modiloader | 18e805e5e7c861daeae15010adb04b4b6a594c1f5d049ba483b8bd52053360ed

General

Target

cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe
Size

493KB
MD5

cc3beb8891eae9e320e6396c197e2e19
SHA1

965fc72e664356b7f54b308eee3abaf8ee82cda4
SHA256

18e805e5e7c861daeae15010adb04b4b6a594c1f5d049ba483b8bd52053360ed
SHA512

e4d1907cda9596bb1014fdb6e4f4afa354d273f5889fa92b16737f6928c01f26d431a2f95ad4a583a62962b39888bd00d631aaecd36fa939ff729689a8d2071e
SSDEEP

12288:9Yd+DN2QzXqUgYVhLLNO931vK1ifzNvNRR8W:KIEQzXXLLq3RMEv5

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 11 IoCs

resource	yara_rule
behavioral1/memory/2736-22-0x0000000000400000-0x0000000000426000-memory.dmp	modiloader_stage2
behavioral1/memory/2736-24-0x0000000000400000-0x0000000000426000-memory.dmp	modiloader_stage2
behavioral1/memory/2736-21-0x0000000000400000-0x0000000000426000-memory.dmp	modiloader_stage2
behavioral1/memory/2664-20-0x0000000000400000-0x0000000000480800-memory.dmp	modiloader_stage2
behavioral1/memory/2736-18-0x0000000000400000-0x0000000000426000-memory.dmp	modiloader_stage2
behavioral1/memory/2736-14-0x0000000000400000-0x0000000000426000-memory.dmp	modiloader_stage2
behavioral1/memory/2736-12-0x0000000000400000-0x0000000000426000-memory.dmp	modiloader_stage2
behavioral1/memory/2736-10-0x0000000000400000-0x0000000000426000-memory.dmp	modiloader_stage2
behavioral1/memory/2736-9-0x0000000000400000-0x0000000000426000-memory.dmp	modiloader_stage2
behavioral1/memory/2736-6-0x0000000000400000-0x0000000000426000-memory.dmp	modiloader_stage2
behavioral1/memory/2736-46-0x0000000000400000-0x0000000000426000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2560	Nashy.exe
2856	keygen.exe

Loads dropped DLL 4 IoCs

pid	Process
2736	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe
2736	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe
2736	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe
2736	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2664 set thread context of 2736	2664	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nashy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2560	Nashy.exe
2560	Nashy.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2736	2664	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2736	2664	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2736	2664	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2736	2664	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2736	2664	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2736	2664	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2736	2664	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2736	2664	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2736	2664	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2736	2664	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2736	2664	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2736	2664	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	31
PID 2736 wrote to memory of 2560	2736	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	32
PID 2736 wrote to memory of 2560	2736	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	32
PID 2736 wrote to memory of 2560	2736	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	32
PID 2736 wrote to memory of 2560	2736	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	32
PID 2736 wrote to memory of 2856	2736	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	33
PID 2736 wrote to memory of 2856	2736	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	33
PID 2736 wrote to memory of 2856	2736	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	33
PID 2736 wrote to memory of 2856	2736	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	33
PID 2560 wrote to memory of 1188	2560	Nashy.exe	21
PID 2560 wrote to memory of 1188	2560	Nashy.exe	21
PID 2560 wrote to memory of 1188	2560	Nashy.exe	21
PID 2560 wrote to memory of 1188	2560	Nashy.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\Nashy.exe
      "C:\Users\Admin\AppData\Local\Temp\Nashy.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2560
  - - C:\Users\Admin\AppData\Local\Temp\keygen.exe
      "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Nashy.exe

Filesize
55KB

MD5
b866ece9263205834d134b16d8870418

SHA1
748af220968259eb89e3e703cd483fca56f203a6

SHA256
827587f1a8666a7f9351a5f9733f4886841f04e72f748f7d231a4fa103908fd8

SHA512
bdd42624de9de6d52edf20a48046a717126cb09db08c6f756ed3c78ecce59892f4723d616cf8cae3d45719ed33cefaf277e881580116e92a1a15d65dcbbbe9e7

Download Submit
\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
34KB

MD5
9288a9ba08b3d9ca13f32b7583daf49e

SHA1
a80cde5b4039550faa118e7b605aba4895f847a3

SHA256
c1e52c56cf65fb0df4f1cdbd80fd9a109a0c81a83c735adfd8e190095f6e83c9

SHA512
e52ca18f977c990de03117fb80101583bfd6aa30f5ac6b0f71bb31efb991a104fdbf63a633544fe7b40eca7954a792c587ab7d011e5ed54a611eca5e4a260b29

Download Submit
memory/1188-55-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1188-52-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/2560-49-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/2560-36-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/2664-1-0x0000000000360000-0x00000000003E1000-memory.dmp

Filesize
516KB

Download
memory/2664-20-0x0000000000400000-0x0000000000480800-memory.dmp

Filesize
514KB

Download
memory/2664-0-0x0000000000400000-0x0000000000480800-memory.dmp

Filesize
514KB

Download
memory/2736-18-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2736-14-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2736-6-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2736-4-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2736-2-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2736-10-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2736-12-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2736-46-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2736-44-0x0000000000430000-0x0000000000460000-memory.dmp

Filesize
192KB

Download
memory/2736-9-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2736-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2736-21-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2736-33-0x00000000006C0000-0x00000000006C9000-memory.dmp

Filesize
36KB

Download
memory/2736-31-0x00000000006C0000-0x00000000006C9000-memory.dmp

Filesize
36KB

Download
memory/2736-24-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2736-22-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2856-48-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2856-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing