modiloader | db4ba35b3aeae2d07b87004b202663bc3d78e29b0188db0d9321ffcfe7ded1c5

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/01/2025, 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_020b40f01a98e5b6ed96705163529faa.exe
Size

72KB
MD5

020b40f01a98e5b6ed96705163529faa
SHA1

4240b02cf37ab867e786f69f038401852dc1ac0e
SHA256

db4ba35b3aeae2d07b87004b202663bc3d78e29b0188db0d9321ffcfe7ded1c5
SHA512

afbd52f371bf514f7f87ed0ff1aacec8820f16c90b6e716d4a2f8d3c845aedc745235c58183740b773c824c1db606719bbcdfed971eeb62cb1942061f4eee46d
SSDEEP

1536:adAyopai/zkM6ZTeCgZliNFJVPZ9kUbjS9M0um23ji:aOUQMJxgVW0u9W

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2980-10-0x0000000000400000-0x0000000000419000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2996	server.exe

Loads dropped DLL 5 IoCs

pid	Process
2980	JaffaCakes118_020b40f01a98e5b6ed96705163529faa.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2928	2996	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_020b40f01a98e5b6ed96705163529faa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2316	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2316	DllHost.exe
2316	DllHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2996	2980	JaffaCakes118_020b40f01a98e5b6ed96705163529faa.exe	31
PID 2980 wrote to memory of 2996	2980	JaffaCakes118_020b40f01a98e5b6ed96705163529faa.exe	31
PID 2980 wrote to memory of 2996	2980	JaffaCakes118_020b40f01a98e5b6ed96705163529faa.exe	31
PID 2980 wrote to memory of 2996	2980	JaffaCakes118_020b40f01a98e5b6ed96705163529faa.exe	31
PID 2996 wrote to memory of 2928	2996	server.exe	32
PID 2996 wrote to memory of 2928	2996	server.exe	32
PID 2996 wrote to memory of 2928	2996	server.exe	32
PID 2996 wrote to memory of 2928	2996	server.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_020b40f01a98e5b6ed96705163529faa.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_020b40f01a98e5b6ed96705163529faa.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 120
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2928

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\images.jpg

Filesize
1KB

MD5
8279cbb7205a50d5402952084a5fc6a3

SHA1
1949fea5e51b28cbdab449259109a039d9706d09

SHA256
44d386d70b7553f398619c9a474992291f9a6db31722ca88978a53ed0661ec49

SHA512
3557731d95bca36323ff9560082e571acf4ae7c4b443c73121c668de9f100ac4e4c978e88904db68e53e2f0118fbddedc905de63356fd7f7fd824223379a6690

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
58KB

MD5
94832d355493f1b02c02bfb4f17a4173

SHA1
7d70ab91c42dd5c20178abbae3f8cafcbac3a8c2

SHA256
f020dabf321c5090a7fe4b50a46c15de10740ac677bce0c0af54ebbae5c78c8d

SHA512
ec5c570b35f5082cd771b659968f4e1d38a234860ea24ab4b275e5f22269a4a8862e56bc9e70696d39a12553eb76028f2d527e564314d2a977f4dc2c4744623f

Download Submit
memory/2316-2-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2316-4-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/2316-16-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/2980-1-0x0000000000B20000-0x0000000000B22000-memory.dmp

Filesize
8KB

Download
memory/2980-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download