modiloader | d6f4dde7139d3ef864a41a0fb3a1004ae45d30dcc424dd33d54063b446048bcf

General

Target

b5c8553a7a9e80d9f7ab179c6d461dab_JaffaCakes118.exe
Size

585KB
MD5

b5c8553a7a9e80d9f7ab179c6d461dab
SHA1

896a95d6a7df82ca6c209a01602cfd35e19341fb
SHA256

d6f4dde7139d3ef864a41a0fb3a1004ae45d30dcc424dd33d54063b446048bcf
SHA512

34005207c85c1cc57af08b4a1a74c3c7ccaf5a309fb8c5bf14da58ce2094e81c104c6c43bed499005812536659438f0a1b404ee3d73800a9a7b68c7c71de3c4f
SSDEEP

12288:LbNobzxOidX5AaR5KvcIL5SsmGawWT+pszGhqM7z65jDZYum1:L+HxO4pAOchBhrWgsqYM7u5hYu0

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/4528-4-0x0000000010000000-0x0000000010155000-memory.dmp	modiloader_stage2
behavioral2/memory/4916-21-0x0000000010000000-0x0000000010155000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
4916	svchost.com
1740	svchost.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Deleteme.bat	b5c8553a7a9e80d9f7ab179c6d461dab_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4528 set thread context of 760	4528	b5c8553a7a9e80d9f7ab179c6d461dab_JaffaCakes118.exe	83
PID 4916 set thread context of 1740	4916	svchost.com	99
PID 1740 set thread context of 4356	1740	svchost.com	101

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	b5c8553a7a9e80d9f7ab179c6d461dab_JaffaCakes118.exe
File created	C:\Windows\svchost.com	b5c8553a7a9e80d9f7ab179c6d461dab_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4232	4356	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5c8553a7a9e80d9f7ab179c6d461dab_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5c8553a7a9e80d9f7ab179c6d461dab_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	760	b5c8553a7a9e80d9f7ab179c6d461dab_JaffaCakes118.exe
Token: SeSystemtimePrivilege	760	b5c8553a7a9e80d9f7ab179c6d461dab_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 760	4528	b5c8553a7a9e80d9f7ab179c6d461dab_JaffaCakes118.exe	83
PID 4528 wrote to memory of 760	4528	b5c8553a7a9e80d9f7ab179c6d461dab_JaffaCakes118.exe	83
PID 4528 wrote to memory of 760	4528	b5c8553a7a9e80d9f7ab179c6d461dab_JaffaCakes118.exe	83
PID 4528 wrote to memory of 760	4528	b5c8553a7a9e80d9f7ab179c6d461dab_JaffaCakes118.exe	83
PID 4528 wrote to memory of 760	4528	b5c8553a7a9e80d9f7ab179c6d461dab_JaffaCakes118.exe	83
PID 760 wrote to memory of 4916	760	b5c8553a7a9e80d9f7ab179c6d461dab_JaffaCakes118.exe	97
PID 760 wrote to memory of 4916	760	b5c8553a7a9e80d9f7ab179c6d461dab_JaffaCakes118.exe	97
PID 760 wrote to memory of 4916	760	b5c8553a7a9e80d9f7ab179c6d461dab_JaffaCakes118.exe	97
PID 4916 wrote to memory of 1740	4916	svchost.com	99
PID 4916 wrote to memory of 1740	4916	svchost.com	99
PID 4916 wrote to memory of 1740	4916	svchost.com	99
PID 4916 wrote to memory of 1740	4916	svchost.com	99
PID 4916 wrote to memory of 1740	4916	svchost.com	99
PID 760 wrote to memory of 396	760	b5c8553a7a9e80d9f7ab179c6d461dab_JaffaCakes118.exe	100
PID 760 wrote to memory of 396	760	b5c8553a7a9e80d9f7ab179c6d461dab_JaffaCakes118.exe	100
PID 760 wrote to memory of 396	760	b5c8553a7a9e80d9f7ab179c6d461dab_JaffaCakes118.exe	100
PID 1740 wrote to memory of 4356	1740	svchost.com	101
PID 1740 wrote to memory of 4356	1740	svchost.com	101
PID 1740 wrote to memory of 4356	1740	svchost.com	101
PID 1740 wrote to memory of 4356	1740	svchost.com	101
PID 1740 wrote to memory of 4356	1740	svchost.com	101

C:\Users\Admin\AppData\Local\Temp\b5c8553a7a9e80d9f7ab179c6d461dab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b5c8553a7a9e80d9f7ab179c6d461dab_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\AppData\Local\Temp\b5c8553a7a9e80d9f7ab179c6d461dab_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\b5c8553a7a9e80d9f7ab179c6d461dab_JaffaCakes118.exe
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Windows\svchost.com
    C:\Windows\svchost.com
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Windows\svchost.com
      C:\Windows\svchost.com
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1740
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:4356
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 12
        6⤵
        Program crash
        
        PID:4232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4356 -ip 4356
1⤵
PID:3208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Deleteme.bat

Filesize
212B

MD5
c60bbb0b948ba6b9bc242846ef380c58

SHA1
f918eb8ac7163c58ebe4f5715996c1b9d8fe6c5c

SHA256
d99c2879f0b666326f48e2da30232e133205dd6562eeb1b7a0ea96c7951e1395

SHA512
16fa2d2b12c061462c71ee06509a4f7eb085741409b0a7b27889c4b2392820ab3bc23a67a66d81693e0d33d41745e1c427226deda8de4b81b946d2518753ee8f

Download Submit
C:\Windows\svchost.com

Filesize
585KB

MD5
b5c8553a7a9e80d9f7ab179c6d461dab

SHA1
896a95d6a7df82ca6c209a01602cfd35e19341fb

SHA256
d6f4dde7139d3ef864a41a0fb3a1004ae45d30dcc424dd33d54063b446048bcf

SHA512
34005207c85c1cc57af08b4a1a74c3c7ccaf5a309fb8c5bf14da58ce2094e81c104c6c43bed499005812536659438f0a1b404ee3d73800a9a7b68c7c71de3c4f

Download Submit
memory/760-11-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/760-2-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/760-5-0x0000000010000000-0x0000000010155000-memory.dmp

Filesize
1.3MB

Download
memory/760-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/760-7-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/760-8-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/760-26-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/760-6-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1740-23-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1740-27-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1740-24-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/4356-25-0x0000000010000000-0x0000000010155000-memory.dmp

Filesize
1.3MB

Download
memory/4528-0-0x0000000010000000-0x0000000010155000-memory.dmp

Filesize
1.3MB

Download
memory/4528-4-0x0000000010000000-0x0000000010155000-memory.dmp

Filesize
1.3MB

Download
memory/4916-21-0x0000000010000000-0x0000000010155000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing