modiloader | 259ec179be1b7362f26ae44c9fae099f421f533717ab8ad21e4f6011ff065625

General

Target

JaffaCakes118_044bb67ef79368248d90297e17ca515e.exe
Size

707KB
MD5

044bb67ef79368248d90297e17ca515e
SHA1

76b621d9f387c5c34b66bf00f9e2444b70c8d93b
SHA256

259ec179be1b7362f26ae44c9fae099f421f533717ab8ad21e4f6011ff065625
SHA512

90bcbab424a6639f928339286ed3a37cfe9a1fb7e1ed9d7df6d3f5a40ea9a84b3399b47dc2316b4c4a0a8f7d265cf6b9d20f1f4a7864068018f0e9558c7941ab
SSDEEP

12288:3Zj/S5Ys9wAKbdVLO+KwtL1kYzz5z4nJ/cwqt0DMT78:pLSD9wA+/p1fd4n+wHMTw

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 20 IoCs

resource	yara_rule
behavioral2/memory/3324-1-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral2/memory/3324-0-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral2/memory/3676-2-0x0000000000400000-0x00000000004B8000-memory.dmp	modiloader_stage2
behavioral2/memory/3324-3-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral2/memory/3324-4-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral2/memory/3324-5-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral2/memory/3324-6-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral2/files/0x0008000000023c9a-10.dat	modiloader_stage2
behavioral2/memory/2204-15-0x0000000000400000-0x00000000004B8000-memory.dmp	modiloader_stage2
behavioral2/memory/3324-17-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-18-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-20-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-22-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-21-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-23-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-24-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-30-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-31-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-37-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-38-0x0000000000400000-0x00000000004C0000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2204	ggf.exe
4008	ggf.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3676 set thread context of 3324	3676	JaffaCakes118_044bb67ef79368248d90297e17ca515e.exe	83
PID 2204 set thread context of 4008	2204	ggf.exe	85

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\ggf.exe	JaffaCakes118_044bb67ef79368248d90297e17ca515e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\ggf.exe	JaffaCakes118_044bb67ef79368248d90297e17ca515e.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_044bb67ef79368248d90297e17ca515e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_044bb67ef79368248d90297e17ca515e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ggf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ggf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 3324	3676	JaffaCakes118_044bb67ef79368248d90297e17ca515e.exe	83
PID 3676 wrote to memory of 3324	3676	JaffaCakes118_044bb67ef79368248d90297e17ca515e.exe	83
PID 3676 wrote to memory of 3324	3676	JaffaCakes118_044bb67ef79368248d90297e17ca515e.exe	83
PID 3676 wrote to memory of 3324	3676	JaffaCakes118_044bb67ef79368248d90297e17ca515e.exe	83
PID 3676 wrote to memory of 3324	3676	JaffaCakes118_044bb67ef79368248d90297e17ca515e.exe	83
PID 3324 wrote to memory of 2204	3324	JaffaCakes118_044bb67ef79368248d90297e17ca515e.exe	84
PID 3324 wrote to memory of 2204	3324	JaffaCakes118_044bb67ef79368248d90297e17ca515e.exe	84
PID 3324 wrote to memory of 2204	3324	JaffaCakes118_044bb67ef79368248d90297e17ca515e.exe	84
PID 2204 wrote to memory of 4008	2204	ggf.exe	85
PID 2204 wrote to memory of 4008	2204	ggf.exe	85
PID 2204 wrote to memory of 4008	2204	ggf.exe	85
PID 2204 wrote to memory of 4008	2204	ggf.exe	85
PID 2204 wrote to memory of 4008	2204	ggf.exe	85
PID 3324 wrote to memory of 1752	3324	JaffaCakes118_044bb67ef79368248d90297e17ca515e.exe	86
PID 3324 wrote to memory of 1752	3324	JaffaCakes118_044bb67ef79368248d90297e17ca515e.exe	86
PID 3324 wrote to memory of 1752	3324	JaffaCakes118_044bb67ef79368248d90297e17ca515e.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_044bb67ef79368248d90297e17ca515e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_044bb67ef79368248d90297e17ca515e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_044bb67ef79368248d90297e17ca515e.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_044bb67ef79368248d90297e17ca515e.exe
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Program Files\Common Files\Microsoft Shared\MSINFO\ggf.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSINFO\ggf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Program Files\Common Files\Microsoft Shared\MSINFO\ggf.exe
      "C:\Program Files\Common Files\Microsoft Shared\MSINFO\ggf.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4008
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c erase /F C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_044bb67ef79368248d90297e17ca515e.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\MSInfo\ggf.exe

Filesize
707KB

MD5
044bb67ef79368248d90297e17ca515e

SHA1
76b621d9f387c5c34b66bf00f9e2444b70c8d93b

SHA256
259ec179be1b7362f26ae44c9fae099f421f533717ab8ad21e4f6011ff065625

SHA512
90bcbab424a6639f928339286ed3a37cfe9a1fb7e1ed9d7df6d3f5a40ea9a84b3399b47dc2316b4c4a0a8f7d265cf6b9d20f1f4a7864068018f0e9558c7941ab

Download Submit
memory/2204-15-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3324-1-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3324-0-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3324-3-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3324-4-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3324-5-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3324-6-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3324-17-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3676-2-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4008-18-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4008-20-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4008-22-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4008-21-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4008-23-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4008-24-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4008-30-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4008-31-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4008-37-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4008-38-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download

Analysis

Sharing