modiloader | dd48956600e9edd1e5e917a380013e5fe249a6704bb3ed730d0a4158c3d4379b

General

Target

cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe
Size

705KB
MD5

cc81c48dade59b365af47f88d73d11d3
SHA1

9f1f7268a3cb48a4d182d17f4995db9551a50cc3
SHA256

dd48956600e9edd1e5e917a380013e5fe249a6704bb3ed730d0a4158c3d4379b
SHA512

8142200accf60ec17c0f9f5b30a03d65a4aaca628293857cad2bccf2b2761493da862cc468dc7b90be4c3858dbe100b02bcd4f289663afb1d2d30836b56c6e9a
SSDEEP

12288:yRjUrkgyBkGCt9y341FNdRGrlPFi0BNdgDbRwC3duXLE4dsTaHK:yBsk3yyofR0ri0Bs3VdvssTaq

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral1/files/0x00090000000120f9-3.dat	modiloader_stage2
behavioral1/memory/2368-20-0x0000000000400000-0x00000000004B6A00-memory.dmp	modiloader_stage2
behavioral1/memory/2492-18-0x0000000000400000-0x00000000004B7000-memory.dmp	modiloader_stage2
behavioral1/memory/2012-21-0x0000000000400000-0x00000000004B6A00-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2368	Atievxe.exe

Loads dropped DLL 2 IoCs

pid	Process
2012	cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe
2012	cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_Atievxe.exe	Atievxe.exe
File opened for modification	C:\Windows\SysWOW64\_Atievxe.exe	Atievxe.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2368 set thread context of 2492	2368	Atievxe.exe	31

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Atievxe.exe	cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Atievxe.exe	cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Atievxe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2368	2012	cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe	30
PID 2012 wrote to memory of 2368	2012	cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe	30
PID 2012 wrote to memory of 2368	2012	cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe	30
PID 2012 wrote to memory of 2368	2012	cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2492	2368	Atievxe.exe	31
PID 2368 wrote to memory of 2492	2368	Atievxe.exe	31
PID 2368 wrote to memory of 2492	2368	Atievxe.exe	31
PID 2368 wrote to memory of 2492	2368	Atievxe.exe	31
PID 2368 wrote to memory of 2492	2368	Atievxe.exe	31
PID 2368 wrote to memory of 2492	2368	Atievxe.exe	31
PID 2012 wrote to memory of 1260	2012	cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe	32
PID 2012 wrote to memory of 1260	2012	cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe	32
PID 2012 wrote to memory of 1260	2012	cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe	32
PID 2012 wrote to memory of 1260	2012	cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\Atievxe.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\Atievxe.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:2492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\cc81c48dade59b365af47f88d73d11d3_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Common Files\Microsoft Shared\MSInfo\Atievxe.exe

Filesize
705KB

MD5
cc81c48dade59b365af47f88d73d11d3

SHA1
9f1f7268a3cb48a4d182d17f4995db9551a50cc3

SHA256
dd48956600e9edd1e5e917a380013e5fe249a6704bb3ed730d0a4158c3d4379b

SHA512
8142200accf60ec17c0f9f5b30a03d65a4aaca628293857cad2bccf2b2761493da862cc468dc7b90be4c3858dbe100b02bcd4f289663afb1d2d30836b56c6e9a

Download Submit
memory/2012-0-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2012-21-0x0000000000400000-0x00000000004B6A00-memory.dmp

Filesize
730KB

Download
memory/2368-13-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2368-20-0x0000000000400000-0x00000000004B6A00-memory.dmp

Filesize
730KB

Download
memory/2492-16-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2492-18-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2492-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing