Analysis
- max time kernel: 122s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 29/03/2025, 20:06
Behavioral task: behavioral1
- Sample: JaffaCakes118_9707baa95b63eb59ebc04ee31d440cba.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: JaffaCakes118_9707baa95b63eb59ebc04ee31d440cba.exe
- Resource: win10v2004-20250314-en
General
- Target: JaffaCakes118_9707baa95b63eb59ebc04ee31d440cba.exe
- Size: 685KB
- MD5: 9707baa95b63eb59ebc04ee31d440cba
- SHA1: 497ebbf02c3a7e92a7da538a064a2e652e0a2d4b
- SHA256: 3dbf1b6087ddfb765a6a798aad70929304835188355178b4a207f9e574d02515
- SHA512: 93640607bbe26402bf47f4b39eb5a07206e300228c210eaf73b621b52caaee6df20d39cce7cbcc92d696047e3783b1a97e1192ef1e8a1edb0401a49b50870f6c
- SSDEEP: 12288:gVKOrsDpsGzfTO+qsDpahahFERXMKYHI0ckB8DgJRLstRGSs5zQtQ5:gY4qa+mM7b8MNIHkxjK6r5
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
ModiLoader Second Stage 6 IoCs
resource | yara_rule
behavioral1/memory/2412-1-0x0000000000400000-0x000000000041F000-memory.dmp | modiloader_stage2
behavioral1/memory/2412-21-0x0000000000400000-0x000000000041F000-memory.dmp | modiloader_stage2
behavioral1/memory/2932-22-0x0000000000400000-0x000000000041F000-memory.dmp | modiloader_stage2
behavioral1/memory/2932-38-0x0000000000400000-0x000000000041F000-memory.dmp | modiloader_stage2
behavioral1/memory/2664-39-0x0000000000400000-0x000000000041F000-memory.dmp | modiloader_stage2
behavioral1/memory/2664-44-0x0000000000400000-0x000000000041F000-memory.dmp | modiloader_stage2
Executes dropped EXE 2 IoCs
pid | Process
2932 | winupdate.exe
2664 | winupdate.exe
Loads dropped DLL 8 IoCs
pid | Process
2412 | JaffaCakes118_9707baa95b63eb59ebc04ee31d440cba.exe
2932 | winupdate.exe
2932 | winupdate.exe
2932 | winupdate.exe
2932 | winupdate.exe
2664 | winupdate.exe
2664 | winupdate.exe
2664 | winupdate.exe
Drops file in System32 directory 3 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Security\1.mzp | JaffaCakes118_9707baa95b63eb59ebc04ee31d440cba.exe
File opened for modification | C:\Windows\SysWOW64\Security\1.mzp | JaffaCakes118_9707baa95b63eb59ebc04ee31d440cba.exe
File created | C:\Windows\SysWOW64\Security\winupdate.exe | JaffaCakes118_9707baa95b63eb59ebc04ee31d440cba.exe

resource | yara_rule
behavioral1/memory/2412-0-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/memory/2412-1-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/files/0x00060000000186fd-12.dat | upx
behavioral1/memory/2932-16-0x0000000000020000-0x000000000003F000-memory.dmp | upx
behavioral1/memory/2412-21-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/memory/2932-22-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/memory/2664-31-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/memory/2932-38-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/memory/2664-39-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/memory/2664-44-0x0000000000400000-0x000000000041F000-memory.dmp | upx
Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\1.mzp | JaffaCakes118_9707baa95b63eb59ebc04ee31d440cba.exe
File opened for modification | C:\Windows\1.mzp | JaffaCakes118_9707baa95b63eb59ebc04ee31d440cba.exe
File created | C:\Windows\1.mzp | winupdate.exe
File opened for modification | C:\Windows\1.mzp | winupdate.exe
File opened for modification | C:\Windows\1.mzp | winupdate.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_9707baa95b63eb59ebc04ee31d440cba.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe
Suspicious use of AdjustPrivilegeToken 60 IoCs
description (Token) | pid | Process

pid 2412, Process JaffaCakes118_9707baa95b63eb59ebc04ee31d440cba.exe
- Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35

pid 2932, Process winupdate.exe
- Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35

pid 2664, Process winupdate.exe
- Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Suspicious use of WriteProcessMemory 14 IoCs
description | pid | Process | procid_target
PID 2412 wrote to memory of 2932 | 2412 | JaffaCakes118_9707baa95b63eb59ebc04ee31d440cba.exe | 31
PID 2412 wrote to memory of 2932 | 2412 | JaffaCakes118_9707baa95b63eb59ebc04ee31d440cba.exe | 31
PID 2412 wrote to memory of 2932 | 2412 | JaffaCakes118_9707baa95b63eb59ebc04ee31d440cba.exe | 31
PID 2412 wrote to memory of 2932 | 2412 | JaffaCakes118_9707baa95b63eb59ebc04ee31d440cba.exe | 31
PID 2412 wrote to memory of 2932 | 2412 | JaffaCakes118_9707baa95b63eb59ebc04ee31d440cba.exe | 31
PID 2412 wrote to memory of 2932 | 2412 | JaffaCakes118_9707baa95b63eb59ebc04ee31d440cba.exe | 31
PID 2412 wrote to memory of 2932 | 2412 | JaffaCakes118_9707baa95b63eb59ebc04ee31d440cba.exe | 31
PID 2932 wrote to memory of 2664 | 2932 | winupdate.exe | 32
PID 2932 wrote to memory of 2664 | 2932 | winupdate.exe | 32
PID 2932 wrote to memory of 2664 | 2932 | winupdate.exe | 32
PID 2932 wrote to memory of 2664 | 2932 | winupdate.exe | 32
PID 2932 wrote to memory of 2664 | 2932 | winupdate.exe | 32
PID 2932 wrote to memory of 2664 | 2932 | winupdate.exe | 32
PID 2932 wrote to memory of 2664 | 2932 | winupdate.exe | 32
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9707baa95b63eb59ebc04ee31d440cba.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9707baa95b63eb59ebc04ee31d440cba.exe"
  PID: 2412
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Security\winupdate.exe
    Command line: C:\Windows\system32\Security\winupdate.exe
    PID: 2932
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Security\winupdate.exe
      Command line: C:\Windows\system32\Security\winupdate.exe
      PID: 2664
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 643KB
  MD5: eb51d3e90a9168579f90c8fa2e4d6c0b
  SHA1: 94aab8419b08c80ed5987e29cd5518540345a51d
  SHA256: d0773ec6d9365733069010d133360f5c3b89cef93524c5009ff0fcd02f7bc6f4
  SHA512: 0ad17fab589f07c230a47ae05571016fc83f92ecb759b43bc6fd2e559b46d6e0fb146f436d1ec091de19d9bc495ace3bc1ebcfa04690054bdf10a80f6d70ae82
- Filesize: 685KB
  MD5: 9707baa95b63eb59ebc04ee31d440cba
  SHA1: 497ebbf02c3a7e92a7da538a064a2e652e0a2d4b
  SHA256: 3dbf1b6087ddfb765a6a798aad70929304835188355178b4a207f9e574d02515
  SHA512: 93640607bbe26402bf47f4b39eb5a07206e300228c210eaf73b621b52caaee6df20d39cce7cbcc92d696047e3783b1a97e1192ef1e8a1edb0401a49b50870f6c