modiloader | 92ac541bc3d2b602a419b9573ad6d9588f4a439585f3a2293ea7810dee4c2035

General

Target

f45447ed9d1a415c0f9c12fea0ede8a5_JaffaCakes118.exe
Size

289KB
MD5

f45447ed9d1a415c0f9c12fea0ede8a5
SHA1

afea7f558fa0e78559d5678f7cb1d699e4f66bf6
SHA256

92ac541bc3d2b602a419b9573ad6d9588f4a439585f3a2293ea7810dee4c2035
SHA512

f230c84149d4bf8b42d98c79d254f1cbcb4fff5540540d9f134a6bc7dc7d9703b82e3db804cb1c0213ed6564329b4a8e29c4ad0181a633811bbf10f7695b79bc
SSDEEP

6144:x0FolI3Yh63NPgZYhzMs0zPI0+EEjmZmNEGp9er4Loq:uFoe3ZNsYhozbC6xQ9e0Loq

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/2124-20-0x0000000000400000-0x00000000005481A4-memory.dmp	modiloader_stage2
behavioral1/memory/1044-22-0x0000000000400000-0x00000000005481A4-memory.dmp	modiloader_stage2
behavioral1/memory/2124-31-0x0000000000400000-0x00000000005481A4-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2520	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1044	360Safe.exe

Loads dropped DLL 7 IoCs

pid	Process
2124	f45447ed9d1a415c0f9c12fea0ede8a5_JaffaCakes118.exe
2124	f45447ed9d1a415c0f9c12fea0ede8a5_JaffaCakes118.exe
928	WerFault.exe
928	WerFault.exe
928	WerFault.exe
928	WerFault.exe
928	WerFault.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat	f45447ed9d1a415c0f9c12fea0ede8a5_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\360Safe.exe	f45447ed9d1a415c0f9c12fea0ede8a5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\360Safe.exe	f45447ed9d1a415c0f9c12fea0ede8a5_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process
928	1044	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f45447ed9d1a415c0f9c12fea0ede8a5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	360Safe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 1044	2124	f45447ed9d1a415c0f9c12fea0ede8a5_JaffaCakes118.exe	30
PID 2124 wrote to memory of 1044	2124	f45447ed9d1a415c0f9c12fea0ede8a5_JaffaCakes118.exe	30
PID 2124 wrote to memory of 1044	2124	f45447ed9d1a415c0f9c12fea0ede8a5_JaffaCakes118.exe	30
PID 2124 wrote to memory of 1044	2124	f45447ed9d1a415c0f9c12fea0ede8a5_JaffaCakes118.exe	30
PID 1044 wrote to memory of 928	1044	360Safe.exe	31
PID 1044 wrote to memory of 928	1044	360Safe.exe	31
PID 1044 wrote to memory of 928	1044	360Safe.exe	31
PID 1044 wrote to memory of 928	1044	360Safe.exe	31
PID 2124 wrote to memory of 2520	2124	f45447ed9d1a415c0f9c12fea0ede8a5_JaffaCakes118.exe	32
PID 2124 wrote to memory of 2520	2124	f45447ed9d1a415c0f9c12fea0ede8a5_JaffaCakes118.exe	32
PID 2124 wrote to memory of 2520	2124	f45447ed9d1a415c0f9c12fea0ede8a5_JaffaCakes118.exe	32
PID 2124 wrote to memory of 2520	2124	f45447ed9d1a415c0f9c12fea0ede8a5_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\f45447ed9d1a415c0f9c12fea0ede8a5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f45447ed9d1a415c0f9c12fea0ede8a5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\360Safe.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\360Safe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 292
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\SgotoDel.bat

Filesize
212B

MD5
beba9f8ef387cb244c6da31e0b12cf59

SHA1
ede7580aaab42621b0656cf2754f93fbaf196f78

SHA256
a7ea21ce049dedc69cbc462bc97966e1fc953778230c6c1a7d4ae44ea69f4530

SHA512
c8168508f81a8ad4b5b8f954d83edd7a2bae47109ac7aa8f0d112c23aaaf42a21fb98fef2773379014cf69d6b58144a46254599efe6d3afa57171d059ea873b4

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\360Safe.exe

Filesize
289KB

MD5
f45447ed9d1a415c0f9c12fea0ede8a5

SHA1
afea7f558fa0e78559d5678f7cb1d699e4f66bf6

SHA256
92ac541bc3d2b602a419b9573ad6d9588f4a439585f3a2293ea7810dee4c2035

SHA512
f230c84149d4bf8b42d98c79d254f1cbcb4fff5540540d9f134a6bc7dc7d9703b82e3db804cb1c0213ed6564329b4a8e29c4ad0181a633811bbf10f7695b79bc

Download Submit
memory/1044-14-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1044-22-0x0000000000400000-0x00000000005481A4-memory.dmp

Filesize
1.3MB

Download
memory/1044-23-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2124-2-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2124-13-0x0000000002280000-0x00000000023C9000-memory.dmp

Filesize
1.3MB

Download
memory/2124-12-0x0000000002280000-0x00000000023C9000-memory.dmp

Filesize
1.3MB

Download
memory/2124-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2124-20-0x0000000000400000-0x00000000005481A4-memory.dmp

Filesize
1.3MB

Download
memory/2124-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2124-0-0x0000000000400000-0x00000000005481A4-memory.dmp

Filesize
1.3MB

Download
memory/2124-31-0x0000000000400000-0x00000000005481A4-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing