modiloader | 5a65e6273b9245dca62c3b5ccb748fb53898827074f3f2609ba9b39ea3e1cedb

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe
Size

44KB
MD5

19e08011fb339f18cbb5d2c2c85db3a6
SHA1

c7f2ff109124c4fcd12c1578da3ec07d0061644f
SHA256

5a65e6273b9245dca62c3b5ccb748fb53898827074f3f2609ba9b39ea3e1cedb
SHA512

e67eae6681499334394f9a68baea629c8c8510f23dd129dffa644ea702f797aae23890af42a3b43390860f9f61c41968fdaf768fb5b01fc99b8b0d4a9eb1d0d1
SSDEEP

768:TzB4YaZ6uCKMrsRP1kQOvi7Q7uWPFz0EJ0PtuOi68FD7X9M9s8ecZuff/Ym6/IB4:TCYaZ9hRP8vi74FgEJ017i9FnONAfYmE

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
ModiLoader Second Stage 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/2092-14-0x0000000000400000-0x000000000042B000-memory.dmp modiloader_stage2
Drops file in Drivers directory 1 IoCs

Processes:

19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts 19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2668 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\SOFTWARE\Microsoft\Internet Explorer\Main reg.exe
Modifies Internet Explorer start page 1 TTPs 1 IoCs
stealer

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\start page = "www.hao123.cn" reg.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe

description pid process

Token: SeSystemtimePrivilege 2092 19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe
Token: SeSystemtimePrivilege 2092 19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe

resource	yara_rule
behavioral1/memory/2092-14-0x0000000000400000-0x000000000042B000-memory.dmp	modiloader_stage2

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe

pid	process
2668	cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\SOFTWARE\Microsoft\Internet Explorer\Main	reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\start page = "www.hao123.cn"	reg.exe

description	pid	process
Token: SeSystemtimePrivilege	2092	19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2092	19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 2092 wrote to memory of 2164	2092	19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe	cmd.exe
PID 2092 wrote to memory of 2164	2092	19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe	cmd.exe
PID 2092 wrote to memory of 2164	2092	19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe	cmd.exe
PID 2092 wrote to memory of 2164	2092	19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe	cmd.exe
PID 2164 wrote to memory of 2612	2164	cmd.exe	reg.exe
PID 2164 wrote to memory of 2612	2164	cmd.exe	reg.exe
PID 2164 wrote to memory of 2612	2164	cmd.exe	reg.exe
PID 2164 wrote to memory of 2612	2164	cmd.exe	reg.exe
PID 2092 wrote to memory of 2668	2092	19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe	cmd.exe
PID 2092 wrote to memory of 2668	2092	19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe	cmd.exe
PID 2092 wrote to memory of 2668	2092	19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe	cmd.exe
PID 2092 wrote to memory of 2668	2092	19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19e08011fb339f18cbb5d2c2c85db3a6_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main" /v "start page" /t REG_SZ /d www.hao123.cn /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main" /v "start page" /t REG_SZ /d www.hao123.cn /f
3⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
PID:2612

C:\Windows\SysWOW64\cmd.exe
cmd /c t4nk.bat
2⤵
- Deletes itself
PID:2668

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\t4nk.bat
Filesize
225B

MD5
eb92d19e767e89b8cb2d0b7b834c4bcb

SHA1
5268f1debd4cb0390d0b6f476cf1da774cfe78f4

SHA256
0a5c60ee6c25d835380c2efa49d268ca07184b2de7251b62c79adb84632e8a05

SHA512
c5883c131653a3180749de5de8f4210ed1076d5016f5656e3293ef58b67f5b4e1e2e9e45a2fbc517626b7ee2dd64d298d1a0fc5034b07e34e0c5e267f6106fdd

Download Submit
memory/2092-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download