modiloader | d130fdac100c979365b3318e5ada35dead7e26e8c2df4f12b35b9977be903a10

General

Target

ce0345a835b0d9f8677f868d625d01ba_JaffaCakes118.exe
Size

272KB
MD5

ce0345a835b0d9f8677f868d625d01ba
SHA1

12d286dc70ede73826eb7d8ac30e33cd3929327e
SHA256

d130fdac100c979365b3318e5ada35dead7e26e8c2df4f12b35b9977be903a10
SHA512

fa2e2016587d9fe6573163708b6342232f40cc16c989369eef2c0779da362ebb0a5ab27fc9a8e5db0f6fc4ce006ded8cc8f02d4bee7d0c786bede58c9eaf1b2e
SSDEEP

6144:qZk7QaQAlGWAJGLV9RLwh2DYzyNhGOQZuCgkhJ:qyQriGWAJYVY01GO5y

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/4120-13-0x0000000000400000-0x000000000050702E-memory.dmp	modiloader_stage2
behavioral2/memory/4692-14-0x0000000000400000-0x000000000050702E-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
4120	QQgame

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\_QQgame	QQgame
File created	C:\Windows\SysWOW64\_QQgame	QQgame

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4120 set thread context of 4356	4120	QQgame	87

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\QQgame	ce0345a835b0d9f8677f868d625d01ba_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\QQgame	ce0345a835b0d9f8677f868d625d01ba_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat	ce0345a835b0d9f8677f868d625d01ba_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4260	4356	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQgame
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce0345a835b0d9f8677f868d625d01ba_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 4120	4692	ce0345a835b0d9f8677f868d625d01ba_JaffaCakes118.exe	86
PID 4692 wrote to memory of 4120	4692	ce0345a835b0d9f8677f868d625d01ba_JaffaCakes118.exe	86
PID 4692 wrote to memory of 4120	4692	ce0345a835b0d9f8677f868d625d01ba_JaffaCakes118.exe	86
PID 4120 wrote to memory of 4356	4120	QQgame	87
PID 4120 wrote to memory of 4356	4120	QQgame	87
PID 4120 wrote to memory of 4356	4120	QQgame	87
PID 4120 wrote to memory of 4356	4120	QQgame	87
PID 4120 wrote to memory of 4356	4120	QQgame	87
PID 4120 wrote to memory of 1120	4120	QQgame	88
PID 4120 wrote to memory of 1120	4120	QQgame	88
PID 4692 wrote to memory of 4968	4692	ce0345a835b0d9f8677f868d625d01ba_JaffaCakes118.exe	91
PID 4692 wrote to memory of 4968	4692	ce0345a835b0d9f8677f868d625d01ba_JaffaCakes118.exe	91
PID 4692 wrote to memory of 4968	4692	ce0345a835b0d9f8677f868d625d01ba_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\ce0345a835b0d9f8677f868d625d01ba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ce0345a835b0d9f8677f868d625d01ba_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\QQgame
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\QQgame"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:4356
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 12
      4⤵
      Program crash
      PID:4260
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4356 -ip 4356
1⤵
PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat

Filesize
212B

MD5
2ded1da152bb9b1b2918ccb72111b788

SHA1
f7c079b8558edc1a11de169191f74e57763ac284

SHA256
04f8f259cf36df6db3840d1b7d8257e59940c418bfd2efecb8cddffcb42bc175

SHA512
7b717546e9ab7873c2f9dacec5a6eb8f6424879c472b53421e1586f9ba86e6f281837b6f1ca0bcc2c4c2ca27d4ac04c67ac1db524d97631a111bff0027ac62d8

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\QQgame

Filesize
272KB

MD5
ce0345a835b0d9f8677f868d625d01ba

SHA1
12d286dc70ede73826eb7d8ac30e33cd3929327e

SHA256
d130fdac100c979365b3318e5ada35dead7e26e8c2df4f12b35b9977be903a10

SHA512
fa2e2016587d9fe6573163708b6342232f40cc16c989369eef2c0779da362ebb0a5ab27fc9a8e5db0f6fc4ce006ded8cc8f02d4bee7d0c786bede58c9eaf1b2e

Download Submit
memory/4120-6-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/4120-13-0x0000000000400000-0x000000000050702E-memory.dmp

Filesize
1.0MB

Download
memory/4356-9-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/4692-0-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4692-14-0x0000000000400000-0x000000000050702E-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing