modiloader | 099a1c2361247e7e74ed6f13b09421bcca71d2fb5641d8db3a922f6272d32666

General

Target

d599488a1f3eeae8a64687aced847fad_JaffaCakes118.exe
Size

1.2MB
MD5

d599488a1f3eeae8a64687aced847fad
SHA1

dfb78edb35197f2f80519fcde991b132c6184160
SHA256

099a1c2361247e7e74ed6f13b09421bcca71d2fb5641d8db3a922f6272d32666
SHA512

74f9ca9a2a9cf659681f111d3fdd305dd94c68d21054c5947be887a1c74ec70b8ac269e60524b6836593006d96baa4cb5c6c9aa8436cd11aad286d51beed61ec
SSDEEP

24576:VV0fsaxQV7w49bwKxtkkgV0fsaxQV7w49bwKxtkL:VV0GV7Tww9gV0GV7Twwa

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 6 IoCs

resource	yara_rule
behavioral1/memory/2216-35-0x0000000000230000-0x0000000000255000-memory.dmp	modiloader_stage2
behavioral1/memory/860-20-0x00000000001B0000-0x00000000001D5000-memory.dmp	modiloader_stage2
behavioral1/memory/860-16-0x0000000000400000-0x000000000041F000-memory.dmp	modiloader_stage2
behavioral1/memory/860-13-0x0000000000400000-0x000000000041F000-memory.dmp	modiloader_stage2
behavioral1/memory/860-36-0x0000000000400000-0x000000000041F000-memory.dmp	modiloader_stage2
behavioral1/memory/860-38-0x00000000001B0000-0x00000000001D5000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
860	f76d901.tmp.exe
2216	f76d950.tmp.exe

Loads dropped DLL 7 IoCs

pid	Process
2328	d599488a1f3eeae8a64687aced847fad_JaffaCakes118.exe
2328	d599488a1f3eeae8a64687aced847fad_JaffaCakes118.exe
2328	d599488a1f3eeae8a64687aced847fad_JaffaCakes118.exe
860	f76d901.tmp.exe
2328	d599488a1f3eeae8a64687aced847fad_JaffaCakes118.exe
2328	d599488a1f3eeae8a64687aced847fad_JaffaCakes118.exe
2216	f76d950.tmp.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\atmQQ2.dll	f76d901.tmp.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d599488a1f3eeae8a64687aced847fad_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f76d950.tmp.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
860	f76d901.tmp.exe
860	f76d901.tmp.exe
860	f76d901.tmp.exe
860	f76d901.tmp.exe
860	f76d901.tmp.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe
2216	f76d950.tmp.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2328	d599488a1f3eeae8a64687aced847fad_JaffaCakes118.exe
2328	d599488a1f3eeae8a64687aced847fad_JaffaCakes118.exe
860	f76d901.tmp.exe
2216	f76d950.tmp.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 860	2328	d599488a1f3eeae8a64687aced847fad_JaffaCakes118.exe	31
PID 2328 wrote to memory of 860	2328	d599488a1f3eeae8a64687aced847fad_JaffaCakes118.exe	31
PID 2328 wrote to memory of 860	2328	d599488a1f3eeae8a64687aced847fad_JaffaCakes118.exe	31
PID 2328 wrote to memory of 860	2328	d599488a1f3eeae8a64687aced847fad_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2216	2328	d599488a1f3eeae8a64687aced847fad_JaffaCakes118.exe	32
PID 2328 wrote to memory of 2216	2328	d599488a1f3eeae8a64687aced847fad_JaffaCakes118.exe	32
PID 2328 wrote to memory of 2216	2328	d599488a1f3eeae8a64687aced847fad_JaffaCakes118.exe	32
PID 2328 wrote to memory of 2216	2328	d599488a1f3eeae8a64687aced847fad_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\d599488a1f3eeae8a64687aced847fad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d599488a1f3eeae8a64687aced847fad_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\f76d901.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\f76d901.tmp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:860
- C:\Users\Admin\AppData\Local\Temp\f76d950.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\f76d950.tmp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f76d901.tmp.exe

Filesize
38KB

MD5
e61241358211a033cda36e48b68d91a3

SHA1
ca2dd3dd6114f62b95f0c35edf3715439beca080

SHA256
09665e44e74d607599c09824b53434e927f72b704e1124caef4f07a54eb3a341

SHA512
b24db602be7192105459966970bde1bc6a33fbef7dba8185d31a49cbdd626f7ddf9350e566230ecd372dc8e462faed4175ff7f4b4221c6464bc36b71e65a4f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f76d950.tmp.exe

Filesize
29KB

MD5
19f9a0a0490061125426703a1931f59a

SHA1
61fa131f972d334d2757da19121fd330043d648d

SHA256
1bdace947cf17dfacc0756263739602096099952d1ca079e28a61192bbdca3e9

SHA512
690cefa97eb684ce1bbfdfcfbf08e68d95b193f16ec1f714da36a9bd893ed1bc0a80d83223da9808cac96b41e281c48f730a52000a0fe4436ce40d6ef77b98a3

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\atmQQ2.dll

Filesize
22KB

MD5
a9aa5a1c31d419a464c89d3dc78431fc

SHA1
48affccd6e74eadcf3421220cc03625f942ad96e

SHA256
68b230a1f7cdf4e12589203209290cf6a71d6b7ffcbaecfa8caa11eea53e3dec

SHA512
8a9d66ca9e8364e1f76a086d9363c148b8bacae54561d6f1f0c8d97741f1b30f4e25195f8c7f73c3959409246157352a72d403f9e93cef9652ac8b4faaa4f3ed

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.1MB

MD5
71520e2e016f657e0131181c093af6e0

SHA1
98b542d747b2dfd57ea69e42ffc8e6a6f05d18cb

SHA256
c77f7719ef55800ebc692edb5523f6becd83bdc25b8bc6f7dbff3c6243ef76ae

SHA512
d48758acc8767a78b898152efac9ce31e043904dcaddc0e60c3145bc7250e8384913833f33f717d986f2f9262a3e82ecde13b4fbece851b2b8b70af43a177b71

Download Submit
memory/860-16-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/860-17-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/860-20-0x00000000001B0000-0x00000000001D5000-memory.dmp

Filesize
148KB

Download
memory/860-13-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/860-36-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/860-37-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/860-38-0x00000000001B0000-0x00000000001D5000-memory.dmp

Filesize
148KB

Download
memory/2216-35-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/2328-6-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/2328-34-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2328-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing