modiloader | 494136e6c04604c4f69dd6af191cbbf555be4cb359e4febe47ff28bde6b17935

General

Target

JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe
Size

481KB
MD5

98425a307e6127b8cfdd89e97464b34c
SHA1

5d2d09033cf0a7e2da947422277b73be6c0feabe
SHA256

494136e6c04604c4f69dd6af191cbbf555be4cb359e4febe47ff28bde6b17935
SHA512

7ffc43004be7c74c23bdb99673ec2ef12dc36257e948206046b23e45094c9734aa132675255c2a082fac581961a77804b2616bd7c588ffe9deaf742faa78a5ed
SSDEEP

12288:80kgguy60j/7cRyfOSZ5w9zsYXDg6CIMALp4DtB7Yh3nS0Bt:800Ljo+ZnilC98eMh3S8t

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 10 IoCs

resource	yara_rule
behavioral1/memory/2400-12-0x0000000000400000-0x0000000000476000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-10-0x0000000000400000-0x0000000000476000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-19-0x0000000000400000-0x0000000000476000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-21-0x0000000000400000-0x0000000000476000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-18-0x0000000000400000-0x0000000000476000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-17-0x0000000000400000-0x0000000000476000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-14-0x0000000000400000-0x0000000000476000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-8-0x0000000000400000-0x0000000000476000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-6-0x0000000000400000-0x0000000000476000-memory.dmp	modiloader_stage2
behavioral1/memory/2400-40-0x0000000000400000-0x0000000000476000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2540	serveur.exe
2992	Loader.exe

Loads dropped DLL 3 IoCs

pid	Process
2400	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe
2400	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe
2400	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1364 set thread context of 2400	1364	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1364	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2400	1364	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	28
PID 1364 wrote to memory of 2400	1364	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	28
PID 1364 wrote to memory of 2400	1364	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	28
PID 1364 wrote to memory of 2400	1364	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	28
PID 1364 wrote to memory of 2400	1364	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	28
PID 1364 wrote to memory of 2400	1364	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	28
PID 1364 wrote to memory of 2400	1364	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	28
PID 1364 wrote to memory of 2400	1364	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	28
PID 1364 wrote to memory of 2400	1364	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	28
PID 1364 wrote to memory of 2400	1364	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	28
PID 1364 wrote to memory of 2400	1364	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	28
PID 1364 wrote to memory of 2400	1364	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	28
PID 2400 wrote to memory of 2540	2400	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	29
PID 2400 wrote to memory of 2540	2400	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	29
PID 2400 wrote to memory of 2540	2400	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	29
PID 2400 wrote to memory of 2540	2400	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	29
PID 2400 wrote to memory of 2992	2400	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	30
PID 2400 wrote to memory of 2992	2400	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	30
PID 2400 wrote to memory of 2992	2400	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	30
PID 2400 wrote to memory of 2992	2400	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\serveur.exe
    "C:\Users\Admin\AppData\Local\Temp\serveur.exe"
    3⤵
    - Executes dropped EXE
    PID:2540
- - C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C19H28O2.ini

Filesize
130B

MD5
0f3770cc22fab7b20d5141d7fc535dc0

SHA1
9f28e97abdc6f8ebd29c22fd5f8647bc862d1ca5

SHA256
570c8487e7c043f34a3cf0268b68c4e5763502124e6664ed158f74ae66e66c69

SHA512
d374a158b846831dcb33cb05a75f60fe8b3939f51153ac4b39606eb84fa1be1f0d7b931c4e82cc3e9fead7cd36ae6c8ff4d261ca761efe410c345d3daf4c06d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
425KB

MD5
d23870dfc80a0a66c163c983f5c2b9c3

SHA1
45abee8e6d13682e5332edb0533af211c31021ff

SHA256
119b89e2989184f8d1d6c45d45e778fe13e5cb800ed8cb5e974862cbc571233f

SHA512
03dd00c115614da28585dd4957bcdb06cb712e4b57e862c5715f08ac2f0bba8c763d94300c6776b358e93ae082fdb22ec96db2cae721f3243f53a1b388c8e414

Download Submit
C:\Users\Admin\AppData\Local\Temp\serveur.exe

Filesize
10KB

MD5
e385fca84eb38eb437399f25c9650cdc

SHA1
a88f78a46d3e9f0e79b4e8f3f72117f44f430f64

SHA256
2c28bd7c0c235c3164a6e6b4b8d28c10860bdbc192cf99af69881932f82c7a41

SHA512
0e5a1b0c072c329ca428a4edd344ec45d4511a4cb4639d45e8f239b19970b176d4078066b6d9ea2ffe8cc3a02ba1373c6d3b4ac140d7ff7827799d5032add409

Download Submit
memory/2400-18-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2400-6-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2400-17-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2400-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2400-14-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2400-21-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2400-8-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2400-12-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2400-4-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2400-2-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2400-40-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2400-19-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2400-35-0x00000000025E0000-0x0000000002650000-memory.dmp

Filesize
448KB

Download
memory/2400-10-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2992-52-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2992-53-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing