modiloader | ea836ef512beca63d1e1dc12b60ea8d57737ab3db3e1cb7d16209408ef7ccd65

General

Target

e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe
Size

651KB
MD5

e027e31a159b5507f5a9377d2500ce2e
SHA1

a1fd538454fa5270d33343bff9fe0f17796ffc35
SHA256

ea836ef512beca63d1e1dc12b60ea8d57737ab3db3e1cb7d16209408ef7ccd65
SHA512

1e35e60d16359c7a792ceab9b2f2f3a4c4f6be589a83a4d922795ba7a8d8c593ae2f5735196539293786ec3864553801c23ad69026491aef74cd8931745afd8d
SSDEEP

12288:kpyZT1trCxu/mDwLRI6BxcDqp9aqCcajVuD3Z7BPQGMWYur0s0D:kUx1tjOD3SxcDDcNDqWYurL0

Score

10^/10

modiloader discovery trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 11 IoCs

resource	yara_rule
behavioral2/memory/2264-7-0x0000000000400000-0x0000000000507000-memory.dmp	modiloader_stage2
behavioral2/memory/2264-6-0x0000000000400000-0x0000000000507000-memory.dmp	modiloader_stage2
behavioral2/memory/1972-4-0x0000000000400000-0x000000000041C000-memory.dmp	modiloader_stage2
behavioral2/files/0x0007000000023cbf-53.dat	modiloader_stage2
behavioral2/memory/1152-61-0x0000000000400000-0x000000000041B000-memory.dmp	modiloader_stage2
behavioral2/memory/2264-62-0x0000000000400000-0x0000000000507000-memory.dmp	modiloader_stage2
behavioral2/files/0x0007000000023cc1-65.dat	modiloader_stage2
behavioral2/memory/2856-73-0x0000000000400000-0x000000000041B000-memory.dmp	modiloader_stage2
behavioral2/files/0x0007000000023cc4-71.dat	modiloader_stage2
behavioral2/memory/652-83-0x0000000000400000-0x000000000041B000-memory.dmp	modiloader_stage2
behavioral2/memory/2264-123-0x0000000000400000-0x0000000000507000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
1820	dHY4IvP3.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2868	tasklist.exe
2976	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 2264	1972	e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe	84

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2264-8-0x0000000000400000-0x0000000000507000-memory.dmp	upx
behavioral2/memory/2264-7-0x0000000000400000-0x0000000000507000-memory.dmp	upx
behavioral2/memory/2264-6-0x0000000000400000-0x0000000000507000-memory.dmp	upx
behavioral2/memory/2264-5-0x0000000000400000-0x0000000000507000-memory.dmp	upx
behavioral2/memory/2264-0-0x0000000000400000-0x0000000000507000-memory.dmp	upx
behavioral2/memory/2264-1-0x0000000000400000-0x0000000000507000-memory.dmp	upx
behavioral2/memory/2264-62-0x0000000000400000-0x0000000000507000-memory.dmp	upx
behavioral2/memory/3640-75-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3640-74-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3640-70-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3640-67-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1084-86-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1084-87-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1084-85-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1084-80-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1084-79-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3640-102-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/2264-123-0x0000000000400000-0x0000000000507000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dHY4IvP3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1820	dHY4IvP3.exe
1820	dHY4IvP3.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2264	e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe
1820	dHY4IvP3.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2264	1972	e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe	84
PID 1972 wrote to memory of 2264	1972	e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe	84
PID 1972 wrote to memory of 2264	1972	e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe	84
PID 1972 wrote to memory of 2264	1972	e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe	84
PID 1972 wrote to memory of 2264	1972	e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe	84
PID 1972 wrote to memory of 2264	1972	e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe	84
PID 1972 wrote to memory of 2264	1972	e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe	84
PID 1972 wrote to memory of 2264	1972	e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe	84
PID 1972 wrote to memory of 2264	1972	e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe	84
PID 2264 wrote to memory of 1820	2264	e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe	85
PID 2264 wrote to memory of 1820	2264	e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe	85
PID 2264 wrote to memory of 1820	2264	e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe
  e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\dHY4IvP3.exe
    C:\Users\Admin\dHY4IvP3.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1820
  - - C:\Users\Admin\ziuoqat.exe
      "C:\Users\Admin\ziuoqat.exe"
      4⤵
      PID:4824
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del dHY4IvP3.exe
      4⤵
      PID:3976
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:2976
- - C:\Users\Admin\azhost.exe
    C:\Users\Admin\azhost.exe
    3⤵
    PID:1152
  - - C:\Users\Admin\azhost.exe
      azhost.exe
      4⤵
      PID:3540
- - C:\Users\Admin\bzhost.exe
    C:\Users\Admin\bzhost.exe
    3⤵
    PID:2856
  - - C:\Users\Admin\bzhost.exe
      bzhost.exe
      4⤵
      PID:3640
- - C:\Users\Admin\czhost.exe
    C:\Users\Admin\czhost.exe
    3⤵
    PID:652
  - - C:\Users\Admin\czhost.exe
      czhost.exe
      4⤵
      PID:1084
- - C:\Users\Admin\dzhost.exe
    C:\Users\Admin\dzhost.exe
    3⤵
    PID:2432
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:2824
- - C:\Users\Admin\ezhost.exe
    C:\Users\Admin\ezhost.exe
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe
    3⤵
    PID:548
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

1

T1057

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\azhost.exe

Filesize
248KB

MD5
27ef898ce7ec9c0b79a6996a0b419de1

SHA1
4e8aed756fbc6133af13028c33366d2eaa43f954

SHA256
f08df8dd8e3fe3de4a1ba4ba3bd355a233cf7febd5917b982ec5a949726c36a6

SHA512
5c7fa67e7ed1e8ce238e58f0b55618d1fc13af4e19d9267f6e88e277beb2f10e6c0f0027a532a2d1d4b6e40da1b31dfcacf50ccb71a75dc231ff876869b6787a

Download Submit
C:\Users\Admin\bzhost.exe

Filesize
138KB

MD5
4e22775699416e81275fea3266e14bba

SHA1
32cc2479a30abd1b40b3b7e959ac32317fa124fd

SHA256
95dc812e94d5ba0842af45685ca7262b55607336fcf4becda83dbb6416beffa9

SHA512
34b13e9142a9c4251c78d876f02f9e86f22253950d3f9126dacd8ec6f0f3bbd36146381ce16b130d794c4bbc1ba08aa4df8e2e7af0c3900035d486242c81e3bf

Download Submit
C:\Users\Admin\czhost.exe

Filesize
96KB

MD5
fb7e8882346223dfbad778b5a7f74f32

SHA1
8285032fbab2f9f52533657d46df457ab64d0e15

SHA256
6d6fa60b26cd2fc87c94afb20e7f3b35d6eca76d5a46191b8df802d30d4cbc3e

SHA512
31e3963dd156da4a57b3ffd37b857ee1d433c61dc22eb56356f2171b282f3735a1c31d65b3a0b431151b55bfebf964f82c5aa13a12f1c2a8a580840a7ea5da32

Download Submit
C:\Users\Admin\dHY4IvP3.exe

Filesize
288KB

MD5
e2a16fca33158332dbb3c66021fe8e3b

SHA1
9b784a05bf73e0bffbc2d6afe9acb4ca9d44a355

SHA256
17b36341825621fdf4a959b52c510dbf1295e89d380499b2d02a87d76ed68a82

SHA512
6ec42b9cbd79a0835abdb2e7e4484d143bea726d9d17929482d1efb16590d895bcbe24e7957dcfc26f093f7a6d1dc07644c649d5918227f101a2515dddb86550

Download Submit
C:\Users\Admin\dzhost.exe

Filesize
221KB

MD5
5b414fb77d0dbec97ee529ec0bbcbeaf

SHA1
359cd24cd341f75eb46b99375824f6b649443f8e

SHA256
62027b13d4918e5e644952c977960a5e6dfe241e2bb35b387de0bfd0b752e882

SHA512
887b1b93e51d21927ffba49536f281003eef1dbee7634a08cab256f07701d54fe755acab7ae4a513c754067e4144c44c3580689ce187fd584ba440ab748a2360

Download Submit
C:\Users\Admin\ezhost.exe

Filesize
28KB

MD5
46ede15ce82c221c24bf81b2de1be7e8

SHA1
c332a5ec7aeb213c13449626156f6623351a4393

SHA256
a360c27de3799bf85f2501d4b375744394643fd50f8ecf5241d170b5cb7f6782

SHA512
517f497a4783a0f67ccfca641d93b7f20505c89d6252229f5b97df674f7be20ae48d4732c137ba081c2c1f8ec712371fa4ba4602873e11c0e02b109a00b6c316

Download Submit
C:\Users\Admin\ziuoqat.exe

Filesize
288KB

MD5
f3e39f8a1d361c1318782708d7b36a2a

SHA1
62bd505584b5446ba073a63233229ba501263ef9

SHA256
6bf14663a661b786fe26a4ef03a1c898ab102460a21d7249080b9fa36091380e

SHA512
4d1b1bc2415a9529a18ad33ac15d90aa68b41d1cc9cd844d8dddc65eaad8e51f86e52bc37e5115eeb8ee4bfe645d3bc3dda9c17799fe819f08efdb2a25ec21d8

Download Submit
memory/652-83-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1084-85-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1084-87-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1084-86-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1084-80-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1084-79-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1152-61-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1972-4-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2264-62-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2264-1-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2264-6-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2264-5-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2264-7-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2264-8-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2264-123-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2264-0-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2432-90-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2432-95-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2856-73-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3540-56-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3540-54-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3540-92-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3540-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3540-59-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3540-57-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3640-67-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3640-70-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3640-74-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3640-75-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3640-102-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing