modiloader | d1b089f79f28d32676832588bf3b7ce2e8cad71f23f84544066cb9e85c792669

General

Target

JaffaCakes118_1c0ee75595c06ee92f829fbf06710198.exe
Size

237KB
MD5

1c0ee75595c06ee92f829fbf06710198
SHA1

7d90b75f2fa732511b4f8459dc1e91ec8944f9e4
SHA256

d1b089f79f28d32676832588bf3b7ce2e8cad71f23f84544066cb9e85c792669
SHA512

86ada2872cb95d2133b3db0dfa1a05ceb32c68c2c4a1f4225173e96f3793d9f4c7628d8dcb6a963690dafa0d97487037b3d2e3d87d092b069e3b5f29059a55a0
SSDEEP

6144:UfVqfF+Nx6wk7tl7/kRUqBVyv3W/MMwohDewIw:wSQ2dhu0M7qw

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2292-35-0x0000000000400000-0x000000000047E000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
1692	Setup.exe
2292	ade.exe

Loads dropped DLL 9 IoCs

pid	Process
604	JaffaCakes118_1c0ee75595c06ee92f829fbf06710198.exe
1692	Setup.exe
1692	Setup.exe
1692	Setup.exe
1692	Setup.exe
1692	Setup.exe
2292	ade.exe
2292	ade.exe
2292	ade.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Setup.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1c0ee75595c06ee92f829fbf06710198.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ade.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 604 wrote to memory of 1692	604	JaffaCakes118_1c0ee75595c06ee92f829fbf06710198.exe	31
PID 604 wrote to memory of 1692	604	JaffaCakes118_1c0ee75595c06ee92f829fbf06710198.exe	31
PID 604 wrote to memory of 1692	604	JaffaCakes118_1c0ee75595c06ee92f829fbf06710198.exe	31
PID 604 wrote to memory of 1692	604	JaffaCakes118_1c0ee75595c06ee92f829fbf06710198.exe	31
PID 604 wrote to memory of 1692	604	JaffaCakes118_1c0ee75595c06ee92f829fbf06710198.exe	31
PID 604 wrote to memory of 1692	604	JaffaCakes118_1c0ee75595c06ee92f829fbf06710198.exe	31
PID 604 wrote to memory of 1692	604	JaffaCakes118_1c0ee75595c06ee92f829fbf06710198.exe	31
PID 1692 wrote to memory of 2292	1692	Setup.exe	32
PID 1692 wrote to memory of 2292	1692	Setup.exe	32
PID 1692 wrote to memory of 2292	1692	Setup.exe	32
PID 1692 wrote to memory of 2292	1692	Setup.exe	32
PID 1692 wrote to memory of 2292	1692	Setup.exe	32
PID 1692 wrote to memory of 2292	1692	Setup.exe	32
PID 1692 wrote to memory of 2292	1692	Setup.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c0ee75595c06ee92f829fbf06710198.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c0ee75595c06ee92f829fbf06710198.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:604
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  C:\Users\Admin\AppData\Local\Temp\Setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ade.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ade.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ade.exe

Filesize
189KB

MD5
7c26e6695100d65f74dd4721a31f1e03

SHA1
c16e59d86420898e2fad1fd3ac80b4129fb4d72c

SHA256
4a7953a1b570493bf44316c936ade1a97f7068cc5a0a1758f9b117d9817b6d1b

SHA512
0e04ee7615db7118e5309e9fd556c4b77e0276fad54ea011ad8aac70457b7d2286e5b3491b171aa52e5bc2fa1570ef3597708a7115ff0d166382051ae37f97e2

Download Submit
\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
204KB

MD5
81debcf35a5b32c1e948a609c7ee7f85

SHA1
27b3995a7e660c4818a9128ec793fa5204853cee

SHA256
a38801fd2e91d91605e1f66c273e84ed57681fb6405e0526f54bddde71bcaaeb

SHA512
527690d2f9ab802da7d67f0d80cd3f985a92d418d50f257d43830af3989955fcdc7013c59450ec15fe47453dbc81148044cd1cb623716adae9d2a55a5992c479

Download Submit
memory/604-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/604-4-0x0000000000220000-0x0000000000292000-memory.dmp

Filesize
456KB

Download
memory/604-36-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1692-25-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1692-12-0x0000000000170000-0x00000000001E2000-memory.dmp

Filesize
456KB

Download
memory/1692-15-0x0000000001000000-0x0000000001072000-memory.dmp

Filesize
456KB

Download
memory/1692-13-0x000000000103D000-0x000000000103E000-memory.dmp

Filesize
4KB

Download
memory/1692-14-0x0000000001000000-0x0000000001072000-memory.dmp

Filesize
456KB

Download
memory/1692-24-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1692-32-0x0000000001000000-0x0000000001072000-memory.dmp

Filesize
456KB

Download
memory/1692-33-0x000000000103D000-0x000000000103E000-memory.dmp

Filesize
4KB

Download
memory/1692-34-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1692-8-0x0000000001000000-0x0000000001072000-memory.dmp

Filesize
456KB

Download
memory/2292-27-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2292-35-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads