modiloader | d7eafa1a100e5a34c09c66f7df78e80667f58a1b233a8f4f54d623d014659ee3

General

Target

b4e141d8b9cd7a6af0eb0bbba8a1f643_JaffaCakes118.exe
Size

878KB
MD5

b4e141d8b9cd7a6af0eb0bbba8a1f643
SHA1

7e344c3b83681444844a456556cf6c987a738e74
SHA256

d7eafa1a100e5a34c09c66f7df78e80667f58a1b233a8f4f54d623d014659ee3
SHA512

6601d24b102d6889e8f8c8a0719b27dbf1f17ff44a089a2b7b220e3c9dced961d62a639fb43d5f0c4bac31bf6a6c7fb15936a5f0c23d52a5ef1aa62ce89634cb
SSDEEP

24576:NHO8209ZI/1KP+W8xBPlXrdjS7KUK+BB3e:NHI2ZIwmW8r3jS7KABZ

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2008-17-0x0000000000400000-0x00000000004E3000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

pid	Process
1876	icon changer.exe
2568	we.scr
1836	we.scr

Loads dropped DLL 10 IoCs

pid	Process
2008	b4e141d8b9cd7a6af0eb0bbba8a1f643_JaffaCakes118.exe
2008	b4e141d8b9cd7a6af0eb0bbba8a1f643_JaffaCakes118.exe
2008	b4e141d8b9cd7a6af0eb0bbba8a1f643_JaffaCakes118.exe
2008	b4e141d8b9cd7a6af0eb0bbba8a1f643_JaffaCakes118.exe
2568	we.scr
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2568 set thread context of 1836	2568	we.scr	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2264	1876	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	we.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4e141d8b9cd7a6af0eb0bbba8a1f643_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icon changer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1836	we.scr
1836	we.scr

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2568	we.scr

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1876	2008	b4e141d8b9cd7a6af0eb0bbba8a1f643_JaffaCakes118.exe	31
PID 2008 wrote to memory of 1876	2008	b4e141d8b9cd7a6af0eb0bbba8a1f643_JaffaCakes118.exe	31
PID 2008 wrote to memory of 1876	2008	b4e141d8b9cd7a6af0eb0bbba8a1f643_JaffaCakes118.exe	31
PID 2008 wrote to memory of 1876	2008	b4e141d8b9cd7a6af0eb0bbba8a1f643_JaffaCakes118.exe	31
PID 2008 wrote to memory of 2568	2008	b4e141d8b9cd7a6af0eb0bbba8a1f643_JaffaCakes118.exe	32
PID 2008 wrote to memory of 2568	2008	b4e141d8b9cd7a6af0eb0bbba8a1f643_JaffaCakes118.exe	32
PID 2008 wrote to memory of 2568	2008	b4e141d8b9cd7a6af0eb0bbba8a1f643_JaffaCakes118.exe	32
PID 2008 wrote to memory of 2568	2008	b4e141d8b9cd7a6af0eb0bbba8a1f643_JaffaCakes118.exe	32
PID 2568 wrote to memory of 1836	2568	we.scr	34
PID 2568 wrote to memory of 1836	2568	we.scr	34
PID 2568 wrote to memory of 1836	2568	we.scr	34
PID 2568 wrote to memory of 1836	2568	we.scr	34
PID 2568 wrote to memory of 1836	2568	we.scr	34
PID 2568 wrote to memory of 1836	2568	we.scr	34
PID 2568 wrote to memory of 1836	2568	we.scr	34
PID 2568 wrote to memory of 1836	2568	we.scr	34
PID 1876 wrote to memory of 2264	1876	icon changer.exe	33
PID 1876 wrote to memory of 2264	1876	icon changer.exe	33
PID 1876 wrote to memory of 2264	1876	icon changer.exe	33
PID 1876 wrote to memory of 2264	1876	icon changer.exe	33
PID 1836 wrote to memory of 1200	1836	we.scr	21
PID 1836 wrote to memory of 1200	1836	we.scr	21
PID 1836 wrote to memory of 1200	1836	we.scr	21
PID 1836 wrote to memory of 1200	1836	we.scr	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\b4e141d8b9cd7a6af0eb0bbba8a1f643_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b4e141d8b9cd7a6af0eb0bbba8a1f643_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Users\Admin\AppData\Local\Temp\icon changer.exe
    "C:\Users\Admin\AppData\Local\Temp\icon changer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 148
      4⤵
      Loads dropped DLL
      Program crash
      PID:2264
- - C:\Users\Admin\AppData\Local\Temp\we.scr
    "C:\Users\Admin\AppData\Local\Temp\we.scr" /S
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Users\Admin\AppData\Local\Temp\we.scr
      C:\Users\Admin\AppData\Local\Temp\we.scr
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\we.scr

Filesize
164KB

MD5
50c2ea2d38524b57a5b1369b163843b2

SHA1
50f8700a4126193665fbe584ca4b12d3d2967288

SHA256
9f29e0a617a999a1fe8907737596764b4321e5e68fa55b8983a3e06c5c4b269a

SHA512
9ea159721deb513d07dacdf34dacc7960d97af5e8d4d06539b8775dfd79c9f0d2eee8576c82e3b9affcc062b7e70b673ba9fa71a1e63686e9f79a89ca37083dd

Download Submit
\Users\Admin\AppData\Local\Temp\icon changer.exe

Filesize
704KB

MD5
ccb64fc1043a19ed463ba7b2f7d51b14

SHA1
138ef47b589424b597f09d5bd6f89ff04bdcd965

SHA256
2640c0ceb175e82b3285327a94e604b19a248da43a7dce5035a98d8662d96777

SHA512
317f05008bb132cac39116e5fba8e47aa52a094b0f23497a875cb027017d46064efa6cf3bd6c1625e6567375dcfbac6607e9835489c0b515efdca4941748c9ee

Download Submit
memory/1200-57-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1200-60-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1836-47-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/1836-46-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1836-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1836-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1836-39-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1836-37-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1836-35-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1836-69-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1876-23-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2008-17-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2008-21-0x0000000002DC0000-0x0000000002E71000-memory.dmp

Filesize
708KB

Download
memory/2568-29-0x0000000077651000-0x0000000077652000-memory.dmp

Filesize
4KB

Download
memory/2568-27-0x000000007764F000-0x0000000077650000-memory.dmp

Filesize
4KB

Download
memory/2568-26-0x0000000077650000-0x0000000077651000-memory.dmp

Filesize
4KB

Download
memory/2568-25-0x0000000001CF0000-0x0000000001D00000-memory.dmp

Filesize
64KB

Download
memory/2568-24-0x0000000000270000-0x0000000000295000-memory.dmp

Filesize
148KB

Download
memory/2568-28-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2568-22-0x00000000001B0000-0x00000000001B4000-memory.dmp

Filesize
16KB

Download
memory/2568-30-0x0000000000401000-0x0000000000413000-memory.dmp

Filesize
72KB

Download
memory/2568-20-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2568-31-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2568-49-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2568-50-0x0000000000270000-0x0000000000295000-memory.dmp

Filesize
148KB

Download
memory/2568-51-0x0000000000401000-0x0000000000413000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing