modiloader | a1b70467f4d7e2117e23f241e7ab1ce1f6242ecad34a633b4f06a3aafacf150b

Analysis

max time kernel
119s
max time network
126s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

185e0165efd08ed6272f1d39a599e76c_JaffaCakes118.exe
Size

670KB
MD5

185e0165efd08ed6272f1d39a599e76c
SHA1

b285e37ca121f76e1f1bb00f5e291571ab8c755e
SHA256

a1b70467f4d7e2117e23f241e7ab1ce1f6242ecad34a633b4f06a3aafacf150b
SHA512

186f54863a57b78c794304442f5eb0be7c7feabeb8b0c75aa1eef37d39083081cec21909cfa1529e68e0b217094b7257d732050bd9e2c10ace564c82890048f1
SSDEEP

12288:QZ7L5N6PVZZ8Xf58jfkE4CVF3Z4mxxAhsV4AOwf7DGj7XC2:0GtZ88jfzVQmX6Ytfujp

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1884-22-0x0000000000400000-0x0000000000512000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-24-0x0000000000400000-0x0000000000512000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

1.exe

pid process

1884 1.exe
Loads dropped DLL 3 IoCs

Processes:

185e0165efd08ed6272f1d39a599e76c_JaffaCakes118.exe1.exe

pid process

3000 185e0165efd08ed6272f1d39a599e76c_JaffaCakes118.exe
3000 185e0165efd08ed6272f1d39a599e76c_JaffaCakes118.exe
1884 1.exe

pid	process
1884	1.exe

pid	process
3000	185e0165efd08ed6272f1d39a599e76c_JaffaCakes118.exe
3000	185e0165efd08ed6272f1d39a599e76c_JaffaCakes118.exe
1884	1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

185e0165efd08ed6272f1d39a599e76c_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	185e0165efd08ed6272f1d39a599e76c_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

Processes:

1.exe

description ioc process

File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt 1.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt	1.exe

pid	process
468

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

185e0165efd08ed6272f1d39a599e76c_JaffaCakes118.exe1.exe

description	pid	process	target process
PID 3000 wrote to memory of 1884	3000	185e0165efd08ed6272f1d39a599e76c_JaffaCakes118.exe	1.exe
PID 3000 wrote to memory of 1884	3000	185e0165efd08ed6272f1d39a599e76c_JaffaCakes118.exe	1.exe
PID 3000 wrote to memory of 1884	3000	185e0165efd08ed6272f1d39a599e76c_JaffaCakes118.exe	1.exe
PID 3000 wrote to memory of 1884	3000	185e0165efd08ed6272f1d39a599e76c_JaffaCakes118.exe	1.exe
PID 3000 wrote to memory of 1884	3000	185e0165efd08ed6272f1d39a599e76c_JaffaCakes118.exe	1.exe
PID 3000 wrote to memory of 1884	3000	185e0165efd08ed6272f1d39a599e76c_JaffaCakes118.exe	1.exe
PID 3000 wrote to memory of 1884	3000	185e0165efd08ed6272f1d39a599e76c_JaffaCakes118.exe	1.exe
PID 1884 wrote to memory of 2652	1884	1.exe	IEXPLORE.EXE
PID 1884 wrote to memory of 2652	1884	1.exe	IEXPLORE.EXE
PID 1884 wrote to memory of 2652	1884	1.exe	IEXPLORE.EXE
PID 1884 wrote to memory of 2652	1884	1.exe	IEXPLORE.EXE
PID 1884 wrote to memory of 2652	1884	1.exe	IEXPLORE.EXE
PID 1884 wrote to memory of 2652	1884	1.exe	IEXPLORE.EXE
PID 1884 wrote to memory of 2652	1884	1.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\185e0165efd08ed6272f1d39a599e76c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\185e0165efd08ed6272f1d39a599e76c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3000

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1884

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
3⤵
PID:2652

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
Filesize
310KB

MD5
53ad6caca8360cace4fd9ac45711ccb5

SHA1
eb00e5ebdde8ac2cf2e98f66849ad6547253749a

SHA256
91e5300da61ece7ef20955ded83ca4660c61f5cff59fb1666f3e9faee24a6756

SHA512
a65840841f4f43f7ff0b7e0d6b4b3cd7befb527fe7be1b14665bdbae5bba9f3721d4246562065ec248ba8af4a8c0d86d97806b5145a46e1ac9e2cba6eb20c1eb

Download Submit
memory/1884-17-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1884-24-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1884-22-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1884-16-0x00000000004C3000-0x00000000004C4000-memory.dmp

Filesize
4KB

Download
memory/3000-3-0x0000000001000000-0x00000000010B2000-memory.dmp

Filesize
712KB

Download
memory/3000-8-0x0000000003660000-0x0000000003772000-memory.dmp

Filesize
1.1MB

Download
memory/3000-0-0x0000000001000000-0x00000000010B2000-memory.dmp

Filesize
712KB

Download
memory/3000-18-0x0000000001000000-0x00000000010B2000-memory.dmp

Filesize
712KB

Download
memory/3000-21-0x0000000000730000-0x00000000007E2000-memory.dmp

Filesize
712KB

Download
memory/3000-2-0x0000000001000000-0x00000000010B2000-memory.dmp

Filesize
712KB

Download
memory/3000-1-0x000000000105E000-0x000000000105F000-memory.dmp

Filesize
4KB

Download
memory/3000-26-0x0000000001000000-0x00000000010B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads