modiloader | dbfa6e510361d3dc1b36fe5c90c8c6702e436f7b5a02a5226522744ee5c608e2

General

Target

ee2eacf17a03aef062a4e12cf80da4c6_JaffaCakes118.exe
Size

1.7MB
MD5

ee2eacf17a03aef062a4e12cf80da4c6
SHA1

97d9c562251e0867dc81f33677278e788e80c719
SHA256

dbfa6e510361d3dc1b36fe5c90c8c6702e436f7b5a02a5226522744ee5c608e2
SHA512

6c43cfea2e363d57f8806708f2cd2682b53132efb63b0d499d756601e251ce8358f6c91dfbc5b5ce664d60f72e6670393fc12df9b62a8b8a0cd48f3f65032a7b
SSDEEP

49152:Z8ifEuFEhhjd27l7BB6pzE3AoktsMaIGswY0k7/yS2RDsSg/6Eo0r0IOllMq:n0jd27l7BB6m3AoktDaIG66S2RDJg/6V

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral1/memory/2220-15-0x0000000000400000-0x00000000005B8000-memory.dmp	modiloader_stage2
behavioral1/memory/2220-17-0x0000000000400000-0x00000000005B8000-memory.dmp	modiloader_stage2
behavioral1/memory/2220-21-0x0000000000400000-0x00000000005B8000-memory.dmp	modiloader_stage2
behavioral1/memory/2220-25-0x0000000000400000-0x00000000005B8000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
1692	ldapi32.exe

Loads dropped DLL 4 IoCs

pid	Process
2220	ee2eacf17a03aef062a4e12cf80da4c6_JaffaCakes118.exe
2220	ee2eacf17a03aef062a4e12cf80da4c6_JaffaCakes118.exe
2220	ee2eacf17a03aef062a4e12cf80da4c6_JaffaCakes118.exe
2220	ee2eacf17a03aef062a4e12cf80da4c6_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntswrl32.dll	ee2eacf17a03aef062a4e12cf80da4c6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ntcvx32.dll	ee2eacf17a03aef062a4e12cf80da4c6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ldapi32.exe	ee2eacf17a03aef062a4e12cf80da4c6_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee2eacf17a03aef062a4e12cf80da4c6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	ldapi32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2220	ee2eacf17a03aef062a4e12cf80da4c6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1692	2220	ee2eacf17a03aef062a4e12cf80da4c6_JaffaCakes118.exe	30
PID 2220 wrote to memory of 1692	2220	ee2eacf17a03aef062a4e12cf80da4c6_JaffaCakes118.exe	30
PID 2220 wrote to memory of 1692	2220	ee2eacf17a03aef062a4e12cf80da4c6_JaffaCakes118.exe	30
PID 2220 wrote to memory of 1692	2220	ee2eacf17a03aef062a4e12cf80da4c6_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\ee2eacf17a03aef062a4e12cf80da4c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee2eacf17a03aef062a4e12cf80da4c6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\ldapi32.exe
  C:\Windows\system32\ldapi32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\ldapi32.exe

Filesize
20KB

MD5
e38f905592325873f18354d051bc2a6f

SHA1
6246645f1e5d46e6dd3a4ba2fcb3a972d763c73b

SHA256
14a4420385ab920e1d208a39c6f1856088b085f556fc1cc008669de0f85c962c

SHA512
b5f409f5a9b2b099d400d8225f6a975338053fd13b5b1fba7361d3c8302b252f2717bc73e12d12bf848c34955aba3a926843f8c9049057b3e529a18271f64120

Download Submit
\Windows\SysWOW64\ntswrl32.dll

Filesize
11KB

MD5
895f481f8f64b882ad97653e2cfa1813

SHA1
06037524643c3a6525ab944dee26b82a9a58c68c

SHA256
ab161e229dc79cf5f0a0be35c4d617b55d5155a6ffd77e570a5a4914a4dc1bb5

SHA512
e6c3038a4f68fc02d0194896b9b31b48f572bae47749106460bc6e00d4fceb5ff8c14a2429a3d1f1f53ea37661dbb6bf4f564c6463b18d543dd5ac12e746a560

Download Submit
memory/1692-14-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2220-17-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/2220-16-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2220-15-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/2220-0-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2220-20-0x0000000076730000-0x0000000076731000-memory.dmp

Filesize
4KB

Download
memory/2220-22-0x0000000000880000-0x0000000000889000-memory.dmp

Filesize
36KB

Download
memory/2220-21-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/2220-25-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/2220-29-0x0000000076720000-0x0000000076810000-memory.dmp

Filesize
960KB

Download
memory/2220-35-0x0000000000880000-0x0000000000889000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing