modiloader | 0954424e1ee9fa6c1434e7894663e5b6b6528a7bb84bd634278122ddda3994ac

General

Target

fedd2c5184b8d7adebd7f085592f0a9f_JaffaCakes118.exe
Size

284KB
MD5

fedd2c5184b8d7adebd7f085592f0a9f
SHA1

ad560d6e7cfd5e9925e95ea046ece4ea868e4d55
SHA256

0954424e1ee9fa6c1434e7894663e5b6b6528a7bb84bd634278122ddda3994ac
SHA512

afb3accdbc28cc1f03c483302403629193df37486243f34f72314c3ac62138dc7ec949060838bc2b4b7527c63c3b32ef350cc08079e1553b3499cee8c877dc92
SSDEEP

6144:WhKz89RI+BTs4vV7hFj9YyrnF+TlUmZ4NA5U+V:WhKzkqwBV7Dj9fUJzZr

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/3000-19-0x0000000000400000-0x00000000005421A4-memory.dmp	modiloader_stage2
behavioral1/memory/2256-21-0x0000000000400000-0x00000000005421A4-memory.dmp	modiloader_stage2
behavioral1/memory/3000-30-0x0000000000400000-0x00000000005421A4-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2620	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2256	explorer.bat

Loads dropped DLL 4 IoCs

pid	Process
3000	fedd2c5184b8d7adebd7f085592f0a9f_JaffaCakes118.exe
3000	fedd2c5184b8d7adebd7f085592f0a9f_JaffaCakes118.exe
2060	WerFault.exe
2060	WerFault.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\explorer.bat	fedd2c5184b8d7adebd7f085592f0a9f_JaffaCakes118.exe
File opened for modification	C:\Program Files\explorer.bat	fedd2c5184b8d7adebd7f085592f0a9f_JaffaCakes118.exe
File created	C:\Program Files\SxDel.bat	fedd2c5184b8d7adebd7f085592f0a9f_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2060	2256	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fedd2c5184b8d7adebd7f085592f0a9f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2256	3000	fedd2c5184b8d7adebd7f085592f0a9f_JaffaCakes118.exe	30
PID 3000 wrote to memory of 2256	3000	fedd2c5184b8d7adebd7f085592f0a9f_JaffaCakes118.exe	30
PID 3000 wrote to memory of 2256	3000	fedd2c5184b8d7adebd7f085592f0a9f_JaffaCakes118.exe	30
PID 3000 wrote to memory of 2256	3000	fedd2c5184b8d7adebd7f085592f0a9f_JaffaCakes118.exe	30
PID 2256 wrote to memory of 2060	2256	explorer.bat	31
PID 2256 wrote to memory of 2060	2256	explorer.bat	31
PID 2256 wrote to memory of 2060	2256	explorer.bat	31
PID 2256 wrote to memory of 2060	2256	explorer.bat	31
PID 3000 wrote to memory of 2620	3000	fedd2c5184b8d7adebd7f085592f0a9f_JaffaCakes118.exe	33
PID 3000 wrote to memory of 2620	3000	fedd2c5184b8d7adebd7f085592f0a9f_JaffaCakes118.exe	33
PID 3000 wrote to memory of 2620	3000	fedd2c5184b8d7adebd7f085592f0a9f_JaffaCakes118.exe	33
PID 3000 wrote to memory of 2620	3000	fedd2c5184b8d7adebd7f085592f0a9f_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\fedd2c5184b8d7adebd7f085592f0a9f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fedd2c5184b8d7adebd7f085592f0a9f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Program Files\explorer.bat
  "C:\Program Files\explorer.bat"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 284
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\SxDel.bat""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\SxDel.bat

Filesize
212B

MD5
517b2bcd6d7e1932d7e6015204127d6e

SHA1
14cbd09080b4ae568c1f549bccdcecffdeac683b

SHA256
2abdc86ba0acdfc4a94f3aa63186cd9ee626111e9936aa772f99793bdbe4aee6

SHA512
8b3e0f788e402658d2a3ab0dcb93d2c5a76cb7adda4f80f06c4b347d3eebfa11f7be0422d65019759e271e5b704f81fd0165a8548a0d22c738c5229b6cb0e9fe

Download Submit
\Program Files\explorer.bat

Filesize
284KB

MD5
fedd2c5184b8d7adebd7f085592f0a9f

SHA1
ad560d6e7cfd5e9925e95ea046ece4ea868e4d55

SHA256
0954424e1ee9fa6c1434e7894663e5b6b6528a7bb84bd634278122ddda3994ac

SHA512
afb3accdbc28cc1f03c483302403629193df37486243f34f72314c3ac62138dc7ec949060838bc2b4b7527c63c3b32ef350cc08079e1553b3499cee8c877dc92

Download Submit
memory/2256-14-0x0000000000400000-0x00000000005421A4-memory.dmp

Filesize
1.3MB

Download
memory/2256-15-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2256-16-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2256-21-0x0000000000400000-0x00000000005421A4-memory.dmp

Filesize
1.3MB

Download
memory/2256-22-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3000-2-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3000-11-0x0000000002F40000-0x0000000003083000-memory.dmp

Filesize
1.3MB

Download
memory/3000-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3000-12-0x0000000002F40000-0x0000000003083000-memory.dmp

Filesize
1.3MB

Download
memory/3000-19-0x0000000000400000-0x00000000005421A4-memory.dmp

Filesize
1.3MB

Download
memory/3000-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3000-0-0x0000000000400000-0x00000000005421A4-memory.dmp

Filesize
1.3MB

Download
memory/3000-30-0x0000000000400000-0x00000000005421A4-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing