modiloader | 75faf0f399d54ca80a73cdf19668db270044b2f0397e8236de3064bc7d81c5aa

Analysis

max time kernel
136s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bb53a0474ca84455096ced24df6e27e_JaffaCakes118.exe
Size

395KB
MD5

1bb53a0474ca84455096ced24df6e27e
SHA1

39d6ba87aa3ddda458422054d0ada4a0b05c7156
SHA256

75faf0f399d54ca80a73cdf19668db270044b2f0397e8236de3064bc7d81c5aa
SHA512

092ae628a13925220c85e395a0d9dc56197478e156fb52a80babeccc3e369d18cb6377bf49fced35d6a4d8daef16748077bc852e7ae241a99826f3ba7116a722
SSDEEP

6144:TCBljPlNn6RVwHsA6nIRmxy9XZj6Lv0BUwuLNYafwsU3yylogJCcmFsluASMw2K1:GB5Pr6MFBXsQBUws+WU3dlo4CcmGXKe

Score

10^/10

modiloader persistence trojan vmprotect

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SX_SER~1.EXE	modiloader_stage2
behavioral2/memory/1840-9-0x0000000000400000-0x00000000004BF400-memory.dmp	modiloader_stage2
behavioral2/memory/1840-13-0x0000000000400000-0x00000000004BF400-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

SX_SER~1.EXE

pid process

1840 SX_SER~1.EXE

pid	process
1840	SX_SER~1.EXE

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/60-0-0x0000000001000000-0x00000000010C4000-memory.dmp	vmprotect
behavioral2/memory/60-3-0x0000000001000000-0x00000000010C4000-memory.dmp	vmprotect
behavioral2/memory/60-14-0x0000000001000000-0x00000000010C4000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1bb53a0474ca84455096ced24df6e27e_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1bb53a0474ca84455096ced24df6e27e_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

Processes:

SX_SER~1.EXE

description ioc process

File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\2010.txt SX_SER~1.EXE

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\2010.txt	SX_SER~1.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

1bb53a0474ca84455096ced24df6e27e_JaffaCakes118.exeSX_SER~1.EXE

description	pid	process	target process
PID 60 wrote to memory of 1840	60	1bb53a0474ca84455096ced24df6e27e_JaffaCakes118.exe	SX_SER~1.EXE
PID 60 wrote to memory of 1840	60	1bb53a0474ca84455096ced24df6e27e_JaffaCakes118.exe	SX_SER~1.EXE
PID 60 wrote to memory of 1840	60	1bb53a0474ca84455096ced24df6e27e_JaffaCakes118.exe	SX_SER~1.EXE
PID 1840 wrote to memory of 3780	1840	SX_SER~1.EXE	IEXPLORE.EXE
PID 1840 wrote to memory of 3780	1840	SX_SER~1.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\1bb53a0474ca84455096ced24df6e27e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1bb53a0474ca84455096ced24df6e27e_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:60

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SX_SER~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SX_SER~1.EXE
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1840

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
3⤵
PID:3780

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SX_SER~1.EXE
Filesize
686KB

MD5
af91da5a4d64f8f9e83fecbf3279d1ec

SHA1
b8ead09a62a86930039519518a6c3bebadb4764d

SHA256
09f426a939617e995169227865a202cb952907c842b5a602e7ea29b013fb5b62

SHA512
7e3bd63c7c25735d7c77c636201ffbd93ff3792a86331a870bf0e57cf796a2000e4d983e3a1bcc7b9bbcdecb957cfccabf5f56c72537d5396b2140fd8c3dbcc9

Download Submit
memory/60-0-0x0000000001000000-0x00000000010C4000-memory.dmp

Filesize
784KB

Download
memory/60-1-0x00000000010B3000-0x00000000010B5000-memory.dmp

Filesize
8KB

Download
memory/60-3-0x0000000001000000-0x00000000010C4000-memory.dmp

Filesize
784KB

Download
memory/60-14-0x0000000001000000-0x00000000010C4000-memory.dmp

Filesize
784KB

Download
memory/1840-9-0x0000000000400000-0x00000000004BF400-memory.dmp

Filesize
765KB

Download
memory/1840-13-0x0000000000400000-0x00000000004BF400-memory.dmp

Filesize
765KB

Download
memory/1840-11-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download