modiloader | 4bfc4058c12e43ed7130752046e90514ea396f7ceeb890dfb49b4a695017ad58

General

Target

dbaa553574f33e4a8ee6c2fdca2f6076_JaffaCakes118.exe
Size

632KB
MD5

dbaa553574f33e4a8ee6c2fdca2f6076
SHA1

eeb44811e264daaa9761cb09b53ae58f300afd64
SHA256

4bfc4058c12e43ed7130752046e90514ea396f7ceeb890dfb49b4a695017ad58
SHA512

d49af8754b8c8895783879bb0fccd814681b64666f7a3118ae8a5c27e6d49466e7c7b51f58e4e8617dac3d410c261d83b7c3d305240705c367f1f7512f4eba1d
SSDEEP

12288:DZrqHlBluDTLMnykCUZBUbHgWZgPWlq7m5QSqIbRIWEHQe18LQk9MDnoRXQ5Ily:D5CQDUykC0BUbWPWP5bXbRiHf180FCgF

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/2060-48-0x0000000000400000-0x00000000005C1000-memory.dmp	modiloader_stage2
behavioral1/memory/1928-50-0x0000000000400000-0x00000000005C1000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2448	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2060	windosmisf.exe

Loads dropped DLL 2 IoCs

pid	Process
1928	dbaa553574f33e4a8ee6c2fdca2f6076_JaffaCakes118.exe
1928	dbaa553574f33e4a8ee6c2fdca2f6076_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\_windosmisf.exe	windosmisf.exe
File created	C:\Windows\SysWOW64\_windosmisf.exe	windosmisf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2060 set thread context of 2200	2060	windosmisf.exe	32

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\windosmisf.exe	dbaa553574f33e4a8ee6c2fdca2f6076_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\windosmisf.exe	dbaa553574f33e4a8ee6c2fdca2f6076_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat	dbaa553574f33e4a8ee6c2fdca2f6076_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbaa553574f33e4a8ee6c2fdca2f6076_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windosmisf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2060	1928	dbaa553574f33e4a8ee6c2fdca2f6076_JaffaCakes118.exe	31
PID 1928 wrote to memory of 2060	1928	dbaa553574f33e4a8ee6c2fdca2f6076_JaffaCakes118.exe	31
PID 1928 wrote to memory of 2060	1928	dbaa553574f33e4a8ee6c2fdca2f6076_JaffaCakes118.exe	31
PID 1928 wrote to memory of 2060	1928	dbaa553574f33e4a8ee6c2fdca2f6076_JaffaCakes118.exe	31
PID 2060 wrote to memory of 2200	2060	windosmisf.exe	32
PID 2060 wrote to memory of 2200	2060	windosmisf.exe	32
PID 2060 wrote to memory of 2200	2060	windosmisf.exe	32
PID 2060 wrote to memory of 2200	2060	windosmisf.exe	32
PID 2060 wrote to memory of 2200	2060	windosmisf.exe	32
PID 2060 wrote to memory of 2200	2060	windosmisf.exe	32
PID 2060 wrote to memory of 2988	2060	windosmisf.exe	33
PID 2060 wrote to memory of 2988	2060	windosmisf.exe	33
PID 2060 wrote to memory of 2988	2060	windosmisf.exe	33
PID 2060 wrote to memory of 2988	2060	windosmisf.exe	33
PID 1928 wrote to memory of 2448	1928	dbaa553574f33e4a8ee6c2fdca2f6076_JaffaCakes118.exe	34
PID 1928 wrote to memory of 2448	1928	dbaa553574f33e4a8ee6c2fdca2f6076_JaffaCakes118.exe	34
PID 1928 wrote to memory of 2448	1928	dbaa553574f33e4a8ee6c2fdca2f6076_JaffaCakes118.exe	34
PID 1928 wrote to memory of 2448	1928	dbaa553574f33e4a8ee6c2fdca2f6076_JaffaCakes118.exe	34
PID 1928 wrote to memory of 2448	1928	dbaa553574f33e4a8ee6c2fdca2f6076_JaffaCakes118.exe	34
PID 1928 wrote to memory of 2448	1928	dbaa553574f33e4a8ee6c2fdca2f6076_JaffaCakes118.exe	34
PID 1928 wrote to memory of 2448	1928	dbaa553574f33e4a8ee6c2fdca2f6076_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\dbaa553574f33e4a8ee6c2fdca2f6076_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dbaa553574f33e4a8ee6c2fdca2f6076_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\windosmisf.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\windosmisf.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:2200
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:2988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\SetupDel.bat

Filesize
212B

MD5
112698d8bf6a678e94149887723869c5

SHA1
1e97831ad198b1188f5d6d81fdcea99182a24467

SHA256
2eefb4b14f1063b6aa13095991c5588d684bc21b373dfca9e1dd9b9cbed968d9

SHA512
5cfad999fd644ff6646aaad5c7fa36fd8e47d3c4bd9fa44709a3c566e46654d6eb058120c6534b6773d9d579d2c497dc79cf61f4ecbf8002ee22806d2f4b9bb6

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\windosmisf.exe

Filesize
632KB

MD5
dbaa553574f33e4a8ee6c2fdca2f6076

SHA1
eeb44811e264daaa9761cb09b53ae58f300afd64

SHA256
4bfc4058c12e43ed7130752046e90514ea396f7ceeb890dfb49b4a695017ad58

SHA512
d49af8754b8c8895783879bb0fccd814681b64666f7a3118ae8a5c27e6d49466e7c7b51f58e4e8617dac3d410c261d83b7c3d305240705c367f1f7512f4eba1d

Download Submit
memory/1928-19-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1928-20-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/1928-8-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/1928-17-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/1928-7-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/1928-0-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/1928-18-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1928-15-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/1928-14-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/1928-13-0x0000000003430000-0x0000000003433000-memory.dmp

Filesize
12KB

Download
memory/1928-12-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1928-6-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/1928-10-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/1928-9-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1928-16-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/1928-5-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1928-11-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1928-4-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1928-3-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1928-2-0x00000000006D0000-0x0000000000724000-memory.dmp

Filesize
336KB

Download
memory/1928-29-0x0000000004720000-0x00000000048E1000-memory.dmp

Filesize
1.8MB

Download
memory/1928-50-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/1928-30-0x0000000004720000-0x00000000048E1000-memory.dmp

Filesize
1.8MB

Download
memory/1928-1-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1928-49-0x00000000006D0000-0x0000000000724000-memory.dmp

Filesize
336KB

Download
memory/2060-48-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2060-32-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2200-39-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2200-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing