modiloader | cf5327bbbacb93cffeaec747568bd760398ba862f947699b74259a795911e8a9

Analysis

max time kernel
51s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16fbe86af8e3534f5aabf2b320c649fb_JaffaCakes118.exe
Size

707KB
MD5

16fbe86af8e3534f5aabf2b320c649fb
SHA1

3ff3409e7e6922b4320132508f113a74a0cb6a59
SHA256

cf5327bbbacb93cffeaec747568bd760398ba862f947699b74259a795911e8a9
SHA512

d3853f07c8d8ffc8fe6a521d13f388a0b2aecf60c1cd2fa9eb1095ad603a54b8115d63e37da68bf278bd3ab209676922737e9b14627c9275a29e3f428f0cce8a
SSDEEP

12288:uchBW9KdYaaiP6/qX5LzmOPmUWlOwqlkA8MJ88S2Pklys1c2obY7cPN5sxuUFJG:uKBqKpPcq1CwmfXqlkFMJ88xcnocIPn1

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
ModiLoader Second Stage 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/2608-78-0x0000000000400000-0x00000000004C8200-memory.dmp modiloader_stage2
Executes dropped EXE 1 IoCs

Processes:

4.exe

pid process

2608 4.exe

resource	yara_rule
behavioral2/memory/2608-78-0x0000000000400000-0x00000000004C8200-memory.dmp	modiloader_stage2

pid	process
2608	4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

16fbe86af8e3534f5aabf2b320c649fb_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	16fbe86af8e3534f5aabf2b320c649fb_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Windows\SysWOW64\FieleWay.txt 4.exe

description	ioc	process
File created	C:\Windows\SysWOW64\FieleWay.txt	4.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

16fbe86af8e3534f5aabf2b320c649fb_JaffaCakes118.exe4.exe

description	pid	process	target process
PID 1052 wrote to memory of 2608	1052	16fbe86af8e3534f5aabf2b320c649fb_JaffaCakes118.exe	4.exe
PID 1052 wrote to memory of 2608	1052	16fbe86af8e3534f5aabf2b320c649fb_JaffaCakes118.exe	4.exe
PID 1052 wrote to memory of 2608	1052	16fbe86af8e3534f5aabf2b320c649fb_JaffaCakes118.exe	4.exe
PID 2608 wrote to memory of 1036	2608	4.exe	IEXPLORE.EXE
PID 2608 wrote to memory of 1036	2608	4.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\16fbe86af8e3534f5aabf2b320c649fb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\16fbe86af8e3534f5aabf2b320c649fb_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1052

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2608

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
3⤵
PID:1036

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
Filesize
723KB

MD5
eb8c254308d7f05ebff68ec6334033f5

SHA1
082e0a0e2d3578b8d17e2246869a57fdbf75ea40

SHA256
60f3c0990111f6bf4cecc4aba9c94512cf1a2ac96928405697656efc865e2713

SHA512
b377b5d2d6eb642b94b5f6756940f6288e34ad21cda7c61475f38307eb16544b3857211ad636899286eb0952a8d41b12db65d05ac5ad7c8721455a1591d2ed63

Download Submit
memory/1052-0-0x0000000001000000-0x0000000001126000-memory.dmp

Filesize
1.1MB

Download
memory/1052-1-0x0000000000550000-0x00000000005A0000-memory.dmp

Filesize
320KB

Download
memory/1052-9-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1052-70-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-82-0x0000000000550000-0x00000000005A0000-memory.dmp

Filesize
320KB

Download
memory/1052-81-0x0000000001000000-0x0000000001126000-memory.dmp

Filesize
1.1MB

Download
memory/1052-79-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-69-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-68-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-67-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-66-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-65-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-64-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-63-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-62-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-61-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-60-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-59-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-58-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-57-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-56-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-55-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-54-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-53-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-52-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-51-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-50-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-49-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-48-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-47-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-46-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-45-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-44-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-43-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-42-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-41-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-40-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-39-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-38-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-37-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-36-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-35-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-34-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-33-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-32-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1052-31-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1052-30-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1052-29-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1052-28-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1052-27-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1052-26-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1052-25-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1052-24-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1052-23-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1052-22-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1052-21-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1052-20-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1052-19-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1052-18-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1052-17-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1052-16-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1052-15-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1052-14-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1052-13-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1052-12-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1052-11-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1052-10-0x00000000029C0000-0x0000000002AC0000-memory.dmp

Filesize
1024KB

Download
memory/1052-8-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/1052-7-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/1052-6-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1052-5-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1052-4-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1052-3-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1052-2-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/2608-78-0x0000000000400000-0x00000000004C8200-memory.dmp

Filesize
800KB

Download