modiloader | 2f9cc01ee10c3d1602e159e79b00323cc8f3f170d38a3f73bcfa8f6a8464907b

Analysis

max time kernel
119s
max time network
133s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/03/2025, 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_48ea48e3082156140da98eb1d2cc4211.exe
Size

468KB
MD5

48ea48e3082156140da98eb1d2cc4211
SHA1

c412d7bdfd4913a4f2a683f511d7dd25705a4167
SHA256

2f9cc01ee10c3d1602e159e79b00323cc8f3f170d38a3f73bcfa8f6a8464907b
SHA512

e9b30d3087b9d80aac4caf428c6d2c23e092ebc457a46e18d601da42617f978b399595381c4b21cf097a7cbc8f08ce8e1a38d87426c09c9d797c33418ef02535
SSDEEP

12288:ReWnwMUioIZIOCDOAn5zNrjgwUktrNEU/k4ndC:RdnwH9IZN2OK5BHgwU8K

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2496-358-0x0000000000400000-0x0000000000542000-memory.dmp	modiloader_stage2

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2496 set thread context of 2756	2496	JaffaCakes118_48ea48e3082156140da98eb1d2cc4211.exe	30

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt	JaffaCakes118_48ea48e3082156140da98eb1d2cc4211.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_48ea48e3082156140da98eb1d2cc4211.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "447194553"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AF25E4A1-F86B-11EF-A17D-4A174794FC88} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2756	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2732	IEXPLORE.EXE
2732	IEXPLORE.EXE
2732	IEXPLORE.EXE
2732	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2756	2496	JaffaCakes118_48ea48e3082156140da98eb1d2cc4211.exe	30
PID 2496 wrote to memory of 2756	2496	JaffaCakes118_48ea48e3082156140da98eb1d2cc4211.exe	30
PID 2496 wrote to memory of 2756	2496	JaffaCakes118_48ea48e3082156140da98eb1d2cc4211.exe	30
PID 2496 wrote to memory of 2756	2496	JaffaCakes118_48ea48e3082156140da98eb1d2cc4211.exe	30
PID 2496 wrote to memory of 2756	2496	JaffaCakes118_48ea48e3082156140da98eb1d2cc4211.exe	30
PID 2756 wrote to memory of 2732	2756	IEXPLORE.EXE	31
PID 2756 wrote to memory of 2732	2756	IEXPLORE.EXE	31
PID 2756 wrote to memory of 2732	2756	IEXPLORE.EXE	31
PID 2756 wrote to memory of 2732	2756	IEXPLORE.EXE	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48ea48e3082156140da98eb1d2cc4211.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48ea48e3082156140da98eb1d2cc4211.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2496
- C:\program files\internet explorer\IEXPLORE.EXE
  "C:\program files\internet explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bfc37174d795cc4314790fa4b399df68

SHA1
d5a4227aac07c01db6b8b02cf4cd96dceebff946

SHA256
67960edb2773a79ffd51e90ae00b6d0543052bedf7622230b85ef16ccca2b834

SHA512
0e7c3217528d3da10e2b680baa0019516f9d68f4b257ab0a971d0fa8c6a546a073c3da44cc8f0c8a5515ed5fbf07399be97307d1dca9d80ce6e2e575e25ca596

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
898ba60e1be808728c903c99377cc313

SHA1
f76b305e6f7bc41f01f36ad106766e06c74e4cc5

SHA256
a44833ecb3242517fe6126aec5b57e354ee350dfa2ec99eae6a2d843b08bce63

SHA512
a7dc642e7389fe15b41c8edf198e0eb301ab630baca6572e5f05fae1f134cede94fc71b0ec5575b76e0ac4d5bad4776e3808ca3802164fe68237a42af7ad9919

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
80377c7a8d1ba8860445cd22e52eaceb

SHA1
49bb55be1cf6c5217858fa415adebcd191e8b88b

SHA256
40f919cd8daf800cb055c2f8ffbac1a99f6170b63586065f8301f88e9ee9cb3d

SHA512
f5cd0461bf556e929bfb0051a7875944f1f2bd4b6e925173d947c6e684867a8b3b29fb01eaae4c40310618c98f7f795960febd4e2dc9526ca95879091ae9e2c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a80ddd6dce480737c48b830b2d1a39c7

SHA1
6539986183c71275d42a618829438de4b330042b

SHA256
7657e73ffecbf6af83b5ed637dd182aa3c370e89eed78653843960e5a9ba7fac

SHA512
12fc4a8da8c9a5abcff06104a580de123ce530be23c4693c4a4e616a5b13687a4aad4c0cf7a8178c99f3015fd64c4a57e7ca5a11bbf39b8c093511671b2a6596

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
01a8e66b7331835a5b841911c52d676f

SHA1
8130af7d13d8e240c90e20a05cd921fa0d9ed9a9

SHA256
36c9088249df40dd8ccce3c5dd6d0a485af9e4a840dbcfcd9da6e1da86e88811

SHA512
5e488761455ae24fbc3b2f11402dd925ca9a0e07641a8ec5d21900cab189f046ffdd1d3c371b9a9ccd8d53747640e0ddd0d20e4e2e2c37d5e038276f65a1fd0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
61c04797ad1a57597b99f6a8a98de182

SHA1
23dfde782b9b662546a6cba25e3505b08e551cad

SHA256
7441a0817e9d2403d83fd5156e2f3ca624b719e209a5e5b0d43db9cc62d327e4

SHA512
2aef2afa80e9df1638065e61b0b0d0974d44829f63349991927fba53ea1c8502618b0f5618a16fff67413d1b2cd08986add905dd630ed296e92ba5eafc993f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
95a014d07cffaa4c686b7969b125a2c1

SHA1
848bad450da99fc1b0cc3ae3b52e296e1e236566

SHA256
630ba1e4f12dcb3a5e923d60eba3649e873c1cf7deae643d2bc45322c06f49db

SHA512
f7a4e149d5367973bc5d0cc6a790d248b21f8db1cc0c02602a4cde1a5404680ef2c0ac549aa6f6a6ac7817164cb304e58b51879b1703df41ccd0f26f71a21bb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b7e3c998758f89ded86adbbe5d5cc128

SHA1
91be1adddffda797b1ae70732f1510641f4f46dd

SHA256
2aa6965b17501cb8d9dd7f2e5ac99d5db9865b3c90dd7769eeba23b4622d9f99

SHA512
f8fe4bb2611580d8a5d058542510a68312038b07fa5c56b26b7ac0dbacb5ec8bdb3e0e04b64614c3285ccb30d6a389094e84a6267053a90b0f86e81eb6f7daa7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
88fb25489cfd841e4893a4a43c9b310f

SHA1
491e4ab2f860eb57dd80044d026b48c19ab0ba3a

SHA256
221b9b34b59920b9f8399c48174c8eea9e7edf6a4d5b903ff104425a151bdae1

SHA512
acff490f35da2c06fb866f2d817cac72835a8a1848a4e8b69c834689ae03de1ef51e96f4f0ea9474b91ad45f373321a94da0b25b44caa0b3f819c3d40b7d22ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
70a94c352470d94e3156e56611842405

SHA1
e90f2f8ba64275b9584c6c684d76c44c619f4449

SHA256
fd54d8a7fcd7ee5218ec1d164b472e9f854637d0cc1b8a3199ce1f901edab88b

SHA512
1deb9ad0c31e1a221f1669c88a88b59b201c96c3cfe4b3e1a92870855479a1924cb1e4abf3c6d4d44763beee57f77455262da3ed1627daa08af3df5ad8932e8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eda3563667043037a3c078c2d2e6fc4e

SHA1
0a397310da84fb16ac27dd7c6df362667b345a2b

SHA256
7707b5be8fb545a9b08ee7d9e3fb4422846ebaa76b26c1b67c5e0d828ad4fa3d

SHA512
d761021ea60ee9de661fd738c3e7b9f869bed8de2afbd4f68556414361ac0ff376d7953f784b61e81092ddb71a5b0d89ae5f5012ce28c08eac1959d2812713ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1cdb421933e057862871f9d363dfb40f

SHA1
ed2ae3530f0f341f2592d11054d4f77a931a91d7

SHA256
0efcb385a18a72ddf27ce0b3bc737745b4fba8762884c04c44e812c1ebeb94fa

SHA512
6b131dea6a316c9dddd466fe12b3c338e052fb4af65aafb1afbdd526e168d3b212ec2ad338c676f97f6f06435bb744162e4c246a5221283f1fc0ad9d8b5ca0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2DD6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2E8A.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
memory/2496-0-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2496-1-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2496-358-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2756-3-0x0000000000290000-0x00000000003D2000-memory.dmp

Filesize
1.3MB

Download