modiloader | a7e2a2accb0e249448b07f11bc58f30edf17e190ea859ce04bd1a5e09c423c14

General

Target

f565a552325029a85f630f64c5ff35aa_JaffaCakes118.exe
Size

2.6MB
MD5

f565a552325029a85f630f64c5ff35aa
SHA1

59c46f6654380af880db7ab38df4082de05b4bff
SHA256

a7e2a2accb0e249448b07f11bc58f30edf17e190ea859ce04bd1a5e09c423c14
SHA512

f24b5851de2e5750f4703a9998df67d8b0723abb5dd651c0c8bf9be1c4ea3f71574a0f469a0133944f6c234aae35417099c5076eb7922c70cdbf4016c9662a1b
SSDEEP

49152:u5p6rzE46JC4IxCr3BYfijb/1NgXPWz4tJ9u+/o72Tsf/8zAu:WoLKdNgfWs9u+wb8zAu

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/3036-24-0x0000000000220000-0x0000000000244000-memory.dmp	modiloader_stage2
behavioral1/memory/3036-27-0x0000000000220000-0x0000000000244000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
3036	server.exe
2560	QQ.exe

Loads dropped DLL 4 IoCs

pid	Process
2300	f565a552325029a85f630f64c5ff35aa_JaffaCakes118.exe
2300	f565a552325029a85f630f64c5ff35aa_JaffaCakes118.exe
2300	f565a552325029a85f630f64c5ff35aa_JaffaCakes118.exe
3036	server.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\atmQQ2.dll	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f565a552325029a85f630f64c5ff35aa_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3036	server.exe
3036	server.exe
3036	server.exe
3036	server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3036	server.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 3036	2300	f565a552325029a85f630f64c5ff35aa_JaffaCakes118.exe	30
PID 2300 wrote to memory of 3036	2300	f565a552325029a85f630f64c5ff35aa_JaffaCakes118.exe	30
PID 2300 wrote to memory of 3036	2300	f565a552325029a85f630f64c5ff35aa_JaffaCakes118.exe	30
PID 2300 wrote to memory of 3036	2300	f565a552325029a85f630f64c5ff35aa_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\f565a552325029a85f630f64c5ff35aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f565a552325029a85f630f64c5ff35aa_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3036
- C:\Users\Admin\AppData\Local\Temp\QQ.exe
  "C:\Users\Admin\AppData\Local\Temp\QQ.exe"
  2⤵
  - Executes dropped EXE
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QQ.exe

Filesize
1.9MB

MD5
29a861ef2ad8988732af4c5fae99e931

SHA1
a495371c729baadcfd923cd7b0a47e835c44ec03

SHA256
f36b92724009c9e7fd54cde0458e379a3d63b056fe0d6e4b5523f72281b45ba3

SHA512
b7442b9e4c962352a5e1ad413187ba19d5fbf53c246b9808b2afdc3ff992f5d2f99f66bd908969106a734fb603b7ca0475436244c0079b3e4799bc28fae56ccf

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\atmQQ2.dll

Filesize
21KB

MD5
4edab5d104e0daa48304b9269ca2388f

SHA1
c663cf65c3501046777bb77a25dd6904dd7311ef

SHA256
aff0e348111d47a3a00bb135f559b9a83b541f8050671c93644c41db167eb6c7

SHA512
a4315dc424ea23c9b40886e51c451fffb6a822864ba7025c63c1d9a1279bbeeb5069d8c4ccebfd70b06d6198f1dc4399bf5bbf39d15749c5ba290f0651c5be34

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
40KB

MD5
7e680fd9ce92fa5994c1c540013d9cb3

SHA1
f46db2c360f970dba952a02fe965601759239599

SHA256
86b65121c16c097da9890358d0ce76cf115ebec977feb68ae44402aab394bb2b

SHA512
1bfc608b5adfe2dab28d9d4ef83a476176e51536215cd1c786b2675b7a4addbb2f69a493377dd66d467ac94829f20998ba1fc64efaa5986fdf0b03f779b59ea2

Download Submit
memory/2300-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2300-12-0x0000000003560000-0x0000000003582000-memory.dmp

Filesize
136KB

Download
memory/2300-10-0x0000000003560000-0x0000000003582000-memory.dmp

Filesize
136KB

Download
memory/2300-23-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3036-14-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/3036-24-0x0000000000220000-0x0000000000244000-memory.dmp

Filesize
144KB

Download
memory/3036-25-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3036-26-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/3036-27-0x0000000000220000-0x0000000000244000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing