modiloader | 825a372fd4302d2ef94d829cd91fcc94eef1e6cdf5fb4fc7eb44dac5733c85cf

General

Target

e43ee351a7e0172dba63ebd5608ddc0b_JaffaCakes118.exe
Size

266KB
MD5

e43ee351a7e0172dba63ebd5608ddc0b
SHA1

8788eac3f52a2428c91c9343f80a688361ef89f3
SHA256

825a372fd4302d2ef94d829cd91fcc94eef1e6cdf5fb4fc7eb44dac5733c85cf
SHA512

b7545ee1d8c95895d224e3423c27eee7cc64f268afbba44a265077078fe5c3b72897f8b33f689064703c95ac17982a208b9f06ee904b0cb4b103778a72a55d4a
SSDEEP

6144:CivB0mnf76HZEGUWMWU3ayxJKuCkh/xJkD8ol4Rj2BuQe4UTdX:pmmnfuu/BWobKuXhEd4Rj2BOdX

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/2668-29-0x0000000000400000-0x0000000000504000-memory.dmp	modiloader_stage2
behavioral1/memory/2808-30-0x0000000000400000-0x0000000000504000-memory.dmp	modiloader_stage2
behavioral1/memory/2668-39-0x0000000000400000-0x0000000000504000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
1712	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2808	Network.exe

Loads dropped DLL 5 IoCs

pid	Process
2668	e43ee351a7e0172dba63ebd5608ddc0b_JaffaCakes118.exe
2668	e43ee351a7e0172dba63ebd5608ddc0b_JaffaCakes118.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_Network.exe	Network.exe
File opened for modification	C:\Windows\SysWOW64\_Network.exe	Network.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2808 set thread context of 2816	2808	Network.exe	31

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Network.exe	e43ee351a7e0172dba63ebd5608ddc0b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Network.exe	e43ee351a7e0172dba63ebd5608ddc0b_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat	e43ee351a7e0172dba63ebd5608ddc0b_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2592	2808	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e43ee351a7e0172dba63ebd5608ddc0b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Network.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2808	2668	e43ee351a7e0172dba63ebd5608ddc0b_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2808	2668	e43ee351a7e0172dba63ebd5608ddc0b_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2808	2668	e43ee351a7e0172dba63ebd5608ddc0b_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2808	2668	e43ee351a7e0172dba63ebd5608ddc0b_JaffaCakes118.exe	30
PID 2808 wrote to memory of 2816	2808	Network.exe	31
PID 2808 wrote to memory of 2816	2808	Network.exe	31
PID 2808 wrote to memory of 2816	2808	Network.exe	31
PID 2808 wrote to memory of 2816	2808	Network.exe	31
PID 2808 wrote to memory of 2816	2808	Network.exe	31
PID 2808 wrote to memory of 2816	2808	Network.exe	31
PID 2808 wrote to memory of 2592	2808	Network.exe	32
PID 2808 wrote to memory of 2592	2808	Network.exe	32
PID 2808 wrote to memory of 2592	2808	Network.exe	32
PID 2808 wrote to memory of 2592	2808	Network.exe	32
PID 2668 wrote to memory of 1712	2668	e43ee351a7e0172dba63ebd5608ddc0b_JaffaCakes118.exe	33
PID 2668 wrote to memory of 1712	2668	e43ee351a7e0172dba63ebd5608ddc0b_JaffaCakes118.exe	33
PID 2668 wrote to memory of 1712	2668	e43ee351a7e0172dba63ebd5608ddc0b_JaffaCakes118.exe	33
PID 2668 wrote to memory of 1712	2668	e43ee351a7e0172dba63ebd5608ddc0b_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\e43ee351a7e0172dba63ebd5608ddc0b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e43ee351a7e0172dba63ebd5608ddc0b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\Network.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\Network.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 280
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\Delet.bat

Filesize
212B

MD5
8b726e819bc91f2625d83abbcda90b84

SHA1
88103f12a764c052605c85c32167f3919d026c9a

SHA256
211dafad3cb7d8bf68a5958804471eb9f96fe045fb88f20d829c8c462013979e

SHA512
2d779cf73a2c9b03c98d7afabaa8d2477e8110b23d5e6047b1fb8fe3ff42ec9840dd95ba950a8b7ed2927e64d115cbc641b19401d055afcfe83259b57b09e0ad

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\Network.exe

Filesize
266KB

MD5
e43ee351a7e0172dba63ebd5608ddc0b

SHA1
8788eac3f52a2428c91c9343f80a688361ef89f3

SHA256
825a372fd4302d2ef94d829cd91fcc94eef1e6cdf5fb4fc7eb44dac5733c85cf

SHA512
b7545ee1d8c95895d224e3423c27eee7cc64f268afbba44a265077078fe5c3b72897f8b33f689064703c95ac17982a208b9f06ee904b0cb4b103778a72a55d4a

Download Submit
memory/2668-29-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2668-1-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2668-4-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2668-39-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2668-14-0x0000000002FD0000-0x00000000030D4000-memory.dmp

Filesize
1.0MB

Download
memory/2668-12-0x0000000002FD0000-0x00000000030D4000-memory.dmp

Filesize
1.0MB

Download
memory/2668-0-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2808-16-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2808-30-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2808-31-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2808-13-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2808-15-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2816-24-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2816-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing