modiloader | 52d0a13c9f15b915911e7362ec5e4b7c19ae9a2b4c0eedf822139f8c0e8466db

General

Target

f98637a0c698899ed520ae695c804d49_JaffaCakes118.exe
Size

748KB
MD5

f98637a0c698899ed520ae695c804d49
SHA1

06728e4644b0ea7db12a7492eb9682ed43e07769
SHA256

52d0a13c9f15b915911e7362ec5e4b7c19ae9a2b4c0eedf822139f8c0e8466db
SHA512

147c1966607e1d1107082bee47eb858f6b44fbd6844a0557c9e832861058a51409d16e9d8e6a75cdca87fdb767e5a940675e27c1a5183594b92fbb4244ca1785
SSDEEP

12288:XPLu4uxlc+OgHdJ4b+Mrc6vu50rtHPf76gw38OEYYyiaCpnTrobu:XPi1usJ4CMrnu5KX76gh3baKnTrqu

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral1/files/0x000700000001211b-3.dat	modiloader_stage2
behavioral1/memory/2408-18-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral1/memory/1600-23-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral1/memory/2052-24-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2
behavioral1/memory/1600-29-0x0000000000400000-0x00000000004C3000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2052	cookis.exe

Loads dropped DLL 5 IoCs

pid	Process
1600	f98637a0c698899ed520ae695c804d49_JaffaCakes118.exe
1600	f98637a0c698899ed520ae695c804d49_JaffaCakes118.exe
2360	WerFault.exe
2360	WerFault.exe
2360	WerFault.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\_cookis.exe	cookis.exe
File created	C:\Windows\SysWOW64\_cookis.exe	cookis.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2052 set thread context of 2408	2052	cookis.exe	31

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\cookis.exe	f98637a0c698899ed520ae695c804d49_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\cookis.exe	f98637a0c698899ed520ae695c804d49_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2360	2052	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f98637a0c698899ed520ae695c804d49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cookis.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 2052	1600	f98637a0c698899ed520ae695c804d49_JaffaCakes118.exe	30
PID 1600 wrote to memory of 2052	1600	f98637a0c698899ed520ae695c804d49_JaffaCakes118.exe	30
PID 1600 wrote to memory of 2052	1600	f98637a0c698899ed520ae695c804d49_JaffaCakes118.exe	30
PID 1600 wrote to memory of 2052	1600	f98637a0c698899ed520ae695c804d49_JaffaCakes118.exe	30
PID 2052 wrote to memory of 2408	2052	cookis.exe	31
PID 2052 wrote to memory of 2408	2052	cookis.exe	31
PID 2052 wrote to memory of 2408	2052	cookis.exe	31
PID 2052 wrote to memory of 2408	2052	cookis.exe	31
PID 2052 wrote to memory of 2408	2052	cookis.exe	31
PID 2052 wrote to memory of 2408	2052	cookis.exe	31
PID 2052 wrote to memory of 2360	2052	cookis.exe	32
PID 2052 wrote to memory of 2360	2052	cookis.exe	32
PID 2052 wrote to memory of 2360	2052	cookis.exe	32
PID 2052 wrote to memory of 2360	2052	cookis.exe	32

C:\Users\Admin\AppData\Local\Temp\f98637a0c698899ed520ae695c804d49_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f98637a0c698899ed520ae695c804d49_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\cookis.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\cookis.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:2408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 280
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Common Files\Microsoft Shared\MSInfo\cookis.exe

Filesize
748KB

MD5
f98637a0c698899ed520ae695c804d49

SHA1
06728e4644b0ea7db12a7492eb9682ed43e07769

SHA256
52d0a13c9f15b915911e7362ec5e4b7c19ae9a2b4c0eedf822139f8c0e8466db

SHA512
147c1966607e1d1107082bee47eb858f6b44fbd6844a0557c9e832861058a51409d16e9d8e6a75cdca87fdb767e5a940675e27c1a5183594b92fbb4244ca1785

Download Submit
memory/1600-2-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1600-23-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1600-29-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2052-10-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2052-25-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2052-24-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2408-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2408-16-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2408-18-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download

Analysis

Sharing