modiloader | 1ab813e1eabc56689cca8707fba2bc6299b98f56c02d9d621e49a613ec4c887c

General

Target

ac105711978b60ce8815e262bbbc77e9_JaffaCakes118.exe
Size

1.6MB
MD5

ac105711978b60ce8815e262bbbc77e9
SHA1

190e2bb7509c78956b22e2d9f8c8e5883b30a234
SHA256

1ab813e1eabc56689cca8707fba2bc6299b98f56c02d9d621e49a613ec4c887c
SHA512

c36f30f9fa0234fb9b67b9dc494136cbe93c99599bf8d78cd53de09b378ccffd880abfea67d8fc0a8a2b435a86376e5bd09022be7668822a95e0c5b28ac57eed
SSDEEP

24576:EifSC/2lqqfQZ7uVeWi/UtUzD8gbFStU4gf2EW5A2DJr/kS4vGIk6v3HXsw:EiKRwwVmUtqD8gbFh43Dp/wPHD

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/3016-47-0x00000000001B0000-0x00000000001D3000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

pid	Process
2824	GZ.exe
3016	QQ.exe
2748	Hacker.com.cn.exe

Loads dropped DLL 5 IoCs

pid	Process
2996	ac105711978b60ce8815e262bbbc77e9_JaffaCakes118.exe
2996	ac105711978b60ce8815e262bbbc77e9_JaffaCakes118.exe
2996	ac105711978b60ce8815e262bbbc77e9_JaffaCakes118.exe
2996	ac105711978b60ce8815e262bbbc77e9_JaffaCakes118.exe
3016	QQ.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\atmQQ2.dll	QQ.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	GZ.exe
File created	C:\Windows\Hacker.com.cn.exe	GZ.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	GZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac105711978b60ce8815e262bbbc77e9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hacker.com.cn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3016	QQ.exe
3016	QQ.exe
3016	QQ.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	GZ.exe
Token: SeSystemtimePrivilege	3016	QQ.exe
Token: SeDebugPrivilege	2748	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2748	Hacker.com.cn.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3016	QQ.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2824	2996	ac105711978b60ce8815e262bbbc77e9_JaffaCakes118.exe	30
PID 2996 wrote to memory of 2824	2996	ac105711978b60ce8815e262bbbc77e9_JaffaCakes118.exe	30
PID 2996 wrote to memory of 2824	2996	ac105711978b60ce8815e262bbbc77e9_JaffaCakes118.exe	30
PID 2996 wrote to memory of 2824	2996	ac105711978b60ce8815e262bbbc77e9_JaffaCakes118.exe	30
PID 2996 wrote to memory of 3016	2996	ac105711978b60ce8815e262bbbc77e9_JaffaCakes118.exe	31
PID 2996 wrote to memory of 3016	2996	ac105711978b60ce8815e262bbbc77e9_JaffaCakes118.exe	31
PID 2996 wrote to memory of 3016	2996	ac105711978b60ce8815e262bbbc77e9_JaffaCakes118.exe	31
PID 2996 wrote to memory of 3016	2996	ac105711978b60ce8815e262bbbc77e9_JaffaCakes118.exe	31
PID 2748 wrote to memory of 1648	2748	Hacker.com.cn.exe	33
PID 2748 wrote to memory of 1648	2748	Hacker.com.cn.exe	33
PID 2748 wrote to memory of 1648	2748	Hacker.com.cn.exe	33
PID 2748 wrote to memory of 1648	2748	Hacker.com.cn.exe	33
PID 2824 wrote to memory of 2176	2824	GZ.exe	34
PID 2824 wrote to memory of 2176	2824	GZ.exe	34
PID 2824 wrote to memory of 2176	2824	GZ.exe	34
PID 2824 wrote to memory of 2176	2824	GZ.exe	34
PID 2824 wrote to memory of 2176	2824	GZ.exe	34
PID 2824 wrote to memory of 2176	2824	GZ.exe	34
PID 2824 wrote to memory of 2176	2824	GZ.exe	34

C:\Users\Admin\AppData\Local\Temp\ac105711978b60ce8815e262bbbc77e9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ac105711978b60ce8815e262bbbc77e9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\AppData\Local\Temp\GZ.exe
  "C:\Users\Admin\AppData\Local\Temp\GZ.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2176
- C:\Users\Admin\AppData\Local\Temp\QQ.exe
  "C:\Users\Admin\AppData\Local\Temp\QQ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3016

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\uninstal.bat

Filesize
130B

MD5
dfb48f7ef2ca915876aacbce05cdb5bd

SHA1
0138aed43f23e294aff90d7790af9ce8f0f3c455

SHA256
1bc718af3bfb9dc47285331d65795f5d8b6a6942656c24d6cb3f76ad6d368b8e

SHA512
4b1399c142ce49ea1c09039c22fd665741b74b7c1feb8eb9885ff116b2156d3162bc173e2fea6d9142001d48b1561a6b848df6dd6432b862fde17643490ba052

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\atmQQ2.dll

Filesize
20KB

MD5
ceab948eadf5b3fa4bed38b54d982552

SHA1
93c5545bff8b76c32b76ce8f49b435052e3cb759

SHA256
ff67e28ccc37d6e00f3e0549614b12d9c758432d0cfcfaab3edcf9be739f0f04

SHA512
bfb2212e27ab50b89317565b5da71d3f2f495fb20ca3fedf8661d7f2cc3df04b02dc22d5005c2d2eb2dd321229aabbacb454bd0b9d923813e096e360b1ed5733

Download Submit
\Users\Admin\AppData\Local\Temp\GZ.exe

Filesize
743KB

MD5
5c39c5c8973485dcd35fe4938b84513b

SHA1
fbbcde2dc482dd579c5db8761f499a5a9ca17edf

SHA256
cc84f7cf65b88511f8f8604ef475518e085b7f3d16d8ab0a63e25fbad3bd1207

SHA512
513e8e73cdc15a55c72c7f8eaeb3d7b5e861bf330aad1965e80f7e53264c502f99c37ef69ee911d0d943d585c49345e662d4657f67b92f00475400bc3127ffec

Download Submit
\Users\Admin\AppData\Local\Temp\QQ.exe

Filesize
37KB

MD5
029447e7fdf7d4fbdb422b46280f385f

SHA1
e6711021aaded7f77f33d5cfa1ad5684c7286361

SHA256
d7f8ac786b51ea13eb9a2c6e8c1fc45d349fdc187d88571f563b7667bb9f4242

SHA512
052a0ba4bd9133a3b21fd8c4a985811d38ffc91b254cf40c95250d6400e7e3620df6d54b682a7d9e6ac003194222c3c6d58c8131b4aac996afff493177a9e608

Download Submit
memory/2748-40-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2748-58-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2824-21-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2824-36-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2996-13-0x00000000036F0000-0x0000000003719000-memory.dmp

Filesize
164KB

Download
memory/2996-26-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2996-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2996-19-0x00000000036F0000-0x0000000003719000-memory.dmp

Filesize
164KB

Download
memory/3016-22-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3016-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3016-39-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3016-45-0x00000000001B0000-0x00000000001D3000-memory.dmp

Filesize
140KB

Download
memory/3016-47-0x00000000001B0000-0x00000000001D3000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing