modiloader | f49b9da3a0a6e7c7821c4ace1529ece8917124037295240503f51e17db789fe5

General

Target

JaffaCakes118_0dfcf96a5bf4b57adca7f7b7be626f64.exe
Size

333KB
MD5

0dfcf96a5bf4b57adca7f7b7be626f64
SHA1

b29e5f05ac7608c012ac1e1fc58f7c0b80d1f2de
SHA256

f49b9da3a0a6e7c7821c4ace1529ece8917124037295240503f51e17db789fe5
SHA512

ffc0638ae0dc0bd9255528c583cacfdb77a6d9391df852587ac10629d41b24c4cea837f78cc37a76fba1165e0f7ff44a38a14a7c818db914d43014d82d39f752
SSDEEP

3072:v0lMPUmWwL20OKsfdk8FnWZ4ufMXjFWT8i1Rw+x3psL4ISZSm/6YUWafcy9K0Rbs:0MPhWwy0PeKgWGu1aNK0dGhxDB

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2024-13-0x0000000000400000-0x000000000045A000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2700	server7.exe
2720	server7.exe

Loads dropped DLL 3 IoCs

pid	Process
2024	JaffaCakes118_0dfcf96a5bf4b57adca7f7b7be626f64.exe
2024	JaffaCakes118_0dfcf96a5bf4b57adca7f7b7be626f64.exe
2700	server7.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2700 set thread context of 2720	2700	server7.exe	33
PID 2700 set thread context of 0	2700	server7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0dfcf96a5bf4b57adca7f7b7be626f64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server7.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1068	DllHost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2700	server7.exe
1068	DllHost.exe
1068	DllHost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2700	2024	JaffaCakes118_0dfcf96a5bf4b57adca7f7b7be626f64.exe	32
PID 2024 wrote to memory of 2700	2024	JaffaCakes118_0dfcf96a5bf4b57adca7f7b7be626f64.exe	32
PID 2024 wrote to memory of 2700	2024	JaffaCakes118_0dfcf96a5bf4b57adca7f7b7be626f64.exe	32
PID 2024 wrote to memory of 2700	2024	JaffaCakes118_0dfcf96a5bf4b57adca7f7b7be626f64.exe	32
PID 2700 wrote to memory of 2720	2700	server7.exe	33
PID 2700 wrote to memory of 2720	2700	server7.exe	33
PID 2700 wrote to memory of 2720	2700	server7.exe	33
PID 2700 wrote to memory of 2720	2700	server7.exe	33
PID 2700 wrote to memory of 2720	2700	server7.exe	33
PID 2700 wrote to memory of 2720	2700	server7.exe	33
PID 2700 wrote to memory of 2720	2700	server7.exe	33
PID 2700 wrote to memory of 2720	2700	server7.exe	33
PID 2700 wrote to memory of 0	2700	server7.exe
PID 2700 wrote to memory of 0	2700	server7.exe
PID 2700 wrote to memory of 0	2700	server7.exe
PID 2700 wrote to memory of 0	2700	server7.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0dfcf96a5bf4b57adca7f7b7be626f64.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0dfcf96a5bf4b57adca7f7b7be626f64.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\server7.exe
  "C:\Users\Admin\AppData\Local\Temp\server7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\server7.exe
    "C:\Users\Admin\AppData\Local\Temp\server7.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2720

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\haifa-wehbe-026[1].jpg

Filesize
69KB

MD5
518a942729d24a175947ac9def09a9bf

SHA1
44e620a97bcc2e1419f4ddeeca82878e575672a0

SHA256
11108b011400b12964f52bd628abdde9ba0127a22282704264bc93e16a943e84

SHA512
2eda8b7a827696101280d73ff5ffea99658de2058f52bebd4c10ab5c5834270a21649cc16f9974bc5feacf04bc560853bdb195e9e108b4a0e209c549100f9b34

Download Submit
\Users\Admin\AppData\Local\Temp\server7.exe

Filesize
252KB

MD5
03ec59d46f70ebcd465e300f3cbfc3db

SHA1
3c5a71e00aaa4cafe4b9a999bfdeac0b14c5c4a5

SHA256
0ff91104c403e3bd08fa4062dd58a1c7b0d46e3ef7c82cd37ab92d3931ea8d15

SHA512
2e81df007a07228d0873286bbc052e765c1994fbca67d983a62a407e655feb2d5300284490d545251484d65a3370cec041adff97621360c26294ba9ae2ef2d4a

Download Submit
memory/1068-2-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/1068-5-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1068-27-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2024-1-0x0000000002340000-0x0000000002342000-memory.dmp

Filesize
8KB

Download
memory/2024-13-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2720-18-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2720-22-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2720-23-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing