modiloader | a54d77207216846a752b63e2c573f2de5fef47656225efc4decd158455f61582

General

Target

JaffaCakes118_03c03727ff292aafd48d6abcbebc8d76.exe
Size

1.2MB
MD5

03c03727ff292aafd48d6abcbebc8d76
SHA1

cb9f5c55a44a49138a998c2884e8828746386597
SHA256

a54d77207216846a752b63e2c573f2de5fef47656225efc4decd158455f61582
SHA512

1742fc065f139a47c03ff32df3b6b2bb14d9e18eff3529d366d420fd0c4557dfae1b334942745db6b873335e49d745bb6606d0c938e8350f9bf6c8963671a92f
SSDEEP

24576:G99jZm9amAuGmG/N2jVoyy5kiubya6PjauAUeM3Nw5W+7ma+I:G99j8amAuG9V2RoX5/XaEhB3qgO

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/1684-36-0x0000000000400000-0x000000000072C000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
236	dox.exe
2716	EromUpgrade.exe

Loads dropped DLL 4 IoCs

pid	Process
1684	JaffaCakes118_03c03727ff292aafd48d6abcbebc8d76.exe
1684	JaffaCakes118_03c03727ff292aafd48d6abcbebc8d76.exe
1684	JaffaCakes118_03c03727ff292aafd48d6abcbebc8d76.exe
1684	JaffaCakes118_03c03727ff292aafd48d6abcbebc8d76.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_03c03727ff292aafd48d6abcbebc8d76.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EromUpgrade.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
236	dox.exe
236	dox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2716	EromUpgrade.exe
2716	EromUpgrade.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 236	1684	JaffaCakes118_03c03727ff292aafd48d6abcbebc8d76.exe	30
PID 1684 wrote to memory of 236	1684	JaffaCakes118_03c03727ff292aafd48d6abcbebc8d76.exe	30
PID 1684 wrote to memory of 236	1684	JaffaCakes118_03c03727ff292aafd48d6abcbebc8d76.exe	30
PID 1684 wrote to memory of 236	1684	JaffaCakes118_03c03727ff292aafd48d6abcbebc8d76.exe	30
PID 1684 wrote to memory of 2716	1684	JaffaCakes118_03c03727ff292aafd48d6abcbebc8d76.exe	31
PID 1684 wrote to memory of 2716	1684	JaffaCakes118_03c03727ff292aafd48d6abcbebc8d76.exe	31
PID 1684 wrote to memory of 2716	1684	JaffaCakes118_03c03727ff292aafd48d6abcbebc8d76.exe	31
PID 1684 wrote to memory of 2716	1684	JaffaCakes118_03c03727ff292aafd48d6abcbebc8d76.exe	31
PID 236 wrote to memory of 1208	236	dox.exe	21
PID 236 wrote to memory of 1208	236	dox.exe	21
PID 236 wrote to memory of 1208	236	dox.exe	21
PID 236 wrote to memory of 1208	236	dox.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_03c03727ff292aafd48d6abcbebc8d76.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_03c03727ff292aafd48d6abcbebc8d76.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\dox.exe
    "C:\Users\Admin\AppData\Local\Temp\dox.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:236
- - C:\Users\Admin\AppData\Local\Temp\EromUpgrade.exe
    "C:\Users\Admin\AppData\Local\Temp\EromUpgrade.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EromUpgrade.exe

Filesize
384KB

MD5
8b8cabd93997db913a68cfc39a0b881e

SHA1
f0fea8e209dbfa28452047eb571d22720a3c7674

SHA256
25a1f18fb6ae9d208a2c0b218bdc38fbad2f50c4c510c756a11b16e452d830b3

SHA512
3470e85b514a4855e9c7eaa2802a4fe94f834135a54324476817a3a05c855d86b69449b6379dfe0266eb3a1e2479f02adb6834334d9895cd50629322ad141e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\compatui.dll

Filesize
437KB

MD5
9afd61a19fdd19ebf9c6691832e55b72

SHA1
fd815bfbd74e68c08e9be7fd2ad57907b61b5da5

SHA256
6fc86274873dbe417b02b296d881e85b84f34fd8b64717f36ea12de634674b76

SHA512
61be9e4f4f9accd62efbd4e1658f07b8ff92a654a974ad93dc9a9100697e1c919c4777b6b25e89b7c438c109600ae009341801575702a585dcd9939eefaf8605

Download Submit
\Users\Admin\AppData\Local\Temp\dox.exe

Filesize
29KB

MD5
c751cd28dcd80bdb3896a599d93309a3

SHA1
fa4be6f399e91f0eeb99fae11b402ff3bec4782f

SHA256
07c56308846620a0e7a83cbf968372b4e68c6c34bf2da54542df557cd7e8fa41

SHA512
ad1ee1b87de8a8454c6beaec37a015098352d1e65246c510afa32e19d7d96eb07246a9c49381abc0ddf2ede2d2dedc10554541b716eb81758feab962b5326444

Download Submit
memory/236-21-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/1208-43-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1208-40-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1684-3-0x0000000002060000-0x0000000002070000-memory.dmp

Filesize
64KB

Download
memory/1684-4-0x0000000001FB0000-0x0000000001FC0000-memory.dmp

Filesize
64KB

Download
memory/1684-7-0x0000000076CD0000-0x0000000076DE0000-memory.dmp

Filesize
1.1MB

Download
memory/1684-10-0x0000000076CD0000-0x0000000076DE0000-memory.dmp

Filesize
1.1MB

Download
memory/1684-2-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/1684-18-0x0000000001FD0000-0x0000000001FD9000-memory.dmp

Filesize
36KB

Download
memory/1684-0-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1684-8-0x0000000076CD0000-0x0000000076DE0000-memory.dmp

Filesize
1.1MB

Download
memory/1684-5-0x00000000777E0000-0x00000000777E1000-memory.dmp

Filesize
4KB

Download
memory/1684-36-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/1684-37-0x0000000001E80000-0x0000000001ECE000-memory.dmp

Filesize
312KB

Download
memory/1684-38-0x0000000076CD0000-0x0000000076DE0000-memory.dmp

Filesize
1.1MB

Download
memory/1684-6-0x0000000076CE1000-0x0000000076CE2000-memory.dmp

Filesize
4KB

Download
memory/1684-1-0x0000000001E80000-0x0000000001ECE000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing