modiloader | f44f73b42229ef30d09752e84d54f7fdb0e5c89afc0526fe705356b995ccaf80

General

Target

cf354d0be11ca0ce9b3e50accaead156_JaffaCakes118.exe
Size

309KB
MD5

cf354d0be11ca0ce9b3e50accaead156
SHA1

b04b7be723c80335d5cbf50f9b9e00d38dae317c
SHA256

f44f73b42229ef30d09752e84d54f7fdb0e5c89afc0526fe705356b995ccaf80
SHA512

d1992e4881a57a0b1c4982a3d7b9552c8fa66081fd80a15cd80eb2bc3a2ffbbe050fd0146deae14527f417f6db492c0731f19de3c019b44a90d80941d1df8561
SSDEEP

6144:hp2xIelQVkyFg8KdKBjqW0kJUtjkbRCXHwz/1Z2EMw3yMJR:hpVedGk0BjqpkJUtAbR4q32EMwD

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/3972-16-0x0000000000400000-0x0000000000565000-memory.dmp	modiloader_stage2
behavioral2/memory/3988-15-0x0000000000400000-0x0000000000565000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
3988	systen.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_systen.exe	systen.exe
File opened for modification	C:\Windows\SysWOW64\_systen.exe	systen.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3988 set thread context of 1792	3988	systen.exe	88

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\systen.exe	cf354d0be11ca0ce9b3e50accaead156_JaffaCakes118.exe
File opened for modification	C:\Program Files\systen.exe	cf354d0be11ca0ce9b3e50accaead156_JaffaCakes118.exe
File created	C:\Program Files\ReDelBat.bat	cf354d0be11ca0ce9b3e50accaead156_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3516	1792	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf354d0be11ca0ce9b3e50accaead156_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 3988	3972	cf354d0be11ca0ce9b3e50accaead156_JaffaCakes118.exe	86
PID 3972 wrote to memory of 3988	3972	cf354d0be11ca0ce9b3e50accaead156_JaffaCakes118.exe	86
PID 3972 wrote to memory of 3988	3972	cf354d0be11ca0ce9b3e50accaead156_JaffaCakes118.exe	86
PID 3988 wrote to memory of 1792	3988	systen.exe	88
PID 3988 wrote to memory of 1792	3988	systen.exe	88
PID 3988 wrote to memory of 1792	3988	systen.exe	88
PID 3988 wrote to memory of 1792	3988	systen.exe	88
PID 3988 wrote to memory of 1792	3988	systen.exe	88
PID 3972 wrote to memory of 4896	3972	cf354d0be11ca0ce9b3e50accaead156_JaffaCakes118.exe	90
PID 3972 wrote to memory of 4896	3972	cf354d0be11ca0ce9b3e50accaead156_JaffaCakes118.exe	90
PID 3972 wrote to memory of 4896	3972	cf354d0be11ca0ce9b3e50accaead156_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\cf354d0be11ca0ce9b3e50accaead156_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cf354d0be11ca0ce9b3e50accaead156_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Program Files\systen.exe
  "C:\Program Files\systen.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    PID:1792
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 12
      4⤵
      Program crash
      PID:3516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\ReDelBat.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1792 -ip 1792
1⤵
PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\ReDelBat.bat

Filesize
212B

MD5
e50cf895871b973fbe1ec32afe455d51

SHA1
cdc0d576f2e9e5b79a33043d352196e0f7d33b08

SHA256
dc17813e59d1da2809d06e13cabb399cb659bec9364e1dbd88774b0ad71579df

SHA512
8687d81c40f45c087f7e1b435fbe778897f6d5cb3e3c69560eaf3517644548cc337452b13c825544b1d7888e3e373012fd04663adde901d1cf7ccb0ae716b94c

Download Submit
C:\Program Files\systen.exe

Filesize
309KB

MD5
cf354d0be11ca0ce9b3e50accaead156

SHA1
b04b7be723c80335d5cbf50f9b9e00d38dae317c

SHA256
f44f73b42229ef30d09752e84d54f7fdb0e5c89afc0526fe705356b995ccaf80

SHA512
d1992e4881a57a0b1c4982a3d7b9552c8fa66081fd80a15cd80eb2bc3a2ffbbe050fd0146deae14527f417f6db492c0731f19de3c019b44a90d80941d1df8561

Download Submit
memory/1792-12-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/3972-0-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/3972-1-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/3972-2-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3972-16-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/3988-8-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3988-15-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing