modiloader | 7b9f238467b4dcbaf60557068a8619c85866b5d835ec9a5a41e0d0f92fafb089

General

Target

e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe
Size

966KB
MD5

e135841a19710afe8fc153ed636e2d01
SHA1

a8f7a622ff176e8089ea7017d6c88ca7a0b8d1fb
SHA256

7b9f238467b4dcbaf60557068a8619c85866b5d835ec9a5a41e0d0f92fafb089
SHA512

2a9586da69b0d5b6d34ba8805c1e65ac4deed9ee622655d751e72d5dee49e142baab5e760d5ea35a1226aec9c235f1128f9336660c6f4f16df4a987972e70e90
SSDEEP

12288:iZQ9MEgfyJJhZfkD5JFZvgxJIvCTSmGul+hRkb2NdLk04pLdDj1ay3F:iZQqEoYJf2Jv4PSmdl+vL6G6F

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2120-17-0x0000000000400000-0x00000000004F9000-memory.dmp	modiloader_stage2

Executes dropped EXE 4 IoCs

pid	Process
2324	zoka.exe
1780	HarrysFilters40.exe
2696	HarrysFilters40.tmp
2760	tmp.exe

Loads dropped DLL 8 IoCs

pid	Process
2120	e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe
2120	e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe
2120	e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe
1780	HarrysFilters40.exe
2324	zoka.exe
2324	zoka.exe
2696	HarrysFilters40.tmp
2696	HarrysFilters40.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zoka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HarrysFilters40.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HarrysFilters40.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2760	tmp.exe
2760	tmp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2696	HarrysFilters40.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2324	zoka.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2324	2120	e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe	30
PID 2120 wrote to memory of 2324	2120	e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe	30
PID 2120 wrote to memory of 2324	2120	e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe	30
PID 2120 wrote to memory of 2324	2120	e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe	30
PID 2120 wrote to memory of 1780	2120	e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe	31
PID 2120 wrote to memory of 1780	2120	e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe	31
PID 2120 wrote to memory of 1780	2120	e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe	31
PID 2120 wrote to memory of 1780	2120	e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe	31
PID 1780 wrote to memory of 2696	1780	HarrysFilters40.exe	32
PID 1780 wrote to memory of 2696	1780	HarrysFilters40.exe	32
PID 1780 wrote to memory of 2696	1780	HarrysFilters40.exe	32
PID 1780 wrote to memory of 2696	1780	HarrysFilters40.exe	32
PID 1780 wrote to memory of 2696	1780	HarrysFilters40.exe	32
PID 1780 wrote to memory of 2696	1780	HarrysFilters40.exe	32
PID 1780 wrote to memory of 2696	1780	HarrysFilters40.exe	32
PID 2324 wrote to memory of 2760	2324	zoka.exe	33
PID 2324 wrote to memory of 2760	2324	zoka.exe	33
PID 2324 wrote to memory of 2760	2324	zoka.exe	33
PID 2324 wrote to memory of 2760	2324	zoka.exe	33
PID 2760 wrote to memory of 1196	2760	tmp.exe	21
PID 2760 wrote to memory of 1196	2760	tmp.exe	21
PID 2760 wrote to memory of 1196	2760	tmp.exe	21
PID 2760 wrote to memory of 1196	2760	tmp.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\zoka.exe
    "C:\Users\Admin\AppData\Local\Temp\zoka.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Users\Admin\AppData\Local\Temp\tmp.exe
      C:\Users\Admin\AppData\Local\Temp\tmp.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2760
- - C:\Users\Admin\AppData\Local\Temp\HarrysFilters40.exe
    "C:\Users\Admin\AppData\Local\Temp\HarrysFilters40.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Users\Admin\AppData\Local\Temp\is-SRLU8.tmp\HarrysFilters40.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-SRLU8.tmp\HarrysFilters40.tmp" /SL5="$80192,485556,54272,C:\Users\Admin\AppData\Local\Temp\HarrysFilters40.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\HarrysFilters40.exe

Filesize
841KB

MD5
13afb37ab12199a98333cfd750d03626

SHA1
fabb38e4ca7d285e332c52c6d66697c967d82830

SHA256
5964a6f9165a9104891b6c943f8de76d142e24c7a70ee67b89d8abe92ed3c30c

SHA512
0964978ce5f6c4d98fff5781a702714ed3e4c3f5993ac956a2569a01eb269db2107a27d90f4667efcc61f6104f58532bf45b12b8889321757a4d2cd1cd2d8660

Download Submit
\Users\Admin\AppData\Local\Temp\is-NOM50.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-SRLU8.tmp\HarrysFilters40.tmp

Filesize
696KB

MD5
8aa8c628f7b7b7f3e96eff00557bd0bf

SHA1
9af9cf61707cbba7bf0d7cbed94e8db91aff8bd6

SHA256
14d4fa3ea6c3fbf6e9d284de717e73a1ebb5e77f3d5c8c98808e40ade359ea9d

SHA512
5e0a4765873684fce159af81310e37b6918c923ccede0c4de0bd1e2e221425109131830cff02e3f910f15b0401ee3b4ae68700b6d29a5e8466f6d4ee1dcd6eeb

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
31KB

MD5
d811471dfbcc6b9764e0f8c31d87c5b3

SHA1
6cc5e219193149b1260a2fc7af25f670d9f65aff

SHA256
95974775c340267e20b692e87fe16b4360d5a6e6fb1094d375a6f0f430e1cc67

SHA512
ae3990f0cadf3eb3e12ad694c2fe6c8c9352f55d5a0efd38b5fe2855b5dab81b7edbc29e2cbb195939c3e99aaf015e9331f73f5861c3c74eaccfd78094000aa7

Download Submit
\Users\Admin\AppData\Local\Temp\zoka.exe

Filesize
112KB

MD5
a675138bbf24712bf92e2c35aed18727

SHA1
5313ba03c0ecbc9507719e13bc504f5dea0246b1

SHA256
73d7ac786c5594f3d90ecd34970c2210606efe48edeeaa2fa10edd67e95e6069

SHA512
e81aee548b84546672ec879d526c94ed02d2af194f76ff564e13f1d54fc755525a8fc4f3459d1df6aba47145805e89224ed0495a6919c16184fb3aa394f1299d

Download Submit
memory/1196-45-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1196-48-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1780-23-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1780-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1780-66-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2120-11-0x00000000025D0000-0x0000000002603000-memory.dmp

Filesize
204KB

Download
memory/2120-17-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2120-10-0x00000000025D0000-0x0000000002603000-memory.dmp

Filesize
204KB

Download
memory/2324-40-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/2324-58-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-36-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/2696-67-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2760-43-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download

Analysis

Sharing