modiloader | 0e2e772188ed3497c81992630798d2cbdc1fea446406fbe0e11204db26fdf0a3

General

Target

cfbb71cd4c20888128f25c49e9622422_JaffaCakes118.exe
Size

281KB
MD5

cfbb71cd4c20888128f25c49e9622422
SHA1

fbf81bea05ae08f6290547be85a42aa5d5418143
SHA256

0e2e772188ed3497c81992630798d2cbdc1fea446406fbe0e11204db26fdf0a3
SHA512

6827be9c8f037301f028b82496059ac2d6363f5c571dedcc289c693326e60641c5229401b2b26a8396faadd5babeb69fd53b7586487cee98cd27f53e7041204d
SSDEEP

6144:bw0ctxh7aL5+HpBQ9aEa8FCnDeh/448FYDcHfMep9kDXHKjpK:bwYh/444YDm4TqjpK

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/756-29-0x0000000000400000-0x000000000044D000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2528	sys.dll.exe
2844	sys.dll.exe

Loads dropped DLL 3 IoCs

pid	Process
756	cfbb71cd4c20888128f25c49e9622422_JaffaCakes118.exe
756	cfbb71cd4c20888128f25c49e9622422_JaffaCakes118.exe
2528	sys.dll.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2528 set thread context of 2844	2528	sys.dll.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfbb71cd4c20888128f25c49e9622422_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys.dll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2668	DllHost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2528	sys.dll.exe
2668	DllHost.exe
2668	DllHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 2528	756	cfbb71cd4c20888128f25c49e9622422_JaffaCakes118.exe	28
PID 756 wrote to memory of 2528	756	cfbb71cd4c20888128f25c49e9622422_JaffaCakes118.exe	28
PID 756 wrote to memory of 2528	756	cfbb71cd4c20888128f25c49e9622422_JaffaCakes118.exe	28
PID 756 wrote to memory of 2528	756	cfbb71cd4c20888128f25c49e9622422_JaffaCakes118.exe	28
PID 2528 wrote to memory of 2844	2528	sys.dll.exe	29
PID 2528 wrote to memory of 2844	2528	sys.dll.exe	29
PID 2528 wrote to memory of 2844	2528	sys.dll.exe	29
PID 2528 wrote to memory of 2844	2528	sys.dll.exe	29
PID 2528 wrote to memory of 2844	2528	sys.dll.exe	29
PID 2528 wrote to memory of 2844	2528	sys.dll.exe	29
PID 2528 wrote to memory of 2844	2528	sys.dll.exe	29
PID 2528 wrote to memory of 2844	2528	sys.dll.exe	29

C:\Users\Admin\AppData\Local\Temp\cfbb71cd4c20888128f25c49e9622422_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cfbb71cd4c20888128f25c49e9622422_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:756
- C:\Users\Admin\AppData\Local\Temp\sys.dll.exe
  "C:\Users\Admin\AppData\Local\Temp\sys.dll.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\sys.dll.exe
    C:\Users\Admin\AppData\Local\Temp\sys.dll.exe
    3⤵
    - Executes dropped EXE
    PID:2844

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\20070110.jpg

Filesize
156KB

MD5
5d62a41f0e44cfe072568d83f2bf435b

SHA1
9b41cfe9f68bbbcb1bf1be43048c5522a9a04307

SHA256
7676633cbd3323aae2acf06da18d19caaab3abe14f5056a00bf8c7a084d9a28c

SHA512
86f3d72a91ad5e50e482f19fd9e59eb55580a3378af2b818ae2afc928ca1ba9c3e7c3243b8bd2fbf832f9bdd8b8cba0e3d121ea13f270d6115b4d950362723d4

Download Submit
\Users\Admin\AppData\Local\Temp\sys.dll.exe

Filesize
112KB

MD5
c6bc08de2aed3a4112471aeef5096117

SHA1
d14051c9267df6e5d2b7f49d714fef05bfedbb2b

SHA256
e864dedb2b3b35b4d802b385ebb3a57e3e270898eccea7ec76aab7e1440059c9

SHA512
9fd5eddb012fee63548b17576d28d77556837bf9c51b8d981b4606aaef7942e85d72e4d28399e59e1b1204e23112eec8a304e8492955bab139936f8c11f0ca8f

Download Submit
memory/756-27-0x0000000002100000-0x0000000002102000-memory.dmp

Filesize
8KB

Download
memory/756-29-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2668-28-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2844-22-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2844-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2844-26-0x0000000000400000-0x0000000000401C00-memory.dmp

Filesize
7KB

Download
memory/2844-24-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2844-18-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2844-16-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2844-14-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing