modiloader | 1daf582e2b920ae25107fbce2288c2c6992e907be78966c69aa806aba4a51fb6

General

Target

cf46175dbaa28f85b0197a5b351bfa91_JaffaCakes118.exe
Size

132KB
MD5

cf46175dbaa28f85b0197a5b351bfa91
SHA1

eac98b5b5730c55fe43bd3b4535d1ebc79e654d4
SHA256

1daf582e2b920ae25107fbce2288c2c6992e907be78966c69aa806aba4a51fb6
SHA512

f00cb1275d969b08d6926250a311025e04f11b4478fbaccfcfe05c400f9660e6225c347d7b78f82259e659e0178b5875c1456d6055695a009d7ce57d2f87a0ba
SSDEEP

1536:TXfPAvzZEF28e6goZJpMRelkdXbvr2gbfT5D0Zwnd43oNhgWbNz/RNxpNoTvXQw+:TyzQc9ozpMjdrjlbTPJlNxpNop

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/1916-15-0x0000000000400000-0x0000000000428000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
568	server.exe

Loads dropped DLL 2 IoCs

pid	Process
1916	cf46175dbaa28f85b0197a5b351bfa91_JaffaCakes118.exe
1916	cf46175dbaa28f85b0197a5b351bfa91_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf46175dbaa28f85b0197a5b351bfa91_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
568	server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2520	DllHost.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 568	1916	cf46175dbaa28f85b0197a5b351bfa91_JaffaCakes118.exe	31
PID 1916 wrote to memory of 568	1916	cf46175dbaa28f85b0197a5b351bfa91_JaffaCakes118.exe	31
PID 1916 wrote to memory of 568	1916	cf46175dbaa28f85b0197a5b351bfa91_JaffaCakes118.exe	31
PID 1916 wrote to memory of 568	1916	cf46175dbaa28f85b0197a5b351bfa91_JaffaCakes118.exe	31
PID 568 wrote to memory of 1208	568	server.exe	21
PID 568 wrote to memory of 1208	568	server.exe	21
PID 568 wrote to memory of 1208	568	server.exe	21
PID 568 wrote to memory of 1208	568	server.exe	21
PID 568 wrote to memory of 1208	568	server.exe	21
PID 568 wrote to memory of 1208	568	server.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\cf46175dbaa28f85b0197a5b351bfa91_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\cf46175dbaa28f85b0197a5b351bfa91_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:568

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\58.jpg

Filesize
59KB

MD5
a074165813090e88a2050f2541c8af18

SHA1
5c3b0280265ba7e972e278ce0fd3e27548cf7fbc

SHA256
6887f557ccc04e2c82c62b55d53786aa9e3aeb708cdfce84ddce60d9c039ed0e

SHA512
5e547f098f74696129827c0a488b9ece64d758f9f86bde36ecf0915c1a42dfb8ff1e0b04ccdf44f797c5fe59e5f4c45600ffa04cda8584d00d715b9c4e00e89a

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
62KB

MD5
1c9734b4b52cac620722d43c00663953

SHA1
54fd1c6cda6baa3ccac6f7efb1093b530cbfe640

SHA256
a824e8d17bac70a7651c9647cdf407204204912c991c96e4a99f8eb6fb1091d4

SHA512
a3f5f4296ab97251744de163dfe2380a8faa8cf8f2c89f7f012545cd6dd0d205e1a78556bff06c14df66e5ab428533fc9f037a4efd096ac34a52b714e309d7c0

Download Submit
memory/568-21-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/568-39-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/568-38-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1208-18-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/1208-25-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/1916-1-0x00000000020E0000-0x00000000020E2000-memory.dmp

Filesize
8KB

Download
memory/1916-13-0x00000000001C0000-0x00000000001CB000-memory.dmp

Filesize
44KB

Download
memory/1916-15-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1916-8-0x00000000001C0000-0x00000000001CB000-memory.dmp

Filesize
44KB

Download
memory/2520-4-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2520-2-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2520-40-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing