modiloader | d4962916fb84171fa9c67c12571e380af7d80dbeaf727f0797045d8ab2b0697c

General

Target

e34cc310536ad0478ffe7a2a1b43845b_JaffaCakes118.exe
Size

708KB
MD5

e34cc310536ad0478ffe7a2a1b43845b
SHA1

69fe0e6115a0d84083bf5b901e03787511101239
SHA256

d4962916fb84171fa9c67c12571e380af7d80dbeaf727f0797045d8ab2b0697c
SHA512

4814156062c423a79cba86db6d93e19d5cb2fa6253235235cba798f5b3b612d568524b45fc7b6a0c486a3fc4388598a6beeabe185bdb4d5899ce19c9553de1fc
SSDEEP

12288:0pmiRf08bkQeOA9zTuCVobQbmRvTnl6pKw9YC21vIkmAu69lnfvf:IRf0WbAhTFsvTluYvPmAu69lnH

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2540-21-0x0000000000400000-0x00000000004B8000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
1308	new.exe
2368	creditcard.EXE

Loads dropped DLL 4 IoCs

pid	Process
2540	e34cc310536ad0478ffe7a2a1b43845b_JaffaCakes118.exe
2540	e34cc310536ad0478ffe7a2a1b43845b_JaffaCakes118.exe
2540	e34cc310536ad0478ffe7a2a1b43845b_JaffaCakes118.exe
2540	e34cc310536ad0478ffe7a2a1b43845b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	creditcard.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e34cc310536ad0478ffe7a2a1b43845b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	new.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1308	new.exe
1308	new.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 1308	2540	e34cc310536ad0478ffe7a2a1b43845b_JaffaCakes118.exe	30
PID 2540 wrote to memory of 1308	2540	e34cc310536ad0478ffe7a2a1b43845b_JaffaCakes118.exe	30
PID 2540 wrote to memory of 1308	2540	e34cc310536ad0478ffe7a2a1b43845b_JaffaCakes118.exe	30
PID 2540 wrote to memory of 1308	2540	e34cc310536ad0478ffe7a2a1b43845b_JaffaCakes118.exe	30
PID 2540 wrote to memory of 2368	2540	e34cc310536ad0478ffe7a2a1b43845b_JaffaCakes118.exe	31
PID 2540 wrote to memory of 2368	2540	e34cc310536ad0478ffe7a2a1b43845b_JaffaCakes118.exe	31
PID 2540 wrote to memory of 2368	2540	e34cc310536ad0478ffe7a2a1b43845b_JaffaCakes118.exe	31
PID 2540 wrote to memory of 2368	2540	e34cc310536ad0478ffe7a2a1b43845b_JaffaCakes118.exe	31
PID 1308 wrote to memory of 1204	1308	new.exe	21
PID 1308 wrote to memory of 1204	1308	new.exe	21
PID 1308 wrote to memory of 1204	1308	new.exe	21
PID 1308 wrote to memory of 1204	1308	new.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\e34cc310536ad0478ffe7a2a1b43845b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e34cc310536ad0478ffe7a2a1b43845b_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\new.exe
    "C:\Users\Admin\AppData\Local\Temp\new.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1308
- - C:\Users\Admin\AppData\Local\Temp\creditcard.EXE
    "C:\Users\Admin\AppData\Local\Temp\creditcard.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\creditcard.EXE

Filesize
297KB

MD5
fffe4e3f9234a957012680fbe4026b80

SHA1
3844b072cfab05e55fa444a61660ad9205f36e20

SHA256
8947c277122b491b5cab694cd767e62295b71134fd681cd776c970302290b92e

SHA512
722727421189d83df0bfd757522f108b228a782ed0ced441b2d30cbd4be7db560e05156495b6200d8115cd92fc2f7b7fc457b73ef621a8f607972822b825b048

Download Submit
\Users\Admin\AppData\Local\Temp\new.exe

Filesize
400KB

MD5
e1ebf4150358267aa842a83998e57fcf

SHA1
16c5fd80a9ce658ad7b8c38fc1cc73ec6e58e67b

SHA256
0c310246423f8911899ad8896f76c0ee4bee6a6f15b57f8aaeb444eed46af146

SHA512
fc63f4de35ffc7f16262c4c19e4bfcfdfd75199c088c220777b3dd05f75454fcd59775602f330303d4f0383cad2625b9f6f81d5765a38db7cae785d71c6cbe23

Download Submit
memory/1204-33-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1204-30-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1308-25-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1308-23-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1308-22-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1308-28-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/1308-27-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1308-13-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1308-12-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/2368-24-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2368-26-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2368-43-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2540-21-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing