modiloader | 138069e0bf72736ae7cdb5440520404aff42a585b0c63208ea4189253763acd9

General

Target

fe1f14331b8628c6424048e47e5c9cf7_JaffaCakes118.exe
Size

661KB
MD5

fe1f14331b8628c6424048e47e5c9cf7
SHA1

8c7113d4f1aa159234e4c1354a149188cdcd9bfe
SHA256

138069e0bf72736ae7cdb5440520404aff42a585b0c63208ea4189253763acd9
SHA512

88a702b7920e744d826128eff1f1a884bb6370a682b167dea4221fe4bcec64592bb6f5922b89b42735f648c1e6052b1e08df95a8fc234ad76598d100e782b5c0
SSDEEP

12288:2inFP1tOUsMech9smfmd48Z3+5DqF3Z4mxxJDqVTVOCP5w:26s2h9smud4CO5WQmXgVTzhw

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/files/0x00090000000161f6-31.dat	modiloader_stage2
behavioral1/memory/2840-40-0x0000000000400000-0x00000000004B8000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2840	608.exe

Loads dropped DLL 2 IoCs

pid	Process
2316	fe1f14331b8628c6424048e47e5c9cf7_JaffaCakes118.exe
2316	fe1f14331b8628c6424048e47e5c9cf7_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fe1f14331b8628c6424048e47e5c9cf7_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt	608.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe1f14331b8628c6424048e47e5c9cf7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	608.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2840	2316	fe1f14331b8628c6424048e47e5c9cf7_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2840	2316	fe1f14331b8628c6424048e47e5c9cf7_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2840	2316	fe1f14331b8628c6424048e47e5c9cf7_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2840	2316	fe1f14331b8628c6424048e47e5c9cf7_JaffaCakes118.exe	30
PID 2840 wrote to memory of 2156	2840	608.exe	31
PID 2840 wrote to memory of 2156	2840	608.exe	31
PID 2840 wrote to memory of 2156	2840	608.exe	31
PID 2840 wrote to memory of 2156	2840	608.exe	31

C:\Users\Admin\AppData\Local\Temp\fe1f14331b8628c6424048e47e5c9cf7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe1f14331b8628c6424048e47e5c9cf7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\608.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\608.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\608.exe

Filesize
671KB

MD5
2590ae0417cb99796ab3fb639e0555b0

SHA1
69a8c83287ca7ba58fe729a10ef5b29d76c1c5f6

SHA256
ab4ca72d8c5f02acd856f7801215ccb643d9e4699ed72655032d90e0bdf92dec

SHA512
3cf519127b974dd73dba3d3857d33bf1e5f7dae5825dbeb9c12195006460cfe4e8afb14494a2e898c8792c09ddce9a6a84f0861f3af4ec8412f11d69634ac475

Download Submit
memory/2316-17-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2316-10-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/2316-8-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/2316-28-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2316-27-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2316-26-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/2316-16-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2316-24-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2316-23-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2316-22-0x0000000003120000-0x0000000003123000-memory.dmp

Filesize
12KB

Download
memory/2316-4-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2316-21-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2316-20-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2316-19-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2316-42-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2316-18-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2316-25-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2316-15-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2316-14-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2316-13-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2316-12-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2316-11-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2316-2-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/2316-9-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/2316-7-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/2316-6-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2316-5-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2316-3-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/2316-1-0x0000000000370000-0x00000000003C4000-memory.dmp

Filesize
336KB

Download
memory/2316-0-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2316-43-0x0000000000370000-0x00000000003C4000-memory.dmp

Filesize
336KB

Download
memory/2840-40-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads