modiloader | 9088b50009559b0862fe45c39f6686b3f3f84133ce2f8bec7165957eb270be5f

General

Target

ec915d1633b2e2e03759fb0186597219_JaffaCakes118.exe
Size

216KB
MD5

ec915d1633b2e2e03759fb0186597219
SHA1

754bae3b2c79233a1ebf60f3bc8e58f641ae9590
SHA256

9088b50009559b0862fe45c39f6686b3f3f84133ce2f8bec7165957eb270be5f
SHA512

ab38e1c48d4af07c7a7e1679257286c9131cbfa52fb1653bf0cf2ce7db37dc1888a33f6d224089de94b42c5577e3118096f86618c9c69f2512d349a182d751a5
SSDEEP

6144:EQaTpvBwDdO/tRmYRcNm9ashRC3jaTcRkIWOcMn:kNmD8fmqBjhRC3OeXb

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/1568-3-0x0000000000400000-0x0000000000436000-memory.dmp	modiloader_stage2
behavioral1/memory/1568-37-0x0000000000400000-0x0000000000436000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2216	server.exe

Loads dropped DLL 2 IoCs

pid	Process
1568	ec915d1633b2e2e03759fb0186597219_JaffaCakes118.exe
1568	ec915d1633b2e2e03759fb0186597219_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec915d1633b2e2e03759fb0186597219_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2216	server.exe
2216	server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1096	DllHost.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 2216	1568	ec915d1633b2e2e03759fb0186597219_JaffaCakes118.exe	29
PID 1568 wrote to memory of 2216	1568	ec915d1633b2e2e03759fb0186597219_JaffaCakes118.exe	29
PID 1568 wrote to memory of 2216	1568	ec915d1633b2e2e03759fb0186597219_JaffaCakes118.exe	29
PID 1568 wrote to memory of 2216	1568	ec915d1633b2e2e03759fb0186597219_JaffaCakes118.exe	29
PID 2216 wrote to memory of 1244	2216	server.exe	20
PID 2216 wrote to memory of 1244	2216	server.exe	20
PID 2216 wrote to memory of 1244	2216	server.exe	20
PID 2216 wrote to memory of 1244	2216	server.exe	20
PID 2216 wrote to memory of 1244	2216	server.exe	20
PID 2216 wrote to memory of 1244	2216	server.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\ec915d1633b2e2e03759fb0186597219_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ec915d1633b2e2e03759fb0186597219_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2216

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\70486.jpg

Filesize
50KB

MD5
d92264ef57c79e5e9bf94937edb0b2ce

SHA1
80b228b414dd05695340ec841e6872030a9a8acd

SHA256
47c06e958f650f52b50bb9b097e215150240e3fc8422462d7cbfce1cc4980e87

SHA512
7e66767a83d83d9b58a31dc112bc703626c8d6e6409790adbe3749f27117a25914472a1a36e0f72e0ca401670efba1d7931c7de46684ddf3f9b4f56427361092

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
28KB

MD5
862fac7c3da2182585c3f868b760b1fb

SHA1
85d3526f800d091961e0948e1586748c0f9b6946

SHA256
3a7aaaaafb806d6bf2f928a62c543aa32a10f72434447c93b63335c35341c0a7

SHA512
7f1fc4713a6816865ec2ad76970e3bb16e7cbe20340cbc3137acfe7e5942d3ccdf720ef7d59878946d3de9aed38a5b7c30cf100fada46ba79cb3d9b9fec05908

Download Submit
memory/1096-36-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/1244-16-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/1244-23-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/1568-2-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1568-8-0x0000000001FF0000-0x0000000001FF9000-memory.dmp

Filesize
36KB

Download
memory/1568-1-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1568-3-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1568-35-0x00000000021E0000-0x00000000021E2000-memory.dmp

Filesize
8KB

Download
memory/1568-37-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1568-0-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/2216-19-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing