modiloader | 0ed7b356f4d79d3ae3653b571e1625dcd8348610bfc95982c1dc212eaace61d0

General

Target

ddb36bcc0e884a926bf5db13f2197db8_JaffaCakes118.exe
Size

700KB
MD5

ddb36bcc0e884a926bf5db13f2197db8
SHA1

8f01a84e37531ca7d38195ce5f1579a458a62e52
SHA256

0ed7b356f4d79d3ae3653b571e1625dcd8348610bfc95982c1dc212eaace61d0
SHA512

9810fe946935b744b88632e3a101db7453da04dc005e87c0320450e2ee66e8e016184e9d522d02f5cdb605e7b5c475edea76d2ab8bdd13368c9e8cc418621421
SSDEEP

12288:WWrXZcWJlFfBs6MJeskwFNO0RJyUsUref+4auOxIvr0+CzNvVFdwk9r0puA7i:drOklFf6jJjkwNOesUre24aivQzNvVFh

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000018b68-25.dat	modiloader_stage2
behavioral1/memory/2664-37-0x0000000000400000-0x00000000004BE000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2692	456.exe
2664	1.exe

Loads dropped DLL 7 IoCs

pid	Process
2640	ddb36bcc0e884a926bf5db13f2197db8_JaffaCakes118.exe
2640	ddb36bcc0e884a926bf5db13f2197db8_JaffaCakes118.exe
2692	456.exe
2692	456.exe
2692	456.exe
2692	456.exe
2664	1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ddb36bcc0e884a926bf5db13f2197db8_JaffaCakes118.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\program files\common files\microsoft shared\msinfo\menu_03x.jpg	DllHost.exe
File created	C:\program files\common files\microsoft shared\msinfo\1.jpg	456.exe
File created	C:\program files\common files\microsoft shared\msinfo\menu_03x.jpg	456.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	456.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddb36bcc0e884a926bf5db13f2197db8_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2596	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2596	DllHost.exe
2596	DllHost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2692	2640	ddb36bcc0e884a926bf5db13f2197db8_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2692	2640	ddb36bcc0e884a926bf5db13f2197db8_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2692	2640	ddb36bcc0e884a926bf5db13f2197db8_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2692	2640	ddb36bcc0e884a926bf5db13f2197db8_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2692	2640	ddb36bcc0e884a926bf5db13f2197db8_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2692	2640	ddb36bcc0e884a926bf5db13f2197db8_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2692	2640	ddb36bcc0e884a926bf5db13f2197db8_JaffaCakes118.exe	30
PID 2692 wrote to memory of 2664	2692	456.exe	31
PID 2692 wrote to memory of 2664	2692	456.exe	31
PID 2692 wrote to memory of 2664	2692	456.exe	31
PID 2692 wrote to memory of 2664	2692	456.exe	31
PID 2692 wrote to memory of 2664	2692	456.exe	31
PID 2692 wrote to memory of 2664	2692	456.exe	31
PID 2692 wrote to memory of 2664	2692	456.exe	31
PID 2664 wrote to memory of 3064	2664	1.exe	32
PID 2664 wrote to memory of 3064	2664	1.exe	32
PID 2664 wrote to memory of 3064	2664	1.exe	32
PID 2664 wrote to memory of 3064	2664	1.exe	32
PID 2664 wrote to memory of 3064	2664	1.exe	32
PID 2664 wrote to memory of 3064	2664	1.exe	32
PID 2664 wrote to memory of 3064	2664	1.exe	32

C:\Users\Admin\AppData\Local\Temp\ddb36bcc0e884a926bf5db13f2197db8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ddb36bcc0e884a926bf5db13f2197db8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\456.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\456.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\program files\common files\microsoft shared\msinfo\1.exe
    "C:\program files\common files\microsoft shared\msinfo\1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\program files\internet explorer\IEXPLORE.EXE
      "C:\program files\internet explorer\IEXPLORE.EXE"
      4⤵
      PID:3064

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\program files\common files\microsoft shared\msinfo\menu_03x.jpg

Filesize
2KB

MD5
1be306dc4443fc05dde26452fbffe003

SHA1
a63e73dfbdd89ae9e2b45444045d054a4c8ba57d

SHA256
b6f070e9e8dca9e70de776b9778845208138c315fd65c3349b2b62dcb2bf353f

SHA512
95a6978731867073cef0948f45173a47244230b6132dc4a94ef3823b3c6b89f7e1f53492a367683fbdea41fb9ff2019c719411ce0aaf99b1f7e9ad11b3793bab

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\1.exe

Filesize
678KB

MD5
4f8b9532d5e008734f5d8fa5eb2df808

SHA1
f14bc78f963bd2d3d48479039a28019fbfa9e664

SHA256
5c2e6ff398169d6cb7bcf6af425e5acc5db11e3d000458bf54b1658866da71c6

SHA512
7247c95fd28ce4e9a5d30a9080f3a04af3ae9b93ddc8d849087613748762f26bc1a5feaf2a09ab31de1e9a8f51fce6247fd848fde96d37c4ae8daff5cef11070

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\456.exe

Filesize
666KB

MD5
18bc6302268f8cbebac8c80d6b350229

SHA1
3d31b865b4e412a137ab25158322b292a815dc8f

SHA256
8a46e1c2175e9649af55d467363f5d1a7a38849f3cf988cf9a2b8c5b684364f3

SHA512
3f3dfe746446c0daa62c9af7ba5b3d70d7c70a78db6156d9fd2ab900f4854d99320a5a2221b541aa6c773bee3b699accbb4c99427cc7ac363130798b52905cfa

Download Submit
memory/2596-39-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/2640-1-0x0000000000890000-0x00000000009F8000-memory.dmp

Filesize
1.4MB

Download
memory/2640-0-0x0000000001000000-0x0000000001167026-memory.dmp

Filesize
1.4MB

Download
memory/2640-42-0x0000000001000000-0x0000000001167026-memory.dmp

Filesize
1.4MB

Download
memory/2640-11-0x00000000004A0000-0x00000000005AD000-memory.dmp

Filesize
1.1MB

Download
memory/2640-10-0x00000000004A0000-0x00000000005AD000-memory.dmp

Filesize
1.1MB

Download
memory/2664-37-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2692-16-0x0000000000A50000-0x0000000000B5D000-memory.dmp

Filesize
1.1MB

Download
memory/2692-24-0x0000000003B50000-0x0000000003B60000-memory.dmp

Filesize
64KB

Download
memory/2692-21-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2692-38-0x0000000003E40000-0x0000000003E42000-memory.dmp

Filesize
8KB

Download
memory/2692-20-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2692-40-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2692-15-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2692-17-0x00000000004B6000-0x00000000004B7000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads