modiloader | 89918f59012bfe8868fb7c72ba38c82c714123c605590eba3ce4563e86e131b9

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe
Size

728KB
MD5

188733e806b624d1326cc1696b57cdf5
SHA1

5be9beef75c55c533717acec241812ffeb845d94
SHA256

89918f59012bfe8868fb7c72ba38c82c714123c605590eba3ce4563e86e131b9
SHA512

01af6622cb4b6296ad8efdade7686c14eeeefdf64e593a50784abdc1cbc36fa52578ad973a8ede339ce8f3fc0cd02a3344552efe47d536ed9e4801db3fac60ce
SSDEEP

12288:RRKnmnC853ZRRJVBMU0lmMq41V2kI8v+lmMq4hU71:RRU6C853fR1MU0lmMq410MWlmMq4hU7

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
ModiLoader Second Stage 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/1724-15-0x0000000000400000-0x00000000004BD000-memory.dmp modiloader_stage2
Executes dropped EXE 2 IoCs

Processes:

server.exeGlasTivaZ_V4zzzz.exe

pid process

2236 server.exe
2288 GlasTivaZ_V4zzzz.exe
Loads dropped DLL 4 IoCs

Processes:

188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exeGlasTivaZ_V4zzzz.exe

pid process

1724 188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe
1724 188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe
1724 188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe
2288 GlasTivaZ_V4zzzz.exe

resource	yara_rule
behavioral1/memory/1724-15-0x0000000000400000-0x00000000004BD000-memory.dmp	modiloader_stage2

pid	process
1724	188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe
1724	188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe
1724	188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe
2288	GlasTivaZ_V4zzzz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe"	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20e8f17706c9da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000cf47288f28783348e1a63dfc8afc4783d41d2e0e5808755974213636b3e7b3e4000000000e8000000002000020000000287a035b73e6844e79892d1720417bdb6ce6748c86084b4e54e572723643a8ed90000000dd6e70dd3742785ab27e2c05e8757f1c60c1bcfa610904b5e8a97604fbc7f5ecf2220e90811a6cac676b39f72d26de5da4f9eb7d4c8e21300ba187764e55ffc1f0ca729781a0d1db2d76f3f43b13e9e4706fabf6f69a67fcc1738be7fad2359ca51ad0158773e3771cf18de94b2cf33e70cbd1a6c5001e18c1b8465f951d2834b0934f83af97495796e6be7a029d6faa40000000a400ed26862ece93c4f93a93467eb95bd9a38f10075afdaf21edd8edbe1cec8308eca85aba48c2031d525bda6dd107294bd4dc035c5fb47aad9bea276fde72e5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9510D4C1-34F9-11EF-906B-FA9381F5F0AB} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000c541f355472d26e6038928fd27102a2a29be6ff9f15a9dba0afec981d12d2c33000000000e8000000002000020000000e0e4632f72cb6e5b72c687ab1922db2d8a831805bcc093768b22a5c58a62210a20000000c422aabe667263ab3809f5c5b7c9ee1424d44d2b1de152ae7784b9e1ff1d874f40000000881d7b0e712bc60ce5cba8e33968ceea66c8c10a932deb58f7c16adbf2f507a07de8f77679b167b778ad5d5180fb6c7e4fe725c817fc73443a666aad8342aa79	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425705092"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

server.exe

pid	process
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe
2236	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

2236 server.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

server.exe

description pid process

Token: SeDebugPrivilege 2236 server.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2648 iexplore.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

GlasTivaZ_V4zzzz.exeserver.exeiexplore.exeIEXPLORE.EXE

pid process

2288 GlasTivaZ_V4zzzz.exe
2288 GlasTivaZ_V4zzzz.exe
2236 server.exe
2648 iexplore.exe
2648 iexplore.exe
2532 IEXPLORE.EXE
2532 IEXPLORE.EXE
2532 IEXPLORE.EXE
2532 IEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	2236	server.exe

pid	process
2648	iexplore.exe

pid	process
2288	GlasTivaZ_V4zzzz.exe
2288	GlasTivaZ_V4zzzz.exe
2236	server.exe
2648	iexplore.exe
2648	iexplore.exe
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exeGlasTivaZ_V4zzzz.exeiexplore.exe

description	pid	process	target process
PID 1724 wrote to memory of 2236	1724	188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe	server.exe
PID 1724 wrote to memory of 2236	1724	188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe	server.exe
PID 1724 wrote to memory of 2236	1724	188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe	server.exe
PID 1724 wrote to memory of 2236	1724	188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe	server.exe
PID 1724 wrote to memory of 2288	1724	188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe	GlasTivaZ_V4zzzz.exe
PID 1724 wrote to memory of 2288	1724	188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe	GlasTivaZ_V4zzzz.exe
PID 1724 wrote to memory of 2288	1724	188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe	GlasTivaZ_V4zzzz.exe
PID 1724 wrote to memory of 2288	1724	188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe	GlasTivaZ_V4zzzz.exe
PID 2288 wrote to memory of 2648	2288	GlasTivaZ_V4zzzz.exe	iexplore.exe
PID 2288 wrote to memory of 2648	2288	GlasTivaZ_V4zzzz.exe	iexplore.exe
PID 2288 wrote to memory of 2648	2288	GlasTivaZ_V4zzzz.exe	iexplore.exe
PID 2288 wrote to memory of 2648	2288	GlasTivaZ_V4zzzz.exe	iexplore.exe
PID 2648 wrote to memory of 2532	2648	iexplore.exe	IEXPLORE.EXE
PID 2648 wrote to memory of 2532	2648	iexplore.exe	IEXPLORE.EXE
PID 2648 wrote to memory of 2532	2648	iexplore.exe	IEXPLORE.EXE
PID 2648 wrote to memory of 2532	2648	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2236

C:\Users\Admin\AppData\Local\Temp\GlasTivaZ_V4zzzz.exe
"C:\Users\Admin\AppData\Local\Temp\GlasTivaZ_V4zzzz.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2288

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://cvg-bhlsk.blogspot.com/
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2648

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2648 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2532

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\GlasTivaZ_V4zzzz.exe
Filesize
564KB

MD5
beb514f205d5e3518d60ea6026010fdc

SHA1
605e5b9689b2eb7ed080999071ea12e7aca3d410

SHA256
64ccda1260bdd01763d2f2db929ce275e18ac5fd415226aa54a594b74c836694

SHA512
c019f3845d5e5cf6338d2a008dcbc290fb25a36f2b02df9999b5b890c695540aa5245a0752ae3fbf82c7a793373bf2850bc7c51a933afb48d60a34a8b3d95cbe

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
154KB

MD5
7d69b308a6e7bcf054e65333f28e3f6b

SHA1
335e77a91206201bb463883e8a8614eafdd49157

SHA256
655bcc23e3240b3b1d61eac6ec5c381b060e565103d310e449dc1be0fad37f0b

SHA512
e6212cdf3239f25f3e18d410f095f315413bb106ac2165b38536a127faa80e22dbc3672792880a7971bf8173a9caa6f018dc23571616d2a5990a1c108f2b85e9

Download Submit
memory/1724-15-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2236-7-0x000007FEF612E000-0x000007FEF612F000-memory.dmp

Filesize
4KB

Download
memory/2236-19-0x000007FEF5E70000-0x000007FEF680D000-memory.dmp

Filesize
9.6MB

Download
memory/2236-21-0x000007FEF5E70000-0x000007FEF680D000-memory.dmp

Filesize
9.6MB

Download
memory/2236-24-0x000007FEF612E000-0x000007FEF612F000-memory.dmp

Filesize
4KB

Download
memory/2236-25-0x000007FEF5E70000-0x000007FEF680D000-memory.dmp

Filesize
9.6MB

Download