modiloader | 31cb74b13fd8a47a6695519ef0eb72d58e44cbc20e79f36fdbb76a64932dbfa7

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/03/2025, 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
Size

30KB
MD5

96edd38829fe0b9921bbfa91cd5e2811
SHA1

93d1a44d125b55c8ffe1e0d717821a6c2cbf7cf6
SHA256

31cb74b13fd8a47a6695519ef0eb72d58e44cbc20e79f36fdbb76a64932dbfa7
SHA512

a8769e9f7d0ec8ec835e736dbcf2b756b9336e734afbeed7cfc506c9464fbe93a1776a08fa2c0efa50074337c3b7bf9839779bab76bf3f6dc7db41db086074a2
SSDEEP

768:KhGC2uTOMxIEhhG2mE12HXyCNRewmcsuuM:Kh32bMlkE12CCjewmQl

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/2316-2-0x0000000000400000-0x0000000000421000-memory.dmp	modiloader_stage2
behavioral1/memory/2316-4-0x0000000000400000-0x0000000000421000-memory.dmp	modiloader_stage2

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msmsgs = "C:\\Program Files\\Internet Explorer\\explorer.exe"	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\explorer.exe	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
File opened for modification	C:\Program Files\Internet Explorer\explorer.exe	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
2316	JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2868	explorer.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2868	explorer.exe
Token: SeShutdownPrivilege	2868	explorer.exe
Token: SeShutdownPrivilege	2868	explorer.exe
Token: SeShutdownPrivilege	2868	explorer.exe
Token: SeShutdownPrivilege	2868	explorer.exe
Token: SeShutdownPrivilege	2868	explorer.exe
Token: SeShutdownPrivilege	2868	explorer.exe
Token: SeShutdownPrivilege	2868	explorer.exe
Token: SeShutdownPrivilege	2868	explorer.exe
Token: SeShutdownPrivilege	2868	explorer.exe
Token: SeShutdownPrivilege	2868	explorer.exe
Token: SeShutdownPrivilege	2868	explorer.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96edd38829fe0b9921bbfa91cd5e2811.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2316

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2316-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2316-2-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2316-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2316-4-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2868-8-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download