modiloader | 660ba8f32c96a618aa9e8ee472a742564a0dd02d4dc1ce4131dfc36ab1a52c0c

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
Size

282KB
MD5

1a7f966efc28f7db47e99f4cad688a5e
SHA1

315556a44bf5937cb4c031c06e733cd0ea87b475
SHA256

660ba8f32c96a618aa9e8ee472a742564a0dd02d4dc1ce4131dfc36ab1a52c0c
SHA512

32af17f6157c2523160691f06299ccd6c670f03ffac01eac57c1f398eb04b8b7452889df9704a7089382a0bd6112c100f0d3dbe0c5f5cbe6e4e4c18f64afb048
SSDEEP

6144:h8X1kpAxaXKXKwg0Uop6e+EGGB7JolHqN3x6km0r:il0AxaX/if6BocHY3r

Score

10^/10

modiloader persistence privilege_escalation trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2908-13-0x0000000000400000-0x000000000054E4EC-memory.dmp	modiloader_stage2
behavioral1/memory/3060-23-0x0000000000400000-0x000000000054E4EC-memory.dmp	modiloader_stage2
behavioral1/memory/2908-19-0x00000000030D0000-0x000000000321F000-memory.dmp	modiloader_stage2
behavioral1/memory/3060-27-0x0000000000400000-0x000000000054E4EC-memory.dmp	modiloader_stage2
behavioral1/memory/2908-34-0x0000000000400000-0x000000000054E4EC-memory.dmp	modiloader_stage2
behavioral1/memory/3060-36-0x0000000000400000-0x000000000054E4EC-memory.dmp	modiloader_stage2
behavioral1/memory/2908-44-0x0000000000400000-0x000000000054E4EC-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2720 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

re101.exe

pid process

3060 re101.exe

pid	process
2720	cmd.exe

pid	process
3060	re101.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\T:	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened (read-only)	\??\Y:	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened (read-only)	\??\B:	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened (read-only)	\??\K:	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened (read-only)	\??\L:	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened (read-only)	\??\O:	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened (read-only)	\??\R:	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened (read-only)	\??\S:	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened (read-only)	\??\G:	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened (read-only)	\??\P:	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened (read-only)	\??\W:	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened (read-only)	\??\U:	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened (read-only)	\??\V:	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened (read-only)	\??\A:	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened (read-only)	\??\E:	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened (read-only)	\??\H:	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened (read-only)	\??\I:	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened (read-only)	\??\J:	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened (read-only)	\??\N:	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened (read-only)	\??\Z:	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened (read-only)	\??\M:	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened (read-only)	\??\Q:	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened (read-only)	\??\X:	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe

description	ioc	process
File created	C:\AutoRun.inf	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened for modification	C:\AutoRun.inf	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File created	F:\AutoRun.inf	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened for modification	F:\AutoRun.inf	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

Processes:

re101.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\_re101.exe re101.exe
File created C:\Windows\SysWOW64\_re101.exe re101.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

re101.exe

description pid process target process

PID 3060 set thread context of 2712 3060 re101.exe osk.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\_re101.exe	re101.exe
File created	C:\Windows\SysWOW64\_re101.exe	re101.exe

description	pid	process	target process
PID 3060 set thread context of 2712	3060	re101.exe	osk.exe

Drops file in Windows directory 3 IoCs

Processes:

1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\re101.exe	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File opened for modification	C:\Windows\re101.exe	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
File created	C:\Windows\DelSvel.bat	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2792 3060 WerFault.exe re101.exe

pid	pid_target	process	target process
2792	3060	WerFault.exe	re101.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exere101.exe

description	pid	process	target process
PID 2908 wrote to memory of 3060	2908	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe	re101.exe
PID 2908 wrote to memory of 3060	2908	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe	re101.exe
PID 2908 wrote to memory of 3060	2908	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe	re101.exe
PID 2908 wrote to memory of 3060	2908	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe	re101.exe
PID 3060 wrote to memory of 2712	3060	re101.exe	osk.exe
PID 3060 wrote to memory of 2712	3060	re101.exe	osk.exe
PID 3060 wrote to memory of 2712	3060	re101.exe	osk.exe
PID 3060 wrote to memory of 2712	3060	re101.exe	osk.exe
PID 3060 wrote to memory of 2712	3060	re101.exe	osk.exe
PID 3060 wrote to memory of 2712	3060	re101.exe	osk.exe
PID 3060 wrote to memory of 2792	3060	re101.exe	WerFault.exe
PID 3060 wrote to memory of 2792	3060	re101.exe	WerFault.exe
PID 3060 wrote to memory of 2792	3060	re101.exe	WerFault.exe
PID 3060 wrote to memory of 2792	3060	re101.exe	WerFault.exe
PID 2908 wrote to memory of 2720	2908	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe	cmd.exe
PID 2908 wrote to memory of 2720	2908	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe	cmd.exe
PID 2908 wrote to memory of 2720	2908	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe	cmd.exe
PID 2908 wrote to memory of 2720	2908	1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1a7f966efc28f7db47e99f4cad688a5e_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\re101.exe
C:\Windows\re101.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\osk.exe
"C:\Windows\system32\osk.exe"
3⤵
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 280
3⤵
- Program crash
PID:2792

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\DelSvel.bat
2⤵
- Deletes itself
PID:2720

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\DelSvel.bat
Filesize
212B

MD5
c952f506817ab0a64ccb7f5318ef451e

SHA1
a0d41cbfbb6195a612b0fd8f22b336399c0b3e16

SHA256
cbd55ed4294429cd13699aed7ef7dfdd77f81c6751c928afb65738813cc0a088

SHA512
b0f4836976b46b8cb6f93c07064a516d5a22a89616c74bb6efd99a5351be5feeebf8d5f1d8dece4474b4ff033d568ac26f35bcab3ea4e278441c77a4e1bbb3de

Download Submit
F:\re101.exe
Filesize
282KB

MD5
1a7f966efc28f7db47e99f4cad688a5e

SHA1
315556a44bf5937cb4c031c06e733cd0ea87b475

SHA256
660ba8f32c96a618aa9e8ee472a742564a0dd02d4dc1ce4131dfc36ab1a52c0c

SHA512
32af17f6157c2523160691f06299ccd6c670f03ffac01eac57c1f398eb04b8b7452889df9704a7089382a0bd6112c100f0d3dbe0c5f5cbe6e4e4c18f64afb048

Download Submit
memory/2712-32-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/2712-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2908-0-0x0000000000400000-0x000000000054E4EC-memory.dmp

Filesize
1.3MB

Download
memory/2908-35-0x000000000054B000-0x000000000054D000-memory.dmp

Filesize
8KB

Download
memory/2908-44-0x0000000000400000-0x000000000054E4EC-memory.dmp

Filesize
1.3MB

Download
memory/2908-1-0x000000000054B000-0x000000000054D000-memory.dmp

Filesize
8KB

Download
memory/2908-20-0x00000000030D0000-0x000000000321F000-memory.dmp

Filesize
1.3MB

Download
memory/2908-19-0x00000000030D0000-0x000000000321F000-memory.dmp

Filesize
1.3MB

Download
memory/2908-2-0x0000000000400000-0x000000000054E4EC-memory.dmp

Filesize
1.3MB

Download
memory/2908-34-0x0000000000400000-0x000000000054E4EC-memory.dmp

Filesize
1.3MB

Download
memory/2908-13-0x0000000000400000-0x000000000054E4EC-memory.dmp

Filesize
1.3MB

Download
memory/3060-27-0x0000000000400000-0x000000000054E4EC-memory.dmp

Filesize
1.3MB

Download
memory/3060-23-0x0000000000400000-0x000000000054E4EC-memory.dmp

Filesize
1.3MB

Download
memory/3060-36-0x0000000000400000-0x000000000054E4EC-memory.dmp

Filesize
1.3MB

Download
memory/3060-21-0x0000000000400000-0x000000000054E4EC-memory.dmp

Filesize
1.3MB

Download
memory/3060-22-0x0000000000400000-0x000000000054E4EC-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads