modiloader | 41064f46efbd85824697f4675ff6d70e9b47107891fcc5a966361deb370a70cf

General

Target

da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Size

2.1MB
MD5

da4e0703a34085c2fa77d86492273381
SHA1

6905a25afa412c21528fa601c121c957d0436248
SHA256

41064f46efbd85824697f4675ff6d70e9b47107891fcc5a966361deb370a70cf
SHA512

98d339c8e915f8d967641eafc22ee14216a9d5dd61e660d0aba557af622667b52eeacb9d54a043b04bae6079937986d4b7ad219077ceea348de328b6520d6327
SSDEEP

24576:IbYUSrlwjSVB9y81hXlEM2Iu9VYRj/1rRiVzC2:Is3zy4u9WD1twzC

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/2232-14-0x0000000000400000-0x0000000000615000-memory.dmp	modiloader_stage2
behavioral2/memory/2232-23-0x0000000000400000-0x0000000000615000-memory.dmp	modiloader_stage2

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{B2178DF1-BDA4-421D-B03E-EA1B3A25F281}\Info	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B2178DF1-BDA4-421D-B03E-EA1B3A25F281}	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B2178DF1-BDA4-421D-B03E-EA1B3A25F281}\Info	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B2178DF1-BDA4-421D-B03E-EA1B3A25F281}\Info\Data = 00000000101eef760000000000000000090000009b4cfa76f0246200090000005cfb1900906fc877083e6200101eef76e4fa19001855f776340000c000000000a8fb19002555f77640fb1900000002000c00000048fb190000000000e0020000020000004c00190000000000000000004cfa1900c0301c00000000003baaac11e40b00003e4b49f74269ba0d9cfa19007f5c02003b069502b0fa1900010000009cfa19003c0000004204db0102b5b968000000003b069502b0fa190008000000a7010000e4fa1900c6cd007740fb19008cfb19003cff3702e80709000b000c00020000007b03030002b5b9684204db019b4cfa7600000000000000000000000000000000000000000000000024fb1900b7e5f87600fb19000cfb190040fb1900982d360205e6f87602b5b9684204db012000fe7fe80709000b000c00020000007b03030086c4131bfa60096c78fb190051e5f87640fb1900982d36023cff37023cff370200000000090000000b000a1b0200e6403b0695020900000178fb1900cfa5400070fb19007b031900982d36023cff370204322e3030958656760be03f1e00000060aa40007b0319008756760b8756760b1041e64003000b000c000200	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Token: 33	2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Token: 33	2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Token: 33	2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1560	2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe	86
PID 2232 wrote to memory of 1560	2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe	86
PID 2232 wrote to memory of 1560	2232	da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da4e0703a34085c2fa77d86492273381_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com > C:\Users\Admin\AppData\Local\Temp\~RomDmp1\Rom.dmp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wake.ini

Filesize
30B

MD5
ebfe4b94ac788c0f0d61c7f2cbc8e1b6

SHA1
5d0e3e95f1a8d750928378f97a844e64a9c96d4e

SHA256
90a6387cb6130b3b01768766981740c3cde56181234c526185fe6c079430e164

SHA512
1f6ba345063a12e4ba04a1327ecad089b5636eda3cf74f6858ca2e7a657ea827ec0c3d6648800b55e49c6bb87346cdf1fe364322fbe238667755b34fdf1e14ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\wake.ini

Filesize
16B

MD5
01cd931d712a7d4b7943ca0ae8e6d774

SHA1
0f5e5ab9c138f0616fb9e3f09e6561d5ec9bae20

SHA256
83047afb974e165e3fa9f0f2173f0f94dee2497b96dc363ad34a4226bc2f54fa

SHA512
2342aed3603c9600be887791ab6516267110f74f8dab53ee0c8a453b7b5c7c8379d05c837aafcf0a7e3ed75275f4550c3b89d8cf357396ba063ca7b5970b0296

Download Submit
C:\Users\Admin\AppData\Local\Temp\~RomDmp1\RomDump.com

Filesize
46B

MD5
74ea83a987cf7e29fe79b16b15b4bbed

SHA1
452a79ee1211fad2efdfaf203e4b092f937208fc

SHA256
9b327617c8c6fc6c70b7ada3ea40edcb143f0925d0c33fbb8a0a366020deed9d

SHA512
35334ba33584b60b2774a4404706d88382b4ab647a3e9afe231e7910246c6fb851a2ae860652771fe2809e40abdc922d75f08616b8dc1ea16e2eefa572000355

Download Submit
memory/2232-0-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/2232-15-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/2232-14-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/2232-23-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing