modiloader | dabd800fc600631531e376672bd68bbc64e05fecaa9d9c051bf0e1e4816a1eae

General

Target

c38b6531d904c46ccd2a2a1cf9e80543_JaffaCakes118.exe
Size

76KB
MD5

c38b6531d904c46ccd2a2a1cf9e80543
SHA1

a7b8c818099d694ce4f3ed0be90fbe1a6eb8e564
SHA256

dabd800fc600631531e376672bd68bbc64e05fecaa9d9c051bf0e1e4816a1eae
SHA512

16df39b6d2ffc353b2e8a66a8bf45ae9373660fbd4a9a2c6f95c13230a64da0ddeef616798edcf5c6354cccf8ea86a3f62de175def36660c7c1839f4d42a865a
SSDEEP

1536:5K8ddtt1FFxxVToOBz0WlZnbMLJhUUKJ3zzj1w:5K8dJDJDMLJh+ZzzB

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000012118-2.dat	modiloader_stage2
behavioral1/memory/1968-7-0x0000000000400000-0x000000000041A000-memory.dmp	modiloader_stage2
behavioral1/memory/1728-24-0x0000000000400000-0x0000000000417000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
1728	sex tup yoop egfhhyjewkkksex..mp4jdjjgfffvcsexcvsrghejkeyysgsdff563d2d3s3s3sssssssss3s3333333sd2fdfredgkiieruieueuiiiukjkhjjhijugyugwggdffgfhjuhyueij.3pghdhgygdywegt.exe
628	server.exe

Loads dropped DLL 4 IoCs

pid	Process
1968	c38b6531d904c46ccd2a2a1cf9e80543_JaffaCakes118.exe
1968	c38b6531d904c46ccd2a2a1cf9e80543_JaffaCakes118.exe
1728	sex tup yoop egfhhyjewkkksex..mp4jdjjgfffvcsexcvsrghejkeyysgsdff563d2d3s3s3sssssssss3s3333333sd2fdfredgkiieruieueuiiiukjkhjjhijugyugwggdffgfhjuhyueij.3pghdhgygdywegt.exe
1728	sex tup yoop egfhhyjewkkksex..mp4jdjjgfffvcsexcvsrghejkeyysgsdff563d2d3s3s3sssssssss3s3333333sd2fdfredgkiieruieueuiiiukjkhjjhijugyugwggdffgfhjuhyueij.3pghdhgygdywegt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c38b6531d904c46ccd2a2a1cf9e80543_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sex tup yoop egfhhyjewkkksex..mp4jdjjgfffvcsexcvsrghejkeyysgsdff563d2d3s3s3sssssssss3s3333333sd2fdfredgkiieruieueuiiiukjkhjjhijugyugwggdffgfhjuhyueij.3pghdhgygdywegt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
628	server.exe
628	server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2492	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2492	DllHost.exe
2492	DllHost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1728	1968	c38b6531d904c46ccd2a2a1cf9e80543_JaffaCakes118.exe	30
PID 1968 wrote to memory of 1728	1968	c38b6531d904c46ccd2a2a1cf9e80543_JaffaCakes118.exe	30
PID 1968 wrote to memory of 1728	1968	c38b6531d904c46ccd2a2a1cf9e80543_JaffaCakes118.exe	30
PID 1968 wrote to memory of 1728	1968	c38b6531d904c46ccd2a2a1cf9e80543_JaffaCakes118.exe	30
PID 1728 wrote to memory of 628	1728	sex tup yoop egfhhyjewkkksex..mp4jdjjgfffvcsexcvsrghejkeyysgsdff563d2d3s3s3sssssssss3s3333333sd2fdfredgkiieruieueuiiiukjkhjjhijugyugwggdffgfhjuhyueij.3pghdhgygdywegt.exe	32
PID 1728 wrote to memory of 628	1728	sex tup yoop egfhhyjewkkksex..mp4jdjjgfffvcsexcvsrghejkeyysgsdff563d2d3s3s3sssssssss3s3333333sd2fdfredgkiieruieueuiiiukjkhjjhijugyugwggdffgfhjuhyueij.3pghdhgygdywegt.exe	32
PID 1728 wrote to memory of 628	1728	sex tup yoop egfhhyjewkkksex..mp4jdjjgfffvcsexcvsrghejkeyysgsdff563d2d3s3s3sssssssss3s3333333sd2fdfredgkiieruieueuiiiukjkhjjhijugyugwggdffgfhjuhyueij.3pghdhgygdywegt.exe	32
PID 1728 wrote to memory of 628	1728	sex tup yoop egfhhyjewkkksex..mp4jdjjgfffvcsexcvsrghejkeyysgsdff563d2d3s3s3sssssssss3s3333333sd2fdfredgkiieruieueuiiiukjkhjjhijugyugwggdffgfhjuhyueij.3pghdhgygdywegt.exe	32
PID 628 wrote to memory of 1244	628	server.exe	21
PID 628 wrote to memory of 1244	628	server.exe	21
PID 628 wrote to memory of 1244	628	server.exe	21
PID 628 wrote to memory of 1244	628	server.exe	21
PID 628 wrote to memory of 1244	628	server.exe	21
PID 628 wrote to memory of 1244	628	server.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\c38b6531d904c46ccd2a2a1cf9e80543_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c38b6531d904c46ccd2a2a1cf9e80543_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\sex tup yoop egfhhyjewkkksex..mp4jdjjgfffvcsexcvsrghejkeyysgsdff563d2d3s3s3sssssssss3s3333333sd2fdfredgkiieruieueuiiiukjkhjjhijugyugwggdffgfhjuhyueij.3pghdhgygdywegt.exe
    "C:\Users\Admin\AppData\Local\Temp\sex tup yoop egfhhyjewkkksex..mp4jdjjgfffvcsexcvsrghejkeyysgsdff563d2d3s3s3sssssssss3s3333333sd2fdfredgkiieruieueuiiiukjkhjjhijugyugwggdffgfhjuhyueij.3pghdhgygdywegt.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:628

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mens-sex-toys-silicone-doll-love-doll-adult-sex-toys-da1c5.jpg

Filesize
25KB

MD5
a11cc9759a6ca9c1140e43bce443740e

SHA1
75d0a82751c3e0a7d6a3f34e8a6a51329a7aa3d0

SHA256
d86d54995a820b746d734d59693af7d98a69561b0011030e2a42378672a30ebd

SHA512
7ca309a668bca4f3c3932e41c10accf351d58d6a4527a5bb3d9004294237cfceca6931fb3357a35e600decf237df655bdfcd98511665e23217b75d13f08710f5

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
28KB

MD5
7ef4a9f4cffd05a1da4d543e4c19f43c

SHA1
54e7f8f2718a7475f16339c8c77bc975fac5b4c0

SHA256
88c753f12dcf7828b287a67dd343d26ab176a9cbe489096c2c429075069aaa3c

SHA512
ea50b2fe27e2343511be18414b5053ca94056b6dfe48b99a55e4be56218cdcb2e274df3d8a3c07a41eaa210bc35e292f4f0c2d466b24b657becb009bbbc7e06d

Download Submit
\Users\Admin\AppData\Local\Temp\sex tup yoop egfhhyjewkkksex..mp4jdjjgfffvcsexcvsrghejkeyysgsdff563d2d3s3s3sssssssss3s3333333sd2fdfredgkiieruieueuiiiukjkhjjhijugyugwggdffgfhjuhyueij.3pghdhgygdywegt.exe

Filesize
63KB

MD5
d512a69ee8bd7d9745d6809c31b5f936

SHA1
6a9eeadc3b184cc74bbd2a53de1a11a6993b43a6

SHA256
505de7dc0b7ceda2443b3a172000874a986b3923cdf15fc609bd13b8fb48442a

SHA512
31b813ea298e8d6456fba585bbd0b582f628fce5860919c4589097965c61daefaf6f983c66b3648ef63344a636bbdccf14d91ee544f8417d74ada6d813428f65

Download Submit
memory/628-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1244-27-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/1244-33-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/1728-11-0x0000000003010000-0x0000000003012000-memory.dmp

Filesize
8KB

Download
memory/1728-17-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/1728-24-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1728-22-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/1968-7-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2492-12-0x0000000000180000-0x0000000000182000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing