modiloader | f97bddd1380e0fe2de7d2b6911ef65eff958027903a6cf66946357e390c6aa0d

Analysis

max time kernel
2s
max time network
3s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/03/2025, 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9688e52c652159a2de886e26f51cf2a4.exe
Size

373KB
MD5

9688e52c652159a2de886e26f51cf2a4
SHA1

47be034de1fa0d2ae4fe257d7dcf6e051d3adc9d
SHA256

f97bddd1380e0fe2de7d2b6911ef65eff958027903a6cf66946357e390c6aa0d
SHA512

041c38e939433649f162556236a1d934584fdd4917f6276f81bb8775f30a419f24a65745e4c46e16eb34bfa3325740221099df9875814d3e51d3b252247806fa
SSDEEP

3072:f1+MJKrUnFYY5z1i0Nmbi5fJBN2u+SXipe4fIout02kB7URGQQLFlWBMt:FIrPj0NmWtN2iXisKIoS0PgRzQZF

Score

10^/10

modiloader defense_evasion discovery trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/316-15-0x0000000000400000-0x00000000004D3000-memory.dmp	modiloader_stage2
behavioral1/memory/2196-14-0x0000000000400000-0x00000000004D3000-memory.dmp	modiloader_stage2

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_9688e52c652159a2de886e26f51cf2a4.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2196-0-0x0000000000400000-0x00000000004D3000-memory.dmp	upx
behavioral1/files/0x00060000000055cf-8.dat	upx
behavioral1/memory/316-15-0x0000000000400000-0x00000000004D3000-memory.dmp	upx
behavioral1/memory/2196-14-0x0000000000400000-0x00000000004D3000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9688e52c652159a2de886e26f51cf2a4.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	JaffaCakes118_9688e52c652159a2de886e26f51cf2a4.exe
Token: SeBackupPrivilege	372	vssvc.exe
Token: SeRestorePrivilege	372	vssvc.exe
Token: SeAuditPrivilege	372	vssvc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9688e52c652159a2de886e26f51cf2a4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9688e52c652159a2de886e26f51cf2a4.exe"
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2196
- C:\Windows\mstwain32.exe
  "C:\Windows\mstwain32.exe"
  2⤵
  PID:316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mstwain32.exe

Filesize
373KB

MD5
9688e52c652159a2de886e26f51cf2a4

SHA1
47be034de1fa0d2ae4fe257d7dcf6e051d3adc9d

SHA256
f97bddd1380e0fe2de7d2b6911ef65eff958027903a6cf66946357e390c6aa0d

SHA512
041c38e939433649f162556236a1d934584fdd4917f6276f81bb8775f30a419f24a65745e4c46e16eb34bfa3325740221099df9875814d3e51d3b252247806fa

Download Submit
memory/316-15-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2196-0-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2196-1-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2196-2-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

Filesize
4KB

Download
memory/2196-7-0x0000000003E90000-0x0000000003EA0000-memory.dmp

Filesize
64KB

Download
memory/2196-14-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download