modiloader | 41064f46efbd85824697f4675ff6d70e9b47107891fcc5a966361deb370a70cf

General

Target

da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Size

2.1MB
MD5

da4e0703a34085c2fa77d86492273381
SHA1

6905a25afa412c21528fa601c121c957d0436248
SHA256

41064f46efbd85824697f4675ff6d70e9b47107891fcc5a966361deb370a70cf
SHA512

98d339c8e915f8d967641eafc22ee14216a9d5dd61e660d0aba557af622667b52eeacb9d54a043b04bae6079937986d4b7ad219077ceea348de328b6520d6327
SSDEEP

24576:IbYUSrlwjSVB9y81hXlEM2Iu9VYRj/1rRiVzC2:Is3zy4u9WD1twzC

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/2216-15-0x0000000000400000-0x0000000000615000-memory.dmp	modiloader_stage2
behavioral1/memory/2216-24-0x0000000000400000-0x0000000000615000-memory.dmp	modiloader_stage2

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2178DF1-BDA4-421D-B03E-EA1B3A25F281}	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2178DF1-BDA4-421D-B03E-EA1B3A25F281}\Info	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2178DF1-BDA4-421D-B03E-EA1B3A25F281}\Info\Data = 0062d4772462d477867c8e7834fb180098fad27768fa1800f8f91800aafad27774fb1800cd1ed8770e48450ffeffffff2462d477fc1e8177340000c00d096e77c0fb1800091f81774c0100005cfb180064fb18006ce3d37760fb18000200000000000000000000004c0100000000000068fa1800340000c0e003000000000101a8f918000000000030fb1800cd1ed877e64e450f000000000000000021106e77acfa1800f87dd47700000000000000000000000000007e00986a8300200000002cfb18001e0023002c00000008fb180032e7d377986a83009069830001000000906a8300ecfa180003e0d377c0fb180034fb180000000000906a830000fb180088e6d37700007e0000000000986a830010fb18000995ac11e40b00003e4b49f7cc58ba0d3cfb18000005d7770995ac11290c00000eb967faeb50d7c61a000000000000000000000078fb1800000000005cfb18006805d7773c000000000000000000000000000000090000000b0000000100e64009f194020900000190fb1800cfa5400088fb1800d1011800b42dee0168ffef0104322e30300c89a2f20ae03f1e00000060aa4000d101180089a2f20a89a2f20a1041e64003000b000c000100	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{B2178DF1-BDA4-421D-B03E-EA1B3A25F281}\Info	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Token: 33	2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Token: 33	2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Token: 33	2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2264	2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe	30
PID 2216 wrote to memory of 2264	2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe	30
PID 2216 wrote to memory of 2264	2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe	30
PID 2216 wrote to memory of 2264	2216	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com > C:\Users\Admin\AppData\Local\Temp\~RomDmp1\Rom.dmp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wake.ini

Filesize
30B

MD5
ebfe4b94ac788c0f0d61c7f2cbc8e1b6

SHA1
5d0e3e95f1a8d750928378f97a844e64a9c96d4e

SHA256
90a6387cb6130b3b01768766981740c3cde56181234c526185fe6c079430e164

SHA512
1f6ba345063a12e4ba04a1327ecad089b5636eda3cf74f6858ca2e7a657ea827ec0c3d6648800b55e49c6bb87346cdf1fe364322fbe238667755b34fdf1e14ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\wake.ini

Filesize
16B

MD5
01cd931d712a7d4b7943ca0ae8e6d774

SHA1
0f5e5ab9c138f0616fb9e3f09e6561d5ec9bae20

SHA256
83047afb974e165e3fa9f0f2173f0f94dee2497b96dc363ad34a4226bc2f54fa

SHA512
2342aed3603c9600be887791ab6516267110f74f8dab53ee0c8a453b7b5c7c8379d05c837aafcf0a7e3ed75275f4550c3b89d8cf357396ba063ca7b5970b0296

Download Submit
memory/2216-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2216-16-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2216-15-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/2216-24-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing