modiloader | b40cb03d11a8d3c73209618416991a630175c6a134b490dd57f055af742cbd40

General

Target

ff1b6d980f3e425f4c25c750bca0f053_JaffaCakes118.exe
Size

286KB
MD5

ff1b6d980f3e425f4c25c750bca0f053
SHA1

5d8ae1f83d90d2eb77d3427223ce8bc39ef92ef7
SHA256

b40cb03d11a8d3c73209618416991a630175c6a134b490dd57f055af742cbd40
SHA512

398636220d6fdda358a27b263e3227f23d17ba93188dd66001a8978f68cc1787646edf3c3b7b15886d0b4cd1cf75fa753811e67b543ee7cc0e126359b16f088f
SSDEEP

6144:wlsgkPr455qsvdBQMl1tDAINCi9CBnNpri5nLEf+LSkz:w2Pr4esvz3deBNy4GL

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/1860-15-0x0000000000400000-0x00000000005471A4-memory.dmp	modiloader_stage2
behavioral1/memory/3020-17-0x0000000000400000-0x00000000005471A4-memory.dmp	modiloader_stage2
behavioral1/memory/1860-25-0x0000000000400000-0x00000000005471A4-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2772	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3020	cmd.bat

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SgotoDel.bat	ff1b6d980f3e425f4c25c750bca0f053_JaffaCakes118.exe
File created	C:\Windows\cmd.bat	ff1b6d980f3e425f4c25c750bca0f053_JaffaCakes118.exe
File opened for modification	C:\Windows\cmd.bat	ff1b6d980f3e425f4c25c750bca0f053_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2356	3020	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff1b6d980f3e425f4c25c750bca0f053_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 3020	1860	ff1b6d980f3e425f4c25c750bca0f053_JaffaCakes118.exe	30
PID 1860 wrote to memory of 3020	1860	ff1b6d980f3e425f4c25c750bca0f053_JaffaCakes118.exe	30
PID 1860 wrote to memory of 3020	1860	ff1b6d980f3e425f4c25c750bca0f053_JaffaCakes118.exe	30
PID 1860 wrote to memory of 3020	1860	ff1b6d980f3e425f4c25c750bca0f053_JaffaCakes118.exe	30
PID 3020 wrote to memory of 2356	3020	cmd.bat	31
PID 3020 wrote to memory of 2356	3020	cmd.bat	31
PID 3020 wrote to memory of 2356	3020	cmd.bat	31
PID 3020 wrote to memory of 2356	3020	cmd.bat	31
PID 1860 wrote to memory of 2772	1860	ff1b6d980f3e425f4c25c750bca0f053_JaffaCakes118.exe	33
PID 1860 wrote to memory of 2772	1860	ff1b6d980f3e425f4c25c750bca0f053_JaffaCakes118.exe	33
PID 1860 wrote to memory of 2772	1860	ff1b6d980f3e425f4c25c750bca0f053_JaffaCakes118.exe	33
PID 1860 wrote to memory of 2772	1860	ff1b6d980f3e425f4c25c750bca0f053_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\ff1b6d980f3e425f4c25c750bca0f053_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff1b6d980f3e425f4c25c750bca0f053_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\cmd.bat
  C:\Windows\cmd.bat
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 284
    3⤵
    - Program crash
    PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SgotoDel.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SgotoDel.bat

Filesize
212B

MD5
3e9f10d3df8e9f9904928005a43f1a93

SHA1
34ec878220e20e3f02448b93057bd9097b7122ab

SHA256
42c54d00508fe288a5a45359d91ca4188a7e461ac7c7278caf26b3a2956ff4d1

SHA512
02174abf7c1069de746f07d70debad79b533b3e87125e24cfdfe286ef2222e94655f8ca6f6f0d18c95c57f92f26e9ed7138a2a9fedfd770c0ab75bb6da457db5

Download Submit
C:\Windows\cmd.bat

Filesize
286KB

MD5
ff1b6d980f3e425f4c25c750bca0f053

SHA1
5d8ae1f83d90d2eb77d3427223ce8bc39ef92ef7

SHA256
b40cb03d11a8d3c73209618416991a630175c6a134b490dd57f055af742cbd40

SHA512
398636220d6fdda358a27b263e3227f23d17ba93188dd66001a8978f68cc1787646edf3c3b7b15886d0b4cd1cf75fa753811e67b543ee7cc0e126359b16f088f

Download Submit
memory/1860-11-0x0000000002F30000-0x0000000003078000-memory.dmp

Filesize
1.3MB

Download
memory/1860-4-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1860-0-0x0000000000400000-0x00000000005471A4-memory.dmp

Filesize
1.3MB

Download
memory/1860-9-0x0000000002F30000-0x0000000003078000-memory.dmp

Filesize
1.3MB

Download
memory/1860-15-0x0000000000400000-0x00000000005471A4-memory.dmp

Filesize
1.3MB

Download
memory/1860-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1860-25-0x0000000000400000-0x00000000005471A4-memory.dmp

Filesize
1.3MB

Download
memory/3020-13-0x0000000000400000-0x00000000005471A4-memory.dmp

Filesize
1.3MB

Download
memory/3020-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3020-14-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3020-16-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3020-17-0x0000000000400000-0x00000000005471A4-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing