modiloader | b9900779a43961ddcbfbd22772d83e91b0dbb79904e93df622671f3b35c80bc3

General

Target

ec52a88ef30346c168c2c933b996c63b_JaffaCakes118.exe
Size

308KB
MD5

ec52a88ef30346c168c2c933b996c63b
SHA1

c5238d5987c41c4420ee9dc8baf67ae29203e58a
SHA256

b9900779a43961ddcbfbd22772d83e91b0dbb79904e93df622671f3b35c80bc3
SHA512

98fdc05208025b81c91d76a86da031c76a43d6a0b4a52e1a4cf1d8e03da21e82b28339e2639522d6ed1c5a1bc832927fcb03c36c6904de8ef6186854503465c6
SSDEEP

6144:F605Ug4F+2sespYsG14nCBKoJvJtsls4ZDsS4MbqFFUDjY0sQPp:n5Ugaw1GWC7B6lLhsS4zIDjSQ

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral1/memory/1736-14-0x0000000000400000-0x0000000000553210-memory.dmp	modiloader_stage2
behavioral1/memory/2308-16-0x0000000000400000-0x0000000000553210-memory.dmp	modiloader_stage2
behavioral1/memory/1736-19-0x0000000000400000-0x0000000000553210-memory.dmp	modiloader_stage2
behavioral1/memory/2308-28-0x0000000000400000-0x0000000000553210-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2888	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1736	explorer.bat

Loads dropped DLL 4 IoCs

pid	Process
2308	ec52a88ef30346c168c2c933b996c63b_JaffaCakes118.exe
2308	ec52a88ef30346c168c2c933b996c63b_JaffaCakes118.exe
2268	WerFault.exe
2268	WerFault.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\explorer.bat	ec52a88ef30346c168c2c933b996c63b_JaffaCakes118.exe
File opened for modification	C:\Program Files\explorer.bat	ec52a88ef30346c168c2c933b996c63b_JaffaCakes118.exe
File created	C:\Program Files\SxDel.bat	ec52a88ef30346c168c2c933b996c63b_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2268	1736	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec52a88ef30346c168c2c933b996c63b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1736	2308	ec52a88ef30346c168c2c933b996c63b_JaffaCakes118.exe	31
PID 2308 wrote to memory of 1736	2308	ec52a88ef30346c168c2c933b996c63b_JaffaCakes118.exe	31
PID 2308 wrote to memory of 1736	2308	ec52a88ef30346c168c2c933b996c63b_JaffaCakes118.exe	31
PID 2308 wrote to memory of 1736	2308	ec52a88ef30346c168c2c933b996c63b_JaffaCakes118.exe	31
PID 1736 wrote to memory of 2268	1736	explorer.bat	32
PID 1736 wrote to memory of 2268	1736	explorer.bat	32
PID 1736 wrote to memory of 2268	1736	explorer.bat	32
PID 1736 wrote to memory of 2268	1736	explorer.bat	32
PID 2308 wrote to memory of 2888	2308	ec52a88ef30346c168c2c933b996c63b_JaffaCakes118.exe	33
PID 2308 wrote to memory of 2888	2308	ec52a88ef30346c168c2c933b996c63b_JaffaCakes118.exe	33
PID 2308 wrote to memory of 2888	2308	ec52a88ef30346c168c2c933b996c63b_JaffaCakes118.exe	33
PID 2308 wrote to memory of 2888	2308	ec52a88ef30346c168c2c933b996c63b_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\ec52a88ef30346c168c2c933b996c63b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec52a88ef30346c168c2c933b996c63b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Program Files\explorer.bat
  "C:\Program Files\explorer.bat"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 284
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\SxDel.bat""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\SxDel.bat

Filesize
212B

MD5
772dd481af4b789e53946394d225f25e

SHA1
297a1a69422fb48cd3262662922e0fa757b11a22

SHA256
45377b00824bbc3dc2aaff0b1664e753dec508b5f888aa13c48dd14a0faca008

SHA512
838137335aac310f5c7ad4523f32e68063df97db65804609f6e28299346d619327b5da1710b3909b48b1bbd4d7e7d6899f256cab232e6f7db225ae910cf27972

Download Submit
C:\Program Files\explorer.bat

Filesize
308KB

MD5
ec52a88ef30346c168c2c933b996c63b

SHA1
c5238d5987c41c4420ee9dc8baf67ae29203e58a

SHA256
b9900779a43961ddcbfbd22772d83e91b0dbb79904e93df622671f3b35c80bc3

SHA512
98fdc05208025b81c91d76a86da031c76a43d6a0b4a52e1a4cf1d8e03da21e82b28339e2639522d6ed1c5a1bc832927fcb03c36c6904de8ef6186854503465c6

Download Submit
memory/1736-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1736-14-0x0000000000400000-0x0000000000553210-memory.dmp

Filesize
1.3MB

Download
memory/1736-15-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1736-19-0x0000000000400000-0x0000000000553210-memory.dmp

Filesize
1.3MB

Download
memory/2308-4-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2308-11-0x0000000003210000-0x0000000003364000-memory.dmp

Filesize
1.3MB

Download
memory/2308-12-0x0000000003210000-0x0000000003364000-memory.dmp

Filesize
1.3MB

Download
memory/2308-16-0x0000000000400000-0x0000000000553210-memory.dmp

Filesize
1.3MB

Download
memory/2308-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2308-0-0x0000000000400000-0x0000000000553210-memory.dmp

Filesize
1.3MB

Download
memory/2308-28-0x0000000000400000-0x0000000000553210-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing