modiloader | f016ca0df3328d1c9e1a700005a868e138be98b21e9057bb779ee46f1f41976b

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe
Size

204KB
MD5

0b611c2a068464b5e159c42a52323e8f
SHA1

90cb86e2e5795a8266b6a416f017fb8aa08454c0
SHA256

f016ca0df3328d1c9e1a700005a868e138be98b21e9057bb779ee46f1f41976b
SHA512

f6cee97f346e319b18d2703589df7e974dd1f464a87a04d3df9efc82efb8223473725b5f45aa4095d059afff9d80e0d6f1e88b1d06a39b3542d49f55cbb6d77a
SSDEEP

3072:IVLWUJOubym6q/iU0XrxIh1V/mxIPTB+7GBuZmr/xo7vpavphHD6q:gp6q/iU0Xr+hGATEaBuZKC7vYh9O

Score

10^/10

modiloader discovery trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 25 IoCs

resource	yara_rule
behavioral1/memory/2800-14-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2800-13-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2800-12-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2800-16-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2800-15-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2800-26-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2964-43-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2964-44-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2964-45-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2964-46-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2964-48-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2964-49-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2964-50-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2964-51-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2964-52-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2964-53-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2964-54-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2964-55-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2964-56-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2964-57-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2964-58-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2964-59-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2964-60-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2964-61-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2
behavioral1/memory/2964-62-0x0000000000400000-0x000000000046D000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2964	javascheds.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SunJavaUpdateSched.lnk	JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SunJavaUpdateSched.lnk	JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SunJavaUpdateSched.lnk	javascheds.exe

Executes dropped EXE 2 IoCs

pid	Process
2640	javascheds.exe
2964	javascheds.exe

Loads dropped DLL 2 IoCs

pid	Process
2800	JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe
2800	JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	javascheds.exe
File opened (read-only)	\??\I:	javascheds.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wins\setup\javascheds.exe	JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe
File opened for modification	C:\Windows\SysWOW64\wins\setup\javascheds.exe	JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2084 set thread context of 2800	2084	JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe	31
PID 2640 set thread context of 2964	2640	javascheds.exe	33

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2800-4-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2800-11-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2800-14-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2800-13-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2800-12-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2800-10-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2800-9-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2800-6-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2800-16-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2800-15-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2800-26-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2964-43-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2964-42-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2964-44-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2964-45-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2964-46-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2964-48-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2964-49-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2964-50-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2964-51-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2964-52-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2964-53-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2964-54-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2964-55-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2964-56-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2964-57-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2964-58-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2964-59-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2964-60-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2964-61-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/2964-62-0x0000000000400000-0x000000000046D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javascheds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javascheds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2084	JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe
2800	JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe
2800	JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe
2640	javascheds.exe
2964	javascheds.exe
2964	javascheds.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2800	2084	JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe	31
PID 2084 wrote to memory of 2800	2084	JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe	31
PID 2084 wrote to memory of 2800	2084	JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe	31
PID 2084 wrote to memory of 2800	2084	JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe	31
PID 2084 wrote to memory of 2800	2084	JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe	31
PID 2084 wrote to memory of 2800	2084	JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe	31
PID 2084 wrote to memory of 2800	2084	JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe	31
PID 2084 wrote to memory of 2800	2084	JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe	31
PID 2800 wrote to memory of 2640	2800	JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe	32
PID 2800 wrote to memory of 2640	2800	JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe	32
PID 2800 wrote to memory of 2640	2800	JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe	32
PID 2800 wrote to memory of 2640	2800	JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe	32
PID 2640 wrote to memory of 2964	2640	javascheds.exe	33
PID 2640 wrote to memory of 2964	2640	javascheds.exe	33
PID 2640 wrote to memory of 2964	2640	javascheds.exe	33
PID 2640 wrote to memory of 2964	2640	javascheds.exe	33
PID 2640 wrote to memory of 2964	2640	javascheds.exe	33
PID 2640 wrote to memory of 2964	2640	javascheds.exe	33
PID 2640 wrote to memory of 2964	2640	javascheds.exe	33
PID 2640 wrote to memory of 2964	2640	javascheds.exe	33
PID 2964 wrote to memory of 2796	2964	javascheds.exe	34
PID 2964 wrote to memory of 2796	2964	javascheds.exe	34
PID 2964 wrote to memory of 2796	2964	javascheds.exe	34
PID 2964 wrote to memory of 2796	2964	javascheds.exe	34
PID 2964 wrote to memory of 2944	2964	javascheds.exe	35
PID 2964 wrote to memory of 2944	2964	javascheds.exe	35
PID 2964 wrote to memory of 2944	2964	javascheds.exe	35
PID 2964 wrote to memory of 2944	2964	javascheds.exe	35
PID 2964 wrote to memory of 1896	2964	javascheds.exe	37
PID 2964 wrote to memory of 1896	2964	javascheds.exe	37
PID 2964 wrote to memory of 1896	2964	javascheds.exe	37
PID 2964 wrote to memory of 1896	2964	javascheds.exe	37
PID 2944 wrote to memory of 1812	2944	cmd.exe	42
PID 2944 wrote to memory of 1812	2944	cmd.exe	42
PID 2944 wrote to memory of 1812	2944	cmd.exe	42
PID 2944 wrote to memory of 1812	2944	cmd.exe	42
PID 2944 wrote to memory of 1812	2944	cmd.exe	42
PID 2944 wrote to memory of 1812	2944	cmd.exe	42
PID 2944 wrote to memory of 1812	2944	cmd.exe	42
PID 1896 wrote to memory of 2128	1896	cmd.exe	40
PID 1896 wrote to memory of 2128	1896	cmd.exe	40
PID 1896 wrote to memory of 2128	1896	cmd.exe	40
PID 1896 wrote to memory of 2128	1896	cmd.exe	40
PID 1896 wrote to memory of 2128	1896	cmd.exe	40
PID 1896 wrote to memory of 2128	1896	cmd.exe	40
PID 1896 wrote to memory of 2128	1896	cmd.exe	40
PID 2796 wrote to memory of 1652	2796	cmd.exe	41
PID 2796 wrote to memory of 1652	2796	cmd.exe	41
PID 2796 wrote to memory of 1652	2796	cmd.exe	41
PID 2796 wrote to memory of 1652	2796	cmd.exe	41
PID 2796 wrote to memory of 1652	2796	cmd.exe	41
PID 2796 wrote to memory of 1652	2796	cmd.exe	41
PID 2796 wrote to memory of 1652	2796	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b611c2a068464b5e159c42a52323e8f.exe
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\wins\setup\javascheds.exe
    "C:\Windows\system32\wins\setup\javascheds.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\wins\setup\javascheds.exe
      C:\Windows\SysWOW64\wins\setup\javascheds.exe
      4⤵
      Deletes itself
      Drops startup file
      Executes dropped EXE
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe + command.com /c regsvr32 /u /s %WINDIR%/"Downloaded Program Files"/JaguarEditControl.dll
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /u /s C:\Windows/"Downloaded Program Files"/JaguarEditControl.dll
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe + command.com /c regsvr32 /u /s %WINDIR%/"Downloaded Program Files"/tebedit.ocx
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2944
      - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /u /s C:\Windows/"Downloaded Program Files"/tebedit.ocx
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe + command.com /c regsvr32 /u /s %WINDIR%/"Downloaded Program Files"/JaguarEdit4ISB.dll
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1896
      - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /u /s C:\Windows/"Downloaded Program Files"/JaguarEdit4ISB.dll
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wins\setup\javascheds.exe

Filesize
204KB

MD5
0b611c2a068464b5e159c42a52323e8f

SHA1
90cb86e2e5795a8266b6a416f017fb8aa08454c0

SHA256
f016ca0df3328d1c9e1a700005a868e138be98b21e9057bb779ee46f1f41976b

SHA512
f6cee97f346e319b18d2703589df7e974dd1f464a87a04d3df9efc82efb8223473725b5f45aa4095d059afff9d80e0d6f1e88b1d06a39b3542d49f55cbb6d77a

Download Submit
memory/2800-10-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2800-11-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2800-14-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2800-13-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2800-12-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2800-2-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2800-9-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2800-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2800-6-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2800-16-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2800-15-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2800-4-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2800-26-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2964-44-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2964-52-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2964-43-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2964-45-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2964-46-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2964-48-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2964-49-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2964-50-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2964-51-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2964-42-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2964-53-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2964-54-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2964-55-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2964-56-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2964-57-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2964-58-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2964-59-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2964-60-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2964-61-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2964-62-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download