modiloader | 642a7c7e0ab17ea171af6cea6818c5206f068ca30407af786c05ffddaa1df664

General

Target

f0b51b01a8bb25cfc0be4cc53adff0d4_JaffaCakes118.exe
Size

389KB
MD5

f0b51b01a8bb25cfc0be4cc53adff0d4
SHA1

8a37ff06e4f1daf98ef706ddd69907c292778bb9
SHA256

642a7c7e0ab17ea171af6cea6818c5206f068ca30407af786c05ffddaa1df664
SHA512

f32b25708cd633a670fb333b7ce60fc08580641e8ba6d6065edca8dd773801e30b57d9be497e64d58a93b560a01c6b52611fd4cc3f4106f0499fe29d9962418b
SSDEEP

12288:PKn08OYFPmp9WmtCv3bsz3DSiBBa1k6Z:PK081Vesmov3gz3DSSBMZ

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 7 IoCs

resource	yara_rule
behavioral1/memory/1868-5-0x0000000000400000-0x0000000000527000-memory.dmp	modiloader_stage2
behavioral1/memory/2084-15-0x0000000000400000-0x0000000000527000-memory.dmp	modiloader_stage2
behavioral1/memory/2084-13-0x0000000000400000-0x0000000000527000-memory.dmp	modiloader_stage2
behavioral1/memory/2084-16-0x0000000000400000-0x0000000000527000-memory.dmp	modiloader_stage2
behavioral1/memory/1868-17-0x0000000000400000-0x0000000000527000-memory.dmp	modiloader_stage2
behavioral1/memory/2084-19-0x0000000000400000-0x0000000000527000-memory.dmp	modiloader_stage2
behavioral1/memory/1868-27-0x0000000000400000-0x0000000000527000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
1632	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2084	re91.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\ReDelBat.bat	f0b51b01a8bb25cfc0be4cc53adff0d4_JaffaCakes118.exe
File created	C:\Windows\re91.exe	f0b51b01a8bb25cfc0be4cc53adff0d4_JaffaCakes118.exe
File opened for modification	C:\Windows\re91.exe	f0b51b01a8bb25cfc0be4cc53adff0d4_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2480	2084	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0b51b01a8bb25cfc0be4cc53adff0d4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	re91.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 2084	1868	f0b51b01a8bb25cfc0be4cc53adff0d4_JaffaCakes118.exe	30
PID 1868 wrote to memory of 2084	1868	f0b51b01a8bb25cfc0be4cc53adff0d4_JaffaCakes118.exe	30
PID 1868 wrote to memory of 2084	1868	f0b51b01a8bb25cfc0be4cc53adff0d4_JaffaCakes118.exe	30
PID 1868 wrote to memory of 2084	1868	f0b51b01a8bb25cfc0be4cc53adff0d4_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2480	2084	re91.exe	31
PID 2084 wrote to memory of 2480	2084	re91.exe	31
PID 2084 wrote to memory of 2480	2084	re91.exe	31
PID 2084 wrote to memory of 2480	2084	re91.exe	31
PID 1868 wrote to memory of 1632	1868	f0b51b01a8bb25cfc0be4cc53adff0d4_JaffaCakes118.exe	33
PID 1868 wrote to memory of 1632	1868	f0b51b01a8bb25cfc0be4cc53adff0d4_JaffaCakes118.exe	33
PID 1868 wrote to memory of 1632	1868	f0b51b01a8bb25cfc0be4cc53adff0d4_JaffaCakes118.exe	33
PID 1868 wrote to memory of 1632	1868	f0b51b01a8bb25cfc0be4cc53adff0d4_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\f0b51b01a8bb25cfc0be4cc53adff0d4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f0b51b01a8bb25cfc0be4cc53adff0d4_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\re91.exe
  C:\Windows\re91.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 284
    3⤵
    - Program crash
    PID:2480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\ReDelBat.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ReDelBat.bat

Filesize
212B

MD5
8c3ed75cbca057d0b1fc383be3dfc937

SHA1
3cc85fc59aca4acaf7ea5a87555662286bdb43c2

SHA256
84f746919b13b0d5ce190ccc9d8ad9b5a6f5bad4d5dd690b4fcf235a21ea29ad

SHA512
6c1132a48da16d292831b3d9420bb79010a34d71e0cc3ced232e11ede281d17dd55c30c6b6dbdf7c9f8548664f349a8db2d414cc654449d7c7a66eefa0075106

Download Submit
C:\Windows\re91.exe

Filesize
389KB

MD5
f0b51b01a8bb25cfc0be4cc53adff0d4

SHA1
8a37ff06e4f1daf98ef706ddd69907c292778bb9

SHA256
642a7c7e0ab17ea171af6cea6818c5206f068ca30407af786c05ffddaa1df664

SHA512
f32b25708cd633a670fb333b7ce60fc08580641e8ba6d6065edca8dd773801e30b57d9be497e64d58a93b560a01c6b52611fd4cc3f4106f0499fe29d9962418b

Download Submit
memory/1868-18-0x00000000004C5000-0x0000000000526000-memory.dmp

Filesize
388KB

Download
memory/1868-2-0x00000000004C5000-0x0000000000526000-memory.dmp

Filesize
388KB

Download
memory/1868-1-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/1868-5-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/1868-14-0x0000000002F30000-0x0000000003057000-memory.dmp

Filesize
1.2MB

Download
memory/1868-0-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/1868-27-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/1868-12-0x0000000002F30000-0x0000000003057000-memory.dmp

Filesize
1.2MB

Download
memory/1868-17-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/2084-15-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/2084-19-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/2084-16-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/2084-13-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing