modiloader | aecec29b477c1a6f99aa8c512cc3179ef577ce814f74dc87005407bdd1602601

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/01/2025, 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe
Size

719KB
MD5

99b275b5cc5a6bb8d492490c6979bae9
SHA1

ab7301c148263996feaeff276bf9825be0d39659
SHA256

aecec29b477c1a6f99aa8c512cc3179ef577ce814f74dc87005407bdd1602601
SHA512

79022795c97a82b5737b63c169d33afeb3abf4b1b674b27a2b8b720468e1e736089987a8b2e6ddf2708a2b67d5ba2e74e10e440d98e8b6fe6422ef82f9b90469
SSDEEP

12288:UJv4sbmf230mGKBE6ONz7oCqqu5FP03W3LzO9cg8SjSIMaolh+mS:U1SlmGd6R3qu5FPAiLzARdSIMaN

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/2792-45-0x0000000000400000-0x000000000059D000-memory.dmp	modiloader_stage2
behavioral1/memory/2792-47-0x0000000000400000-0x000000000059D000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

pid	Process
2464	456.exe
2792	¸´¼þ Sx_server.exe
3016	NOTEPAD.EXE

Loads dropped DLL 9 IoCs

pid	Process
2376	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe
2376	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe
2464	456.exe
2464	456.exe
2464	456.exe
2376	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe
2376	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe
2792	¸´¼þ Sx_server.exe
3016	NOTEPAD.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\program files\common files\microsoft shared\msinfo\¸´¼þ Sx_server.jpg	456.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\2010.txt	¸´¼þ Sx_server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	456.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	¸´¼þ Sx_server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2464	2376	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe	30
PID 2376 wrote to memory of 2464	2376	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe	30
PID 2376 wrote to memory of 2464	2376	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe	30
PID 2376 wrote to memory of 2464	2376	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe	30
PID 2376 wrote to memory of 2464	2376	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe	30
PID 2376 wrote to memory of 2464	2376	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe	30
PID 2376 wrote to memory of 2464	2376	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe	30
PID 2464 wrote to memory of 2792	2464	456.exe	31
PID 2464 wrote to memory of 2792	2464	456.exe	31
PID 2464 wrote to memory of 2792	2464	456.exe	31
PID 2464 wrote to memory of 2792	2464	456.exe	31
PID 2464 wrote to memory of 2792	2464	456.exe	31
PID 2464 wrote to memory of 2792	2464	456.exe	31
PID 2464 wrote to memory of 2792	2464	456.exe	31
PID 2376 wrote to memory of 3016	2376	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe	32
PID 2376 wrote to memory of 3016	2376	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe	32
PID 2376 wrote to memory of 3016	2376	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe	32
PID 2376 wrote to memory of 3016	2376	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe	32
PID 2376 wrote to memory of 3016	2376	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe	32
PID 2376 wrote to memory of 3016	2376	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe	32
PID 2376 wrote to memory of 3016	2376	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe	32
PID 2792 wrote to memory of 1152	2792	¸´¼þ Sx_server.exe	33
PID 2792 wrote to memory of 1152	2792	¸´¼þ Sx_server.exe	33
PID 2792 wrote to memory of 1152	2792	¸´¼þ Sx_server.exe	33
PID 2792 wrote to memory of 1152	2792	¸´¼þ Sx_server.exe	33
PID 2792 wrote to memory of 1152	2792	¸´¼þ Sx_server.exe	33
PID 2792 wrote to memory of 1152	2792	¸´¼þ Sx_server.exe	33
PID 2792 wrote to memory of 1152	2792	¸´¼þ Sx_server.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\456.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\456.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\program files\common files\microsoft shared\msinfo\¸´¼þ Sx_server.exe
    "C:\program files\common files\microsoft shared\msinfo\¸´¼þ Sx_server.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\program files\internet explorer\IEXPLORE.EXE
      "C:\program files\internet explorer\IEXPLORE.EXE"
      4⤵
      PID:1152
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NOTEPAD.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NOTEPAD.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\¸´¼þ Sx_server.exe

Filesize
289KB

MD5
a8574aaf3427d0c468da1100fd1526ff

SHA1
012fefa0bb040c2528ef7266d535f2fe5cbf7707

SHA256
81bf66543e6ff717c9f26f0cf8740722f17ac175d1da3abe85a7dcab389459e8

SHA512
039e1ac5b8c324fba4be5a80128a0764336e790969c2b7ae22e308a12aed47e20c4a647c53cef2b353a3cf952c8e9dfb4c7a8edf16d00980caf8bcf34459bb22

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\456.exe

Filesize
634KB

MD5
73f2c3940d71ea34923e274b6935abfc

SHA1
0e79d8e82ccfeef2898b144188035cfde26616d4

SHA256
06f3c70980a2c6553c046c526fa18f282adeaa660eeedd16b85c7cbd4e888fea

SHA512
5b8ee88495cd14268923c0f4f64778c0ec0c9d435ec124e791fab21b59c9a98cdd78d47508a7b3ac3e5b4c071b4e894eff716cae8d9da1c594276bf430d04efe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\NOTEPAD.EXE

Filesize
65KB

MD5
c9f225f98574759e377bce6d87958c9c

SHA1
3a23ac5865ea5ac89d87b4219646a1cee5820ac1

SHA256
7834f55bcff4d30d7b778bceea618cfd23cf4f184f7db6b74d1b49bbcf6c0560

SHA512
d9ffd8ba019cde8e7d71b6c208f2b949e271527373458fee48e461e49ff096d32361d372a48aaa84b153847dd75c79a99e23f8fa450c888aae180bb3e2dc4c1b

Download Submit
memory/2376-12-0x0000000000700000-0x00000000007AA000-memory.dmp

Filesize
680KB

Download
memory/2376-11-0x0000000000700000-0x00000000007AA000-memory.dmp

Filesize
680KB

Download
memory/2464-30-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2464-18-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2464-19-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2464-24-0x0000000003AF0000-0x0000000003B00000-memory.dmp

Filesize
64KB

Download
memory/2464-16-0x0000000000454000-0x0000000000455000-memory.dmp

Filesize
4KB

Download
memory/2464-13-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2464-31-0x0000000003C30000-0x0000000003DCD000-memory.dmp

Filesize
1.6MB

Download
memory/2464-17-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2792-43-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download
memory/2792-44-0x0000000000C10000-0x0000000000DAD000-memory.dmp

Filesize
1.6MB

Download
memory/2792-45-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download
memory/2792-47-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads