modiloader | 42a8b011ea909e76e91b70c0af554a0a06e1c3b7dfd5805d27b25e76dabd7aff

General

Target

f70e5bbe31a3b953ba55fcb35ff454b1_JaffaCakes118.exe
Size

597KB
MD5

f70e5bbe31a3b953ba55fcb35ff454b1
SHA1

d34b37b91fbdb995e0507c7a461f690bd105015f
SHA256

42a8b011ea909e76e91b70c0af554a0a06e1c3b7dfd5805d27b25e76dabd7aff
SHA512

6e1bcc4601696743c88e4c150113284e81f1e561ed09edf4dc8b540750921bb063b7359ad91bfa788befda2cf475ff6cc12e6dda21ad93d04253b19e2826568f
SSDEEP

12288:3M8FUr8wREWlM9Dvg+21c2obY7TsGsEbgO3yg:30rhRzM9DvWoc3sGbbgKyg

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/2932-50-0x0000000000400000-0x00000000004FE000-memory.dmp	modiloader_stage2
behavioral1/memory/1308-51-0x0000000000400000-0x00000000004FE000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2976	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2932	divepro.ini

Loads dropped DLL 2 IoCs

pid	Process
1308	f70e5bbe31a3b953ba55fcb35ff454b1_JaffaCakes118.exe
1308	f70e5bbe31a3b953ba55fcb35ff454b1_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\divepro.ini	f70e5bbe31a3b953ba55fcb35ff454b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\divepro.ini	f70e5bbe31a3b953ba55fcb35ff454b1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\divepro.ini	divepro.ini
File created	C:\Windows\SysWOW64\DaverDel.bat	f70e5bbe31a3b953ba55fcb35ff454b1_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f70e5bbe31a3b953ba55fcb35ff454b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 2932	1308	f70e5bbe31a3b953ba55fcb35ff454b1_JaffaCakes118.exe	29
PID 1308 wrote to memory of 2932	1308	f70e5bbe31a3b953ba55fcb35ff454b1_JaffaCakes118.exe	29
PID 1308 wrote to memory of 2932	1308	f70e5bbe31a3b953ba55fcb35ff454b1_JaffaCakes118.exe	29
PID 1308 wrote to memory of 2932	1308	f70e5bbe31a3b953ba55fcb35ff454b1_JaffaCakes118.exe	29
PID 1308 wrote to memory of 2976	1308	f70e5bbe31a3b953ba55fcb35ff454b1_JaffaCakes118.exe	30
PID 1308 wrote to memory of 2976	1308	f70e5bbe31a3b953ba55fcb35ff454b1_JaffaCakes118.exe	30
PID 1308 wrote to memory of 2976	1308	f70e5bbe31a3b953ba55fcb35ff454b1_JaffaCakes118.exe	30
PID 1308 wrote to memory of 2976	1308	f70e5bbe31a3b953ba55fcb35ff454b1_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\f70e5bbe31a3b953ba55fcb35ff454b1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f70e5bbe31a3b953ba55fcb35ff454b1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\SysWOW64\divepro.ini
  C:\Windows\system32\divepro.ini
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\DaverDel.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DaverDel.bat

Filesize
212B

MD5
2a2305448339aaba7d6f0ef5ad272b54

SHA1
92c73d342f718d641b61883763e67ebfd62d6042

SHA256
27c57ebb0387da46b7c08fe883f407c2528e9f0226abd84b390fcefcf0f27d00

SHA512
d267639c7379e5a8bdaeed411f520b2cfe80b54afc8551afde205b903b858bb97d2bfba04711db18bcec17b3529728f8c11ed921fb2dcf49eb0ac93b31e4b607

Download Submit
\Windows\SysWOW64\divepro.ini

Filesize
597KB

MD5
f70e5bbe31a3b953ba55fcb35ff454b1

SHA1
d34b37b91fbdb995e0507c7a461f690bd105015f

SHA256
42a8b011ea909e76e91b70c0af554a0a06e1c3b7dfd5805d27b25e76dabd7aff

SHA512
6e1bcc4601696743c88e4c150113284e81f1e561ed09edf4dc8b540750921bb063b7359ad91bfa788befda2cf475ff6cc12e6dda21ad93d04253b19e2826568f

Download Submit
memory/1308-24-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1308-6-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1308-7-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1308-23-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/1308-5-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1308-22-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1308-3-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1308-2-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1308-12-0x0000000002AB0000-0x0000000002AB2000-memory.dmp

Filesize
8KB

Download
memory/1308-11-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1308-10-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/1308-27-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/1308-9-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/1308-30-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1308-29-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1308-25-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

Filesize
4KB

Download
memory/1308-52-0x0000000000340000-0x0000000000390000-memory.dmp

Filesize
320KB

Download
memory/1308-8-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1308-4-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1308-21-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1308-20-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1308-19-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/1308-38-0x0000000002D50000-0x0000000002E4E000-memory.dmp

Filesize
1016KB

Download
memory/1308-51-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/1308-37-0x0000000002D50000-0x0000000002E4E000-memory.dmp

Filesize
1016KB

Download
memory/1308-18-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1308-17-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1308-16-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1308-15-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/1308-28-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/1308-26-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/1308-1-0x0000000000340000-0x0000000000390000-memory.dmp

Filesize
320KB

Download
memory/1308-0-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2932-50-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2932-40-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download

Analysis

Sharing