modiloader | ac78ba618423bab080b9ef85bad13c84b8134c2ed324cb7244605bae8d321e7e

Analysis

max time kernel
93s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0fb5fed6b0db1ded1b6dc5096c193b83.dll
Size

148KB
MD5

0fb5fed6b0db1ded1b6dc5096c193b83
SHA1

fc79274a10d01ad3ae4f1fbf92af0125caaf2bf1
SHA256

ac78ba618423bab080b9ef85bad13c84b8134c2ed324cb7244605bae8d321e7e
SHA512

76bae11fea1354d1cb3df9f27c4ff79e00e91279d6be54139dc193215a19ef20342f9a085ea6c325beaa7323c05a9ac9502a6220026c42cd97448f9665a68000
SSDEEP

1536:BAqMQ2mieCvDHMcviHCj/uLRClBfb7puP+HgSDx:2PTRDHjQLRgBfblVpDx

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/3604-0-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 3604	1736	regsvr32.exe	83
PID 1736 wrote to memory of 3604	1736	regsvr32.exe	83
PID 1736 wrote to memory of 3604	1736	regsvr32.exe	83

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0fb5fed6b0db1ded1b6dc5096c193b83.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0fb5fed6b0db1ded1b6dc5096c193b83.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3604-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download