modiloader | 041e8fc92dd5dcef95ba5c82203746d36792f56e1ef77cf8f13558eb18fa3d61

General

Target

fadbf7cb04f90eb43900f7327ba5e69c_JaffaCakes118.exe
Size

292KB
MD5

fadbf7cb04f90eb43900f7327ba5e69c
SHA1

54e73ac808e6ea34113c8b5331fb16d74fc4f2af
SHA256

041e8fc92dd5dcef95ba5c82203746d36792f56e1ef77cf8f13558eb18fa3d61
SHA512

41807aabbce15f0cef6d43d2066e3fc8f59b7bf71e50da19b7b9957cf48c5b1245c046b058bd287adceafc0344ee3b593d377c7bbeda437ce0b0372dae188969
SSDEEP

6144:hDORJ6TtxmFKEGSvBFaTGMxI2jX1LobQTgzXLu8NRlYp9Nofhw:+OrOvBFh2bFobQQaiMp9NZ

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/2272-4-0x0000000000400000-0x0000000000449000-memory.dmp	modiloader_stage2
behavioral1/memory/2272-5-0x0000000000400000-0x0000000000449000-memory.dmp	modiloader_stage2
behavioral1/memory/2272-25-0x0000000000400000-0x0000000000449000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

pid	Process
2296	AimPointÚÑÈí».exe
1808	server.exe
2760	server.exe

Loads dropped DLL 5 IoCs

pid	Process
2272	fadbf7cb04f90eb43900f7327ba5e69c_JaffaCakes118.exe
2272	fadbf7cb04f90eb43900f7327ba5e69c_JaffaCakes118.exe
2272	fadbf7cb04f90eb43900f7327ba5e69c_JaffaCakes118.exe
2272	fadbf7cb04f90eb43900f7327ba5e69c_JaffaCakes118.exe
1808	server.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1808 set thread context of 2760	1808	server.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AimPointÚÑÈí».exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fadbf7cb04f90eb43900f7327ba5e69c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2760	server.exe
2760	server.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2296	AimPointÚÑÈí».exe
2296	AimPointÚÑÈí».exe
1808	server.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2296	2272	fadbf7cb04f90eb43900f7327ba5e69c_JaffaCakes118.exe	31
PID 2272 wrote to memory of 2296	2272	fadbf7cb04f90eb43900f7327ba5e69c_JaffaCakes118.exe	31
PID 2272 wrote to memory of 2296	2272	fadbf7cb04f90eb43900f7327ba5e69c_JaffaCakes118.exe	31
PID 2272 wrote to memory of 2296	2272	fadbf7cb04f90eb43900f7327ba5e69c_JaffaCakes118.exe	31
PID 2272 wrote to memory of 1808	2272	fadbf7cb04f90eb43900f7327ba5e69c_JaffaCakes118.exe	32
PID 2272 wrote to memory of 1808	2272	fadbf7cb04f90eb43900f7327ba5e69c_JaffaCakes118.exe	32
PID 2272 wrote to memory of 1808	2272	fadbf7cb04f90eb43900f7327ba5e69c_JaffaCakes118.exe	32
PID 2272 wrote to memory of 1808	2272	fadbf7cb04f90eb43900f7327ba5e69c_JaffaCakes118.exe	32
PID 1808 wrote to memory of 2760	1808	server.exe	33
PID 1808 wrote to memory of 2760	1808	server.exe	33
PID 1808 wrote to memory of 2760	1808	server.exe	33
PID 1808 wrote to memory of 2760	1808	server.exe	33
PID 1808 wrote to memory of 2760	1808	server.exe	33
PID 1808 wrote to memory of 2760	1808	server.exe	33
PID 1808 wrote to memory of 2760	1808	server.exe	33
PID 1808 wrote to memory of 2760	1808	server.exe	33
PID 2760 wrote to memory of 1200	2760	server.exe	21
PID 2760 wrote to memory of 1200	2760	server.exe	21
PID 2760 wrote to memory of 1200	2760	server.exe	21
PID 2760 wrote to memory of 1200	2760	server.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\fadbf7cb04f90eb43900f7327ba5e69c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fadbf7cb04f90eb43900f7327ba5e69c_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\AimPointÚÑÈí».exe
    "C:\Users\Admin\AppData\Local\Temp\AimPointÚÑÈí».exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2296
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\AimPointÚÑÈí».exe

Filesize
84KB

MD5
b38c55fc0e34b0fa3239dad3317f3dd4

SHA1
ea05f72b91722b5fa5cc1bdb192a5db0f6ed83e3

SHA256
3d5cb3c39def952b1ce6b80b54c587ba3c34f5787b9356c519cb21d97219ad92

SHA512
0b553ef88ec2528f68b783f4e0972eaf2c2a1cfdee167b782a2783d410d6726d1899ca6512c159e11dbf6039a3d39fecbd699bfa3f72c476db98deba53fd4709

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
109KB

MD5
19fd7486bcbb9898f64e8d0e1794019b

SHA1
6bf720422ae8115e5872f6d0ff4208081a1a8b66

SHA256
bccf60f803bf57a9f9d11790f155f17d0d66dd15754bb94fe415716734eef2ca

SHA512
69827d963bf0bd69b7df02f0a78fe1f582c3c8c83a004181a989348827045570c360b6f6cf736b3f2ceba575bb10582aced1f7f0cfeed525787251c32efbc1aa

Download Submit
memory/1200-44-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1200-41-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1808-27-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1808-34-0x0000000000230000-0x0000000000293000-memory.dmp

Filesize
396KB

Download
memory/1808-39-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2272-25-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2272-1-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2272-19-0x0000000002B00000-0x0000000002B63000-memory.dmp

Filesize
396KB

Download
memory/2272-0-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/2272-5-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2272-3-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2272-4-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2760-38-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2760-35-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/2760-32-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2760-40-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download

Analysis

Sharing