817cb887d35fc9

SHA512
9daec4d1053e154e0fa0621bf03edcdfc45227b4f9ee293dcacd5fc61884d55621d64e6c68b356c475f2d6445a769d52571625caf1aec3d3daff40bf10b0e10f

Download Submit
\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
737KB

MD5
14062d42b65c1ab7affd8c156e5e9244

SHA1
459a296b77c98f3bf76166a0c7b85d83fd5bfa0d

SHA256
279005932ed768eca5d8426f8b7905dc04a66527defafbe55d09d6352606f023

SHA512
66632b2e0e694087a52db63b7a446543c01db20839ada59f258f801963b985363b13ace3438f52ccb8e4a7d8f5cdbc241afdabd4aee8cb1b3ecd210a3ef3686f

Download Submit
memory/1740-18-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1740-5-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1740-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1740-16-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1740-4-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1740-3-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1740-2-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1740-30-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1740-29-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1740-28-0x0000000003210000-0x0000000003215000-memory.dmp

Filesize
20KB

Download
memory/1740-27-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/1740-26-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/1740-25-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/1740-24-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/1740-23-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/1740-15-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1740-21-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1740-20-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/1740-19-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1740-1-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/1740-17-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1740-7-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1740-22-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/1740-14-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1740-13-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1740-12-0x0000000003220000-0x0000000003222000-memory.dmp

Filesize
8KB

Download
memory/1740-11-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1740-10-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/1740-34-0x0000000003B10000-0x0000000003B20000-memory.dmp

Filesize
64KB

Download
memory/1740-41-0x0000000003C50000-0x0000000003F04000-memory.dmp

Filesize
2.7MB

Download
memory/1740-46-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/1740-47-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/1740-8-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1740-42-0x0000000003C50000-0x0000000003F04000-memory.dmp

Filesize
2.7MB

Download
memory/1740-0-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/1740-9-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/2616-63-0x0000000003540000-0x0000000003611000-memory.dmp

Filesize
836KB

Download
memory/2616-69-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/2796-50-0x0000000001000000-0x00000000012B4000-memory.dmp

Filesize
2.7MB

Download
memory/2796-49-0x0000000001000000-0x00000000012B4000-memory.dmp

Filesize
2.7MB

Download
memory/2796-71-0x0000000001000000-0x00000000012B4000-memory.dmp

Filesize
2.7MB

Download
memory/2908-70-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2908-76-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads