modiloader | 647840b0c745bb5d9ef481038b6f45f2eda25f8483bbfea733fe7adac03c7455

General

Target

ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe
Size

188KB
MD5

ed0d6dd06661db39631a957f9ebd3c4c
SHA1

e847c151d71e169cbf9f83c93a18bfe5f9c3a6d5
SHA256

647840b0c745bb5d9ef481038b6f45f2eda25f8483bbfea733fe7adac03c7455
SHA512

c6e1740a492d6ebcd99756504e4e452af8711f8aba2d080bcac2ee2e808540624538222eeff6e89086222df57e5f819b90501e15aceee3a898f505d93aa20d24
SSDEEP

3072:pmwFa2NYyJ30qzzhKL6AO00K563RXBXBbourVRPDyrt:phbDzs595chJBbourVRP

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/2600-25-0x0000000000400000-0x0000000000432000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-50-0x0000000000400000-0x0000000000432000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2600	photo01.exe
2316	server.exe

Loads dropped DLL 6 IoCs

pid	Process
1448	ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe
1448	ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe
1448	ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe
1448	ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe
2600	photo01.exe
2600	photo01.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	photo01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2316	server.exe
2316	server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2124	DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1448	ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2600	1448	ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe	30
PID 1448 wrote to memory of 2600	1448	ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe	30
PID 1448 wrote to memory of 2600	1448	ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe	30
PID 1448 wrote to memory of 2600	1448	ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe	30
PID 2600 wrote to memory of 2316	2600	photo01.exe	31
PID 2600 wrote to memory of 2316	2600	photo01.exe	31
PID 2600 wrote to memory of 2316	2600	photo01.exe	31
PID 2600 wrote to memory of 2316	2600	photo01.exe	31
PID 2316 wrote to memory of 1236	2316	server.exe	21
PID 2316 wrote to memory of 1236	2316	server.exe	21
PID 2316 wrote to memory of 1236	2316	server.exe	21
PID 2316 wrote to memory of 1236	2316	server.exe	21
PID 2316 wrote to memory of 1236	2316	server.exe	21
PID 2316 wrote to memory of 1236	2316	server.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1236
- C:\Users\Admin\AppData\Local\Temp\ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Users\Admin\AppData\Local\Temp\photo01.exe
    "C:\Users\Admin\AppData\Local\Temp\photo01.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2316

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zabour.jpg

Filesize
55KB

MD5
095dc0190f34b162c1027b2108beae8a

SHA1
330fd7aff62e617d7db78aa3411141eeb75e6082

SHA256
5ddd498744efe01380e923f3a29065290c123a129b68c8de52d4d6a6b30014da

SHA512
21da19e0598b84e12386298ff3510644405df82ed804689750c9738bca80c7374ab61c3dcbb061b66b4a6aa4093756e9487195d964257d14280008a814028a72

Download Submit
\Users\Admin\AppData\Local\Temp\photo01.exe

Filesize
163KB

MD5
5042e637a61f374960f8d94dd121c1cd

SHA1
c3ad97167e820d5b6d7815fe01f995ba37b1ce6f

SHA256
b534d46182ca8c02df34cc1b96fac3c500c7d4c0fab1f4b1fb81cafee32e9437

SHA512
6e9c9afbcd8233e2fd8290e3f8c655ffe6dcbf0a1d88d33d2b94feab06a21ddc3551274d4517796390a052a1a4dafefca056ec1221824dc13721122b2c1c6ef8

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
50KB

MD5
790ca7727b189e9728b3b1eeb54a4fc7

SHA1
e048b9b9717bcc701b40e254783b33924ab7b413

SHA256
fc0641364c42caf5b4b92c7882242f9247d80b37692a4b39d3020f3816b10714

SHA512
69e4feabbd28b645a2a6333f45555d4ed17f7c71dc2607c727f96348c586c68180925a6c34c0425e68788cfcd9bdcbb1de1cc9ce3d3546d639b09e62de0836d7

Download Submit
memory/1236-45-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/1236-38-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/1448-22-0x0000000004120000-0x0000000004122000-memory.dmp

Filesize
8KB

Download
memory/1448-21-0x0000000004A00000-0x0000000004A32000-memory.dmp

Filesize
200KB

Download
memory/1448-19-0x0000000004A00000-0x0000000004A32000-memory.dmp

Filesize
200KB

Download
memory/1448-20-0x0000000004A00000-0x0000000004A32000-memory.dmp

Filesize
200KB

Download
memory/1448-62-0x0000000004A00000-0x0000000004A32000-memory.dmp

Filesize
200KB

Download
memory/1448-63-0x0000000004A00000-0x0000000004A32000-memory.dmp

Filesize
200KB

Download
memory/2124-49-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2316-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2600-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2600-29-0x0000000002550000-0x0000000002559000-memory.dmp

Filesize
36KB

Download
memory/2600-48-0x0000000003190000-0x0000000003192000-memory.dmp

Filesize
8KB

Download
memory/2600-50-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing