modiloader | c2bdb2b1f9a76c1087ac84d303441793e17b4f5e5a59cd4a2269bfe96e5515fa

General

Target

910dfd05b43191f376040a0325b79795_JaffaCakes118.exe
Size

872KB
MD5

910dfd05b43191f376040a0325b79795
SHA1

2cd9d7a05387efd1f28f6f307c5aee1d5661a977
SHA256

c2bdb2b1f9a76c1087ac84d303441793e17b4f5e5a59cd4a2269bfe96e5515fa
SHA512

82a7934ac51ea1e26bd60644b8ae93e07d60df133f3e72dd85c9773a9eb0b44071a0093e76492fed10842b14f2bf2cbe85766f0f155f8be6353aeec7ee3f181d
SSDEEP

24576:k1dlZo5r5SM6Wp7Utyd2ViBiMP4bXvwbtPbWw7Pv:k1dlZor5SMOtVS74zvkaw7n

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2800-41-0x0000000000400000-0x00000000004EB000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2800	2222.exe
1156	D.exe

Loads dropped DLL 4 IoCs

pid	Process
2860	910dfd05b43191f376040a0325b79795_JaffaCakes118.exe
2860	910dfd05b43191f376040a0325b79795_JaffaCakes118.exe
2800	2222.exe
2800	2222.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\advapi32.dll	2222.exe
File created	C:\Windows\SysWOW64\advapi32.dll	2222.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	910dfd05b43191f376040a0325b79795_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1156	D.exe
1156	D.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2068	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2068	DllHost.exe
2068	DllHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2800	2860	910dfd05b43191f376040a0325b79795_JaffaCakes118.exe	31
PID 2860 wrote to memory of 2800	2860	910dfd05b43191f376040a0325b79795_JaffaCakes118.exe	31
PID 2860 wrote to memory of 2800	2860	910dfd05b43191f376040a0325b79795_JaffaCakes118.exe	31
PID 2860 wrote to memory of 2800	2860	910dfd05b43191f376040a0325b79795_JaffaCakes118.exe	31
PID 2800 wrote to memory of 1156	2800	2222.exe	32
PID 2800 wrote to memory of 1156	2800	2222.exe	32
PID 2800 wrote to memory of 1156	2800	2222.exe	32
PID 2800 wrote to memory of 1156	2800	2222.exe	32
PID 1156 wrote to memory of 1352	1156	D.exe	21
PID 1156 wrote to memory of 1352	1156	D.exe	21
PID 1156 wrote to memory of 1352	1156	D.exe	21
PID 1156 wrote to memory of 1352	1156	D.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1352
- C:\Users\Admin\AppData\Local\Temp\910dfd05b43191f376040a0325b79795_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\910dfd05b43191f376040a0325b79795_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\2222.exe
    "C:\Users\Admin\AppData\Local\Temp\2222.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\D.exe
      "C:\Users\Admin\AppData\Local\Temp\D.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1156

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\225331_105150109576906_100002457521796_45707_4863942_n.jpg

Filesize
28KB

MD5
5a392698af7033b5ae7291caf45c6621

SHA1
c541c927811b7052c68496a667b0ecb95f1435dd

SHA256
875b86cb4664883b2317af666c6baed69aefede9c910cbe8bd513e05a6210afa

SHA512
fc40ec177e2f1b0f8439eb0369db8ee0a5001b02ba8cee410802cea2ce62f89d9de99c1931e00dfc97aeb8e980504e76d60c2a796fc396ae41af3e40cee6ffe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\D.exe

Filesize
31KB

MD5
bebf90842a3fb7606a38e2818c1f6475

SHA1
a1360e2ce4a1888d28feaa389284c205fcd35c06

SHA256
2b9b8642b2bbe746daa426d3dabc0a7c5a30875f1aa69f3f49eea9744af63dbf

SHA512
79314f789931444a2c967c7f2bcda751277a89eefc7936b75e6400ca77e42d940fee4fc0511561facb87e04f8e16e3535f64eb574b9eacd96f86d028f93901ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfx.ini

Filesize
249B

MD5
31a8177375dc81dd2766d3c814ce37d4

SHA1
64c6ea57d5b137c69fad92a815dbe30310fdbfb1

SHA256
997ee54fd1e29bc3f5018f566f580c417a8f43c6e8f80520f530f759c972e56f

SHA512
81bb55629d2668c12d17cf0e450b8f81d52896eb37927830fdbca229d444cda3108619e19712ad1af066b046485330a56b3269a7eab6bdc01af4a25258034bec

Download Submit
\Users\Admin\AppData\Local\Temp\2222.exe

Filesize
821KB

MD5
86b5bb3f6a58ab52c284a30de8930c26

SHA1
35ab299c53ba50182a4fe4e2adad5249c06f3c33

SHA256
6f9fed677f545a7aa7ade0719e19c62646d3909431109e544fa1dddc6ab57990

SHA512
8a49f4742d399a170c87545a1a9bf2ff8d4e467d9579e4aaa146bbacdd09cad79e70437824e90f28162b395a3e459464d466379772f52e0caf42654a8c2d316d

Download Submit
memory/1156-44-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/1352-50-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1352-47-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/2068-19-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2068-23-0x0000000077BD0000-0x0000000077D79000-memory.dmp

Filesize
1.7MB

Download
memory/2800-41-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2800-32-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2800-43-0x0000000077BD0000-0x0000000077D79000-memory.dmp

Filesize
1.7MB

Download
memory/2860-30-0x0000000001E50000-0x0000000001F3B000-memory.dmp

Filesize
940KB

Download
memory/2860-24-0x00000000036B0000-0x000000000379B000-memory.dmp

Filesize
940KB

Download
memory/2860-18-0x0000000003060000-0x0000000003062000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing