modiloader | 10b24899511bcd992d87bd2ac542d9fd4a8f88cd7351122f3aba5c5e3e2a56de

General

Target

JaffaCakes118_917448b418c1e7f90f0790ba7379ae45.exe
Size

593KB
MD5

917448b418c1e7f90f0790ba7379ae45
SHA1

5f358bf0cc8f6cb55b9c585936d244c4019bbc50
SHA256

10b24899511bcd992d87bd2ac542d9fd4a8f88cd7351122f3aba5c5e3e2a56de
SHA512

ea5e093369c3d75e22ec0428cb0040163782ddf112bb9c684fde15c198e7a087392048a4a46d845f4f5d5e305c1865874b69395ec68ce9a9383ac1163685f4a8
SSDEEP

12288:mb+yuFbtXnmVCVUJpbd6rbyqdVOxp6xRQ1kwruDrSe/mIz:Iv4tXnmbxd662AGFBHFm0

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/264-21-0x0000000000220000-0x0000000000244000-memory.dmp	modiloader_stage2
behavioral1/memory/2380-24-0x00000000024D0000-0x00000000024F4000-memory.dmp	modiloader_stage2
behavioral1/memory/264-29-0x0000000000220000-0x0000000000244000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
264	server.exe

Loads dropped DLL 4 IoCs

pid	Process
2900	JaffaCakes118_917448b418c1e7f90f0790ba7379ae45.exe
2900	JaffaCakes118_917448b418c1e7f90f0790ba7379ae45.exe
264	server.exe
2380	DllHost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\atmQQ2.dll	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_917448b418c1e7f90f0790ba7379ae45.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
264	server.exe
264	server.exe
264	server.exe
264	server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2380	DllHost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
264	server.exe
2380	DllHost.exe
2380	DllHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 264	2900	JaffaCakes118_917448b418c1e7f90f0790ba7379ae45.exe	31
PID 2900 wrote to memory of 264	2900	JaffaCakes118_917448b418c1e7f90f0790ba7379ae45.exe	31
PID 2900 wrote to memory of 264	2900	JaffaCakes118_917448b418c1e7f90f0790ba7379ae45.exe	31
PID 2900 wrote to memory of 264	2900	JaffaCakes118_917448b418c1e7f90f0790ba7379ae45.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_917448b418c1e7f90f0790ba7379ae45.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_917448b418c1e7f90f0790ba7379ae45.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:264

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0449296[1].jpg

Filesize
58KB

MD5
9737f61430bf246de68a446631e0280a

SHA1
7637141520e11505bf56a1dd9dbf3bdb027ad448

SHA256
0fc2269a9843c4a5ed07ee2fd7b3abc36e0e2ee601595af814c3c958e81b8bb4

SHA512
f736e02dcf48ba8db33a612b0f4e669aa48e509914ad1a355b8eb286c50e04ea81676b8a51c7cad10a14befa510fd97c47b02f4a5c5828871a5ad0d1ca27734a

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\atmQQ2.dll

Filesize
21KB

MD5
c0b2ee2b58f1116e1f189400e8fd0546

SHA1
3c7ec31c9c5bf1e6cc9ca4be7420de3028020ec1

SHA256
07da60db73af5a7152c729d3e5fb6e6e67064d142abf5347eb02f054562486d0

SHA512
3ed12b7432b966254546e6f52a26e995aff0cbb7d811bf1d3da6391430757cedd1fad69749a6b27f16a437c4f88eeaeaee7a72a8a74a498d22714e5622b7a39d

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
40KB

MD5
b64a531ac458a9465e7e24d400d6d5fe

SHA1
9b04997818407a5313c33c6a868d7ce87b04d6c0

SHA256
a0ff17ab2a2385e26b5b6d4065067f426aee21d001051cf85e2676f07a4b95a6

SHA512
6264c0a3052673697e951e9ad08f188f292701a61182d83ca99b452fd0f4776bf210d387819be6969b86bb70ca4ff8108b712ba083133739bce45bb71c16f824

Download Submit
memory/264-21-0x0000000000220000-0x0000000000244000-memory.dmp

Filesize
144KB

Download
memory/264-29-0x0000000000220000-0x0000000000244000-memory.dmp

Filesize
144KB

Download
memory/264-28-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/264-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/264-16-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2380-26-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2380-24-0x00000000024D0000-0x00000000024F4000-memory.dmp

Filesize
144KB

Download
memory/2380-6-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2380-3-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/2900-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2900-9-0x00000000035F0000-0x0000000003625000-memory.dmp

Filesize
212KB

Download
memory/2900-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2900-2-0x00000000033B0000-0x00000000033B2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing