modiloader | dafa0160ac5f814b90db131d77d29fa16b68d76df3243dafbb0a51a968e725cd

General

Target

d78674a0b1e4d82307e8ec37a70bdbf2_JaffaCakes118.exe
Size

801KB
MD5

d78674a0b1e4d82307e8ec37a70bdbf2
SHA1

8cb6cb00ac93481527492b374c43bfb070db164b
SHA256

dafa0160ac5f814b90db131d77d29fa16b68d76df3243dafbb0a51a968e725cd
SHA512

228a48242b62eeeb1697a5c55e431745cd61f5cbb4617dac76cac6d54403a71d527891f5f9e5f23ba312d59037ed3a0d660d7d1f3a43407267829880902a54c2
SSDEEP

24576:D+pCK0Adttc//////RTJ5cpbpE5M88FTdI+r7lquHce:q7tdHc//////RTJ5ypE5MRF51r7dce

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cae-7.dat	modiloader_stage2
behavioral2/memory/628-16-0x0000000000400000-0x00000000004BC000-memory.dmp	modiloader_stage2
behavioral2/memory/3328-17-0x0000000000400000-0x00000000004BC000-memory.dmp	modiloader_stage2
behavioral2/memory/3328-24-0x0000000000400000-0x00000000004BC000-memory.dmp	modiloader_stage2
behavioral2/memory/3328-30-0x0000000000400000-0x00000000004BC000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
628	yt.exe
3328	Adobef.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\Adobef.exe	yt.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\Adobef.exe	yt.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d78674a0b1e4d82307e8ec37a70bdbf2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobef.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 644	824	d78674a0b1e4d82307e8ec37a70bdbf2_JaffaCakes118.exe	83
PID 824 wrote to memory of 644	824	d78674a0b1e4d82307e8ec37a70bdbf2_JaffaCakes118.exe	83
PID 824 wrote to memory of 644	824	d78674a0b1e4d82307e8ec37a70bdbf2_JaffaCakes118.exe	83
PID 824 wrote to memory of 4552	824	d78674a0b1e4d82307e8ec37a70bdbf2_JaffaCakes118.exe	84
PID 824 wrote to memory of 4552	824	d78674a0b1e4d82307e8ec37a70bdbf2_JaffaCakes118.exe	84
PID 824 wrote to memory of 4552	824	d78674a0b1e4d82307e8ec37a70bdbf2_JaffaCakes118.exe	84
PID 644 wrote to memory of 628	644	cmd.exe	87
PID 644 wrote to memory of 628	644	cmd.exe	87
PID 644 wrote to memory of 628	644	cmd.exe	87
PID 628 wrote to memory of 3328	628	yt.exe	88
PID 628 wrote to memory of 3328	628	yt.exe	88
PID 628 wrote to memory of 3328	628	yt.exe	88
PID 628 wrote to memory of 696	628	yt.exe	89
PID 628 wrote to memory of 696	628	yt.exe	89
PID 628 wrote to memory of 696	628	yt.exe	89

C:\Users\Admin\AppData\Local\Temp\d78674a0b1e4d82307e8ec37a70bdbf2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d78674a0b1e4d82307e8ec37a70bdbf2_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\yt.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:644
- - C:\Users\Admin\AppData\Local\Temp\yt.exe
    C:\Users\Admin\AppData\Local\Temp\yt.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\Adobef.exe
      C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\Adobef.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3328
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c erase /F C:\Users\Admin\AppData\Local\Temp\yt.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\d78674a0b1e4d82307e8ec37a70bdbf2_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yt.exe

Filesize
672KB

MD5
6361714e688768f9a6d5535b090e3803

SHA1
711683ef06cdd3425db1ca1604311e954c2fad7d

SHA256
4299b9c3d5abe9cc2c6cdf8e859233381c7eee0788603a34bea90f16afa76a34

SHA512
c3137a49e56672ea223e6bb0c02663d420e916b43d8988a3464ff79ba1b0893e510598f1390e0fea9f5db56573986ddd64fe138e9e0c0902d1261715678374d6

Download Submit
memory/628-9-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/628-16-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/824-0-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/824-5-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/3328-15-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3328-18-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3328-17-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3328-24-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3328-30-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download

Analysis

Sharing