modiloader | b13cb35df6bb3047503dcb851185549160c114eb0ae511604d660e9b13651850

General

Target

d4c78b07615060668383f748381d1c9c_JaffaCakes118.exe
Size

1.7MB
MD5

d4c78b07615060668383f748381d1c9c
SHA1

a1b2a71f4944a1604f7c4d3b23cff25671e1b5f9
SHA256

b13cb35df6bb3047503dcb851185549160c114eb0ae511604d660e9b13651850
SHA512

d3d03809d4ba3e264c4d0115435f31e4ac026e6dbec7a4513368b0b6112ca83638d525a04fe622363dc428dd7e542538bf45e50e3b1275d986040d98777436f8
SSDEEP

24576:RWtMWhP2t1s5x3qeG4KUchcg2PRm6F3TITk+t:oOW+s5xDghZwbhTIo+

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000186f8-9.dat	modiloader_stage2
behavioral1/memory/3060-20-0x0000000000400000-0x00000000004D0000-memory.dmp	modiloader_stage2
behavioral1/memory/1764-21-0x0000000000400000-0x00000000004D0000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
1524	×öºÃ×¼±¸,²»Òª¼¤¶¯Å¶!.EXE
1764	2.exe

Loads dropped DLL 3 IoCs

pid	Process
2672	d4c78b07615060668383f748381d1c9c_JaffaCakes118.exe
2672	d4c78b07615060668383f748381d1c9c_JaffaCakes118.exe
2672	d4c78b07615060668383f748381d1c9c_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1764 set thread context of 3060	1764	2.exe	32

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\2010.txt	2.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4c78b07615060668383f748381d1c9c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	×öºÃ×¼±¸,²»Òª¼¤¶¯Å¶!.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2672	d4c78b07615060668383f748381d1c9c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 1524	2672	d4c78b07615060668383f748381d1c9c_JaffaCakes118.exe	30
PID 2672 wrote to memory of 1524	2672	d4c78b07615060668383f748381d1c9c_JaffaCakes118.exe	30
PID 2672 wrote to memory of 1524	2672	d4c78b07615060668383f748381d1c9c_JaffaCakes118.exe	30
PID 2672 wrote to memory of 1524	2672	d4c78b07615060668383f748381d1c9c_JaffaCakes118.exe	30
PID 2672 wrote to memory of 1764	2672	d4c78b07615060668383f748381d1c9c_JaffaCakes118.exe	31
PID 2672 wrote to memory of 1764	2672	d4c78b07615060668383f748381d1c9c_JaffaCakes118.exe	31
PID 2672 wrote to memory of 1764	2672	d4c78b07615060668383f748381d1c9c_JaffaCakes118.exe	31
PID 2672 wrote to memory of 1764	2672	d4c78b07615060668383f748381d1c9c_JaffaCakes118.exe	31
PID 1764 wrote to memory of 3060	1764	2.exe	32
PID 1764 wrote to memory of 3060	1764	2.exe	32
PID 1764 wrote to memory of 3060	1764	2.exe	32
PID 1764 wrote to memory of 3060	1764	2.exe	32
PID 1764 wrote to memory of 3060	1764	2.exe	32
PID 1764 wrote to memory of 3060	1764	2.exe	32

C:\Users\Admin\AppData\Local\Temp\d4c78b07615060668383f748381d1c9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d4c78b07615060668383f748381d1c9c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\×öºÃ×¼±¸,²»Òª¼¤¶¯Å¶!.EXE
  "C:\Users\Admin\AppData\Local\Temp\×öºÃ×¼±¸,²»Òª¼¤¶¯Å¶!.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1524
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\mstsc.exe
    "C:\Windows\system32\mstsc.exe"
    3⤵
    PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\×öºÃ×¼±¸,²»Òª¼¤¶¯Å¶!.EXE

Filesize
895KB

MD5
38ca55c7c695e14bc80cfa46c80d64b3

SHA1
86d38ad2070e5f1eefa040a2a3aabc21eb2e5a14

SHA256
1b889e649c17ab62571ca14a436878772367b8554dcc4dfd86c2734dffa2e463

SHA512
c373306112142529f9830da4fe9ac4a3659e708425f8ed94eac86fc86598ab5f5676da1909afb864bc34bb42af511928989c4d9f4eb3d28e0b6b40e0eaf66245

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

Filesize
801KB

MD5
dae0176dc89cdd014677dd638ca72f17

SHA1
a8679b4ea6e1e1a86d6db0dbd4f877e61c5a893f

SHA256
c3185cc26393102a95c26fd309c72bf3b24416e0a4828507b1ed2fb245f93686

SHA512
fd47aa0b5ff9a873d06c662c23948edfb8016761dce3ad5cc2fc7e83ff0a72666e8e5560c33ff345ccec69d9c29f0ca899fc2be55cc6888eaf9019a2c9c4a2d4

Download Submit
memory/1524-30-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1524-26-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1524-35-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1524-34-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1524-33-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1524-22-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1524-23-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1524-24-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1524-25-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1524-32-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1524-27-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1524-28-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1524-29-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1524-31-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1764-13-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1764-21-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3060-19-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3060-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3060-20-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download

Analysis

Sharing