modiloader | dafa0160ac5f814b90db131d77d29fa16b68d76df3243dafbb0a51a968e725cd

General

Target

d78674a0b1e4d82307e8ec37a70bdbf2_JaffaCakes118.exe
Size

801KB
MD5

d78674a0b1e4d82307e8ec37a70bdbf2
SHA1

8cb6cb00ac93481527492b374c43bfb070db164b
SHA256

dafa0160ac5f814b90db131d77d29fa16b68d76df3243dafbb0a51a968e725cd
SHA512

228a48242b62eeeb1697a5c55e431745cd61f5cbb4617dac76cac6d54403a71d527891f5f9e5f23ba312d59037ed3a0d660d7d1f3a43407267829880902a54c2
SSDEEP

24576:D+pCK0Adttc//////RTJ5cpbpE5M88FTdI+r7lquHce:q7tdHc//////RTJ5ypE5MRF51r7dce

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral1/files/0x000700000001930d-7.dat	modiloader_stage2
behavioral1/memory/880-17-0x0000000000400000-0x00000000004BC000-memory.dmp	modiloader_stage2
behavioral1/memory/2512-18-0x0000000000400000-0x00000000004BC000-memory.dmp	modiloader_stage2
behavioral1/memory/2512-25-0x0000000000400000-0x00000000004BC000-memory.dmp	modiloader_stage2
behavioral1/memory/2512-31-0x0000000000400000-0x00000000004BC000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2528	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
880	yt.exe
2512	Adobef.exe

Loads dropped DLL 2 IoCs

pid	Process
2432	cmd.exe
880	yt.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\Adobef.exe	yt.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\Adobef.exe	yt.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d78674a0b1e4d82307e8ec37a70bdbf2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2432	2440	d78674a0b1e4d82307e8ec37a70bdbf2_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2432	2440	d78674a0b1e4d82307e8ec37a70bdbf2_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2432	2440	d78674a0b1e4d82307e8ec37a70bdbf2_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2432	2440	d78674a0b1e4d82307e8ec37a70bdbf2_JaffaCakes118.exe	30
PID 2440 wrote to memory of 2528	2440	d78674a0b1e4d82307e8ec37a70bdbf2_JaffaCakes118.exe	31
PID 2440 wrote to memory of 2528	2440	d78674a0b1e4d82307e8ec37a70bdbf2_JaffaCakes118.exe	31
PID 2440 wrote to memory of 2528	2440	d78674a0b1e4d82307e8ec37a70bdbf2_JaffaCakes118.exe	31
PID 2440 wrote to memory of 2528	2440	d78674a0b1e4d82307e8ec37a70bdbf2_JaffaCakes118.exe	31
PID 2432 wrote to memory of 880	2432	cmd.exe	34
PID 2432 wrote to memory of 880	2432	cmd.exe	34
PID 2432 wrote to memory of 880	2432	cmd.exe	34
PID 2432 wrote to memory of 880	2432	cmd.exe	34
PID 880 wrote to memory of 2512	880	yt.exe	35
PID 880 wrote to memory of 2512	880	yt.exe	35
PID 880 wrote to memory of 2512	880	yt.exe	35
PID 880 wrote to memory of 2512	880	yt.exe	35
PID 880 wrote to memory of 2976	880	yt.exe	36
PID 880 wrote to memory of 2976	880	yt.exe	36
PID 880 wrote to memory of 2976	880	yt.exe	36
PID 880 wrote to memory of 2976	880	yt.exe	36

C:\Users\Admin\AppData\Local\Temp\d78674a0b1e4d82307e8ec37a70bdbf2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d78674a0b1e4d82307e8ec37a70bdbf2_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\yt.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\AppData\Local\Temp\yt.exe
    C:\Users\Admin\AppData\Local\Temp\yt.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:880
  - - C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\Adobef.exe
      C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\Adobef.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2512
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c erase /F C:\Users\Admin\AppData\Local\Temp\yt.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\d78674a0b1e4d82307e8ec37a70bdbf2_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yt.exe

Filesize
672KB

MD5
6361714e688768f9a6d5535b090e3803

SHA1
711683ef06cdd3425db1ca1604311e954c2fad7d

SHA256
4299b9c3d5abe9cc2c6cdf8e859233381c7eee0788603a34bea90f16afa76a34

SHA512
c3137a49e56672ea223e6bb0c02663d420e916b43d8988a3464ff79ba1b0893e510598f1390e0fea9f5db56573986ddd64fe138e9e0c0902d1261715678374d6

Download Submit
memory/880-9-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/880-17-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2440-1-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2440-5-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2512-16-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2512-19-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2512-18-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2512-25-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2512-31-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download

Analysis

Sharing