modiloader | 9f862cef754e726bc881e9dbbef31c22dd8c4355d0c9a9b30b03ef95a2a2d6b3

General

Target

d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe
Size

385KB
MD5

d16b5cb93349fdf2b2058059cdfe9490
SHA1

0bc44ed6a29d60535d0fe65fd0b4358869f872f5
SHA256

9f862cef754e726bc881e9dbbef31c22dd8c4355d0c9a9b30b03ef95a2a2d6b3
SHA512

0bf12034cbf7d388b637a5ff0d3450f813477e84e2605dce8bb741f0f821c402f9ae4d32efd283ce63f43c47d8c4d697d07cf20bd717e2237ac29e87706876a2
SSDEEP

12288:7axtmuVh7uAINQvlaGUo9fi4JEXyMeKiQrhxb1v4:79lNQvlNUo84iXyMeJAxb1A

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe ZReload.scr"	csrss.exe

ModiLoader Second Stage 9 IoCs

resource	yara_rule
behavioral1/memory/1232-1-0x0000000000010000-0x0000000000077000-memory.dmp	modiloader_stage2
behavioral1/files/0x00080000000174a8-5.dat	modiloader_stage2
behavioral1/memory/1232-13-0x0000000000010000-0x0000000000077000-memory.dmp	modiloader_stage2
behavioral1/memory/2952-17-0x0000000001D80000-0x0000000001E2A000-memory.dmp	modiloader_stage2
behavioral1/files/0x00080000000174af-21.dat	modiloader_stage2
behavioral1/memory/2148-39-0x0000000000010000-0x0000000000077000-memory.dmp	modiloader_stage2
behavioral1/memory/676-43-0x0000000001D80000-0x0000000001E2A000-memory.dmp	modiloader_stage2
behavioral1/memory/2952-45-0x0000000001D80000-0x0000000001E2A000-memory.dmp	modiloader_stage2
behavioral1/memory/676-71-0x0000000001D80000-0x0000000001E2A000-memory.dmp	modiloader_stage2

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\services.exe	csrss.exe

Executes dropped EXE 3 IoCs

pid	Process
2148	csrss.exe
676	csrss.exe
2848	services.exe

Loads dropped DLL 4 IoCs

pid	Process
1232	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe
2148	csrss.exe
676	csrss.exe
676	csrss.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rlog.dllx	csrss.exe
File created	C:\Windows\SysWOW64\ZReload.scrx	csrss.exe
File created	C:\Windows\SysWOW64\Zreload.scr	csrss.exe
File opened for modification	C:\Windows\SysWOW64\ZReload.scr	csrss.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1232 set thread context of 2952	1232	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	30
PID 2148 set thread context of 676	2148	csrss.exe	34

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\csrss.exe	cmd.exe
File opened for modification	C:\Windows\csrss.exe	csrss.exe
File created	C:\Windows\csrss.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2848	services.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 2952	1232	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	30
PID 1232 wrote to memory of 2952	1232	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	30
PID 1232 wrote to memory of 2952	1232	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	30
PID 1232 wrote to memory of 2952	1232	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	30
PID 1232 wrote to memory of 2952	1232	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	30
PID 1232 wrote to memory of 2952	1232	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	30
PID 2952 wrote to memory of 2084	2952	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	31
PID 2952 wrote to memory of 2084	2952	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	31
PID 2952 wrote to memory of 2084	2952	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	31
PID 2952 wrote to memory of 2084	2952	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	31
PID 2952 wrote to memory of 2148	2952	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	33
PID 2952 wrote to memory of 2148	2952	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	33
PID 2952 wrote to memory of 2148	2952	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	33
PID 2952 wrote to memory of 2148	2952	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	33
PID 2148 wrote to memory of 676	2148	csrss.exe	34
PID 2148 wrote to memory of 676	2148	csrss.exe	34
PID 2148 wrote to memory of 676	2148	csrss.exe	34
PID 2148 wrote to memory of 676	2148	csrss.exe	34
PID 2148 wrote to memory of 676	2148	csrss.exe	34
PID 2148 wrote to memory of 676	2148	csrss.exe	34
PID 676 wrote to memory of 2848	676	csrss.exe	35
PID 676 wrote to memory of 2848	676	csrss.exe	35
PID 676 wrote to memory of 2848	676	csrss.exe	35
PID 676 wrote to memory of 2848	676	csrss.exe	35

C:\Users\Admin\AppData\Local\Temp\d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy "C:\Users\Admin\AppData\Local\Temp\d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe" "C:\Windows\csrss.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2084
- - C:\Windows\csrss.exe
    "C:\Windows\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\csrss.exe
      C:\Windows\csrss.exe
      4⤵
      Modifies WinLogon for persistence
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:676
    - - C:\Windows\SysWOW64\drivers\services.exe
        
        C:\Windows\system32\drivers\services.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kacir.bin

Filesize
10KB

MD5
ddb56c87d10647289236f9fe752d80cd

SHA1
e698b332a1a05bab72eb9f8f25d7e98314ae0124

SHA256
bd2e3f399610c873da9bc27204024524f481b10a22947193f6558246f05fae15

SHA512
c97e78ca6562a285270966b4af35e5103b8b9005a9c0b7c741cb58b941ab18ce2a6894c06087c0e7e0adae0a36113609583dbdc99a803dba0c63fbe3a768998c

Download Submit
C:\Windows\SysWOW64\Zreload.scr

Filesize
14KB

MD5
6abb069dc49bd126d961a5f6a86f6476

SHA1
ed739f57de5865f50e2d45c6ff561a7dac1d9aba

SHA256
5b8472a155319b7efb5c1014ac2e496a5d8d1983cf03c01109e5f9fc84856d11

SHA512
eb655772d493654a15a4ac43b5d26d4e17b934e720f0ea434177bf5cb3c4432ce3d0d4e5813b5da7925cedde729305bc4d8cb263ee20e618dc389dbd4bb0a246

Download Submit
C:\Windows\csrss.exe

Filesize
385KB

MD5
d16b5cb93349fdf2b2058059cdfe9490

SHA1
0bc44ed6a29d60535d0fe65fd0b4358869f872f5

SHA256
9f862cef754e726bc881e9dbbef31c22dd8c4355d0c9a9b30b03ef95a2a2d6b3

SHA512
0bf12034cbf7d388b637a5ff0d3450f813477e84e2605dce8bb741f0f821c402f9ae4d32efd283ce63f43c47d8c4d697d07cf20bd717e2237ac29e87706876a2

Download Submit
\Users\Admin\AppData\Local\Temp\kacir.dll

Filesize
19KB

MD5
dda37de6068ad16771e3a6464bb8778b

SHA1
903317703bfcd07e9bea7246920de98916017e08

SHA256
e5fa2290f69a152c53dec772142ddb3d4c04cb2ee25ad05b0ec97ab202361f11

SHA512
1d38ba967b34c6d48b8048bf282484bc6c8d6f3644a127a8102d3edbcf5dd854744da7e8f15b10b93b6124db634a7c891c1c175fca8a7b2e6810fc204132ea05

Download Submit
\Windows\SysWOW64\drivers\services.exe

Filesize
17KB

MD5
0a1fddec35b3b40756a26c044e22dbe1

SHA1
017d4e673666088307951a7cdc7bce85a351faaf

SHA256
a8da23fe337876557631d6122ae1ea0ab4fb1fd02f2c2b2c18317b53cd0c81b7

SHA512
7a3c30fa5cf5ea19774c094c54627a18beb7f21570710808d1c10e43aebcca654c13192617d027a264807fa4171cb2f52204642fd1be841a15d231bf75cf074b

Download Submit
memory/676-46-0x0000000003BC0000-0x0000000003BC1000-memory.dmp

Filesize
4KB

Download
memory/676-42-0x00000000005B0000-0x000000000065D000-memory.dmp

Filesize
692KB

Download
memory/676-74-0x0000000003BC0000-0x0000000003BC1000-memory.dmp

Filesize
4KB

Download
memory/676-71-0x0000000001D80000-0x0000000001E2A000-memory.dmp

Filesize
680KB

Download
memory/676-43-0x0000000001D80000-0x0000000001E2A000-memory.dmp

Filesize
680KB

Download
memory/1232-1-0x0000000000010000-0x0000000000077000-memory.dmp

Filesize
412KB

Download
memory/1232-13-0x0000000000010000-0x0000000000077000-memory.dmp

Filesize
412KB

Download
memory/1232-12-0x000000007FFF0000-0x0000000080FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2148-39-0x0000000000010000-0x0000000000077000-memory.dmp

Filesize
412KB

Download
memory/2148-38-0x000000007FFF0000-0x0000000080FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2848-73-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2952-18-0x0000000003DE0000-0x0000000003DE1000-memory.dmp

Filesize
4KB

Download
memory/2952-45-0x0000000001D80000-0x0000000001E2A000-memory.dmp

Filesize
680KB

Download
memory/2952-16-0x00000000005B0000-0x000000000065D000-memory.dmp

Filesize
692KB

Download
memory/2952-8-0x00000000005B0000-0x000000000065D000-memory.dmp

Filesize
692KB

Download
memory/2952-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2952-17-0x0000000001D80000-0x0000000001E2A000-memory.dmp

Filesize
680KB

Download
memory/2952-11-0x00000000005B0000-0x000000000065D000-memory.dmp

Filesize
692KB

Download
memory/2952-15-0x00000000005B0000-0x000000000065D000-memory.dmp

Filesize
692KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads