modiloader | c0293e8b11f3cb206c37fdaf150b81f5f15d33f3a929b4ff8ec30dae248e53f5

General

Target

96c4b48fbbd9a7b2bd0f6d24e81ce358_JaffaCakes118.exe
Size

82KB
MD5

96c4b48fbbd9a7b2bd0f6d24e81ce358
SHA1

a601ad493e2ed62020cbc300b8128eebad9027e5
SHA256

c0293e8b11f3cb206c37fdaf150b81f5f15d33f3a929b4ff8ec30dae248e53f5
SHA512

47947b802bb242049fac598e1ad6dafbd3aa7fdbc6db9423d3bf54e6922df6f4783f28c46472c47a62b9c94126947ebf26e00f72fe1e0ac509a70bed84207da4
SSDEEP

1536:mlj8JjgR2WyuZ+p77xtupPDtQXB5IY/25FnMbQFWvKUUEkZ4j63htmphCSaYEi8:8jPYRp77xtupPRQLGznzFWvzUNg0vmIx

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/2512-1-0x0000000000400000-0x000000000041D000-memory.dmp	modiloader_stage2
behavioral1/memory/2512-32-0x0000000000400000-0x000000000041C37A-memory.dmp	modiloader_stage2
behavioral1/memory/2512-33-0x0000000000400000-0x000000000041D000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

pid	Process
2556	Server.exe
2336	Server.exe
2920	server.exe

Loads dropped DLL 8 IoCs

pid	Process
2512	96c4b48fbbd9a7b2bd0f6d24e81ce358_JaffaCakes118.exe
2512	96c4b48fbbd9a7b2bd0f6d24e81ce358_JaffaCakes118.exe
2556	Server.exe
2592	WerFault.exe
2592	WerFault.exe
2592	WerFault.exe
2512	96c4b48fbbd9a7b2bd0f6d24e81ce358_JaffaCakes118.exe
2512	96c4b48fbbd9a7b2bd0f6d24e81ce358_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2556 set thread context of 2336	2556	Server.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2592	2336	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c4b48fbbd9a7b2bd0f6d24e81ce358_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2920	server.exe
2920	server.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2556	2512	96c4b48fbbd9a7b2bd0f6d24e81ce358_JaffaCakes118.exe	30
PID 2512 wrote to memory of 2556	2512	96c4b48fbbd9a7b2bd0f6d24e81ce358_JaffaCakes118.exe	30
PID 2512 wrote to memory of 2556	2512	96c4b48fbbd9a7b2bd0f6d24e81ce358_JaffaCakes118.exe	30
PID 2512 wrote to memory of 2556	2512	96c4b48fbbd9a7b2bd0f6d24e81ce358_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2336	2556	Server.exe	31
PID 2556 wrote to memory of 2336	2556	Server.exe	31
PID 2556 wrote to memory of 2336	2556	Server.exe	31
PID 2556 wrote to memory of 2336	2556	Server.exe	31
PID 2556 wrote to memory of 2336	2556	Server.exe	31
PID 2556 wrote to memory of 2336	2556	Server.exe	31
PID 2336 wrote to memory of 2592	2336	Server.exe	32
PID 2336 wrote to memory of 2592	2336	Server.exe	32
PID 2336 wrote to memory of 2592	2336	Server.exe	32
PID 2336 wrote to memory of 2592	2336	Server.exe	32
PID 2512 wrote to memory of 2920	2512	96c4b48fbbd9a7b2bd0f6d24e81ce358_JaffaCakes118.exe	34
PID 2512 wrote to memory of 2920	2512	96c4b48fbbd9a7b2bd0f6d24e81ce358_JaffaCakes118.exe	34
PID 2512 wrote to memory of 2920	2512	96c4b48fbbd9a7b2bd0f6d24e81ce358_JaffaCakes118.exe	34
PID 2512 wrote to memory of 2920	2512	96c4b48fbbd9a7b2bd0f6d24e81ce358_JaffaCakes118.exe	34
PID 2920 wrote to memory of 1232	2920	server.exe	21
PID 2920 wrote to memory of 1232	2920	server.exe	21
PID 2920 wrote to memory of 1232	2920	server.exe	21
PID 2920 wrote to memory of 1232	2920	server.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\96c4b48fbbd9a7b2bd0f6d24e81ce358_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\96c4b48fbbd9a7b2bd0f6d24e81ce358_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\Server.exe
      C:\Users\Admin\AppData\Local\Temp\Server.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2336
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 36
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2592
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
54KB

MD5
766e3784cee0de6be13b08276258bb8c

SHA1
a0f8e877e563a0b51478085034f433a45c1a5d0b

SHA256
73f2836030775b1e617512597d315e99116e9cca7023e9c0fd84b22f63de7aaa

SHA512
7f8248fb3dd3f828393d4e5509ff0962c22c37e1158eaca34117819893bd69c04c02f70f234dec63154c53cd5f5e3e05558e708dffb451fc22b0d28bf28777bc

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
14KB

MD5
8a81958ff76241c145186cf51b200b5c

SHA1
06b6704d52fff7ba5f0236890e1991d14bc68be3

SHA256
8176c499e09461d496555cd901cb8e14368fcbbcefe1e64d200ce17afd68fa0e

SHA512
23c4195cd15183b8cf56e2248896ab08d0abb1651644fc032f03e3f93015d55f25742345d96e7efe0ce21323553abd99a8e76807bd2325a09206b7c180f04ed1

Download Submit
memory/1232-43-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1232-40-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/2336-20-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2336-17-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2336-15-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2336-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2336-12-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2512-34-0x0000000002410000-0x0000000002419000-memory.dmp

Filesize
36KB

Download
memory/2512-33-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2512-1-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2512-32-0x0000000000400000-0x000000000041C37A-memory.dmp

Filesize
112KB

Download
memory/2512-52-0x0000000002410000-0x0000000002419000-memory.dmp

Filesize
36KB

Download
memory/2920-36-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2920-37-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing