modiloader | 9f862cef754e726bc881e9dbbef31c22dd8c4355d0c9a9b30b03ef95a2a2d6b3

General

Target

d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe
Size

385KB
MD5

d16b5cb93349fdf2b2058059cdfe9490
SHA1

0bc44ed6a29d60535d0fe65fd0b4358869f872f5
SHA256

9f862cef754e726bc881e9dbbef31c22dd8c4355d0c9a9b30b03ef95a2a2d6b3
SHA512

0bf12034cbf7d388b637a5ff0d3450f813477e84e2605dce8bb741f0f821c402f9ae4d32efd283ce63f43c47d8c4d697d07cf20bd717e2237ac29e87706876a2
SSDEEP

12288:7axtmuVh7uAINQvlaGUo9fi4JEXyMeKiQrhxb1v4:79lNQvlNUo84iXyMeJAxb1A

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe ZReload.scr"	csrss.exe

ModiLoader Second Stage 10 IoCs

resource	yara_rule
behavioral2/memory/5052-0-0x0000000000010000-0x0000000000077000-memory.dmp	modiloader_stage2
behavioral2/files/0x000900000002345c-4.dat	modiloader_stage2
behavioral2/memory/5016-14-0x0000000002150000-0x00000000021FA000-memory.dmp	modiloader_stage2
behavioral2/memory/5052-13-0x0000000000010000-0x0000000000077000-memory.dmp	modiloader_stage2
behavioral2/files/0x000700000002346e-18.dat	modiloader_stage2
behavioral2/memory/5016-36-0x0000000002150000-0x00000000021FA000-memory.dmp	modiloader_stage2
behavioral2/memory/4960-38-0x00000000005B0000-0x000000000065D000-memory.dmp	modiloader_stage2
behavioral2/memory/2100-37-0x0000000000010000-0x0000000000077000-memory.dmp	modiloader_stage2
behavioral2/memory/4960-39-0x0000000000730000-0x00000000007DA000-memory.dmp	modiloader_stage2
behavioral2/memory/4960-60-0x0000000000730000-0x00000000007DA000-memory.dmp	modiloader_stage2

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\services.exe	csrss.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2100	csrss.exe
4960	csrss.exe
1704	services.exe

Loads dropped DLL 4 IoCs

pid	Process
5052	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe
5052	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe
2100	csrss.exe
2100	csrss.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Zreload.scr	csrss.exe
File created	C:\Windows\SysWOW64\rlog.dllx	csrss.exe
File opened for modification	C:\Windows\SysWOW64\ZReload.scr	csrss.exe
File created	C:\Windows\SysWOW64\ZReload.scrx	csrss.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5052 set thread context of 5016	5052	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	83
PID 2100 set thread context of 4960	2100	csrss.exe	90

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\csrss.exe	cmd.exe
File opened for modification	C:\Windows\csrss.exe	cmd.exe
File opened for modification	C:\Windows\csrss.exe	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1704	services.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 5016	5052	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	83
PID 5052 wrote to memory of 5016	5052	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	83
PID 5052 wrote to memory of 5016	5052	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	83
PID 5052 wrote to memory of 5016	5052	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	83
PID 5052 wrote to memory of 5016	5052	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	83
PID 5016 wrote to memory of 2956	5016	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	84
PID 5016 wrote to memory of 2956	5016	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	84
PID 5016 wrote to memory of 2956	5016	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	84
PID 5016 wrote to memory of 2100	5016	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	89
PID 5016 wrote to memory of 2100	5016	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	89
PID 5016 wrote to memory of 2100	5016	d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe	89
PID 2100 wrote to memory of 4960	2100	csrss.exe	90
PID 2100 wrote to memory of 4960	2100	csrss.exe	90
PID 2100 wrote to memory of 4960	2100	csrss.exe	90
PID 2100 wrote to memory of 4960	2100	csrss.exe	90
PID 2100 wrote to memory of 4960	2100	csrss.exe	90
PID 4960 wrote to memory of 1704	4960	csrss.exe	91
PID 4960 wrote to memory of 1704	4960	csrss.exe	91
PID 4960 wrote to memory of 1704	4960	csrss.exe	91

C:\Users\Admin\AppData\Local\Temp\d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Users\Admin\AppData\Local\Temp\d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy "C:\Users\Admin\AppData\Local\Temp\d16b5cb93349fdf2b2058059cdfe9490_JaffaCakes118.exe" "C:\Windows\csrss.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2956
- - C:\Windows\csrss.exe
    "C:\Windows\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\csrss.exe
      C:\Windows\csrss.exe
      4⤵
      Modifies WinLogon for persistence
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\Windows\SysWOW64\drivers\services.exe
        
        C:\Windows\system32\drivers\services.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kacir.bin

Filesize
10KB

MD5
ddb56c87d10647289236f9fe752d80cd

SHA1
e698b332a1a05bab72eb9f8f25d7e98314ae0124

SHA256
bd2e3f399610c873da9bc27204024524f481b10a22947193f6558246f05fae15

SHA512
c97e78ca6562a285270966b4af35e5103b8b9005a9c0b7c741cb58b941ab18ce2a6894c06087c0e7e0adae0a36113609583dbdc99a803dba0c63fbe3a768998c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kacir.dll

Filesize
19KB

MD5
dda37de6068ad16771e3a6464bb8778b

SHA1
903317703bfcd07e9bea7246920de98916017e08

SHA256
e5fa2290f69a152c53dec772142ddb3d4c04cb2ee25ad05b0ec97ab202361f11

SHA512
1d38ba967b34c6d48b8048bf282484bc6c8d6f3644a127a8102d3edbcf5dd854744da7e8f15b10b93b6124db634a7c891c1c175fca8a7b2e6810fc204132ea05

Download Submit
C:\Windows\SysWOW64\Zreload.scr

Filesize
14KB

MD5
6abb069dc49bd126d961a5f6a86f6476

SHA1
ed739f57de5865f50e2d45c6ff561a7dac1d9aba

SHA256
5b8472a155319b7efb5c1014ac2e496a5d8d1983cf03c01109e5f9fc84856d11

SHA512
eb655772d493654a15a4ac43b5d26d4e17b934e720f0ea434177bf5cb3c4432ce3d0d4e5813b5da7925cedde729305bc4d8cb263ee20e618dc389dbd4bb0a246

Download Submit
C:\Windows\SysWOW64\drivers\services.exe

Filesize
17KB

MD5
0a1fddec35b3b40756a26c044e22dbe1

SHA1
017d4e673666088307951a7cdc7bce85a351faaf

SHA256
a8da23fe337876557631d6122ae1ea0ab4fb1fd02f2c2b2c18317b53cd0c81b7

SHA512
7a3c30fa5cf5ea19774c094c54627a18beb7f21570710808d1c10e43aebcca654c13192617d027a264807fa4171cb2f52204642fd1be841a15d231bf75cf074b

Download Submit
C:\Windows\csrss.exe

Filesize
385KB

MD5
d16b5cb93349fdf2b2058059cdfe9490

SHA1
0bc44ed6a29d60535d0fe65fd0b4358869f872f5

SHA256
9f862cef754e726bc881e9dbbef31c22dd8c4355d0c9a9b30b03ef95a2a2d6b3

SHA512
0bf12034cbf7d388b637a5ff0d3450f813477e84e2605dce8bb741f0f821c402f9ae4d32efd283ce63f43c47d8c4d697d07cf20bd717e2237ac29e87706876a2

Download Submit
memory/1704-62-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2100-37-0x0000000000010000-0x0000000000077000-memory.dmp

Filesize
412KB

Download
memory/4960-63-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/4960-60-0x0000000000730000-0x00000000007DA000-memory.dmp

Filesize
680KB

Download
memory/4960-44-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/4960-39-0x0000000000730000-0x00000000007DA000-memory.dmp

Filesize
680KB

Download
memory/4960-38-0x00000000005B0000-0x000000000065D000-memory.dmp

Filesize
692KB

Download
memory/5016-36-0x0000000002150000-0x00000000021FA000-memory.dmp

Filesize
680KB

Download
memory/5016-33-0x00000000005B0000-0x000000000065D000-memory.dmp

Filesize
692KB

Download
memory/5016-11-0x00000000005B0000-0x000000000065D000-memory.dmp

Filesize
692KB

Download
memory/5016-12-0x00000000005B0000-0x000000000065D000-memory.dmp

Filesize
692KB

Download
memory/5016-14-0x0000000002150000-0x00000000021FA000-memory.dmp

Filesize
680KB

Download
memory/5016-15-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/5016-9-0x00000000005B0000-0x000000000065D000-memory.dmp

Filesize
692KB

Download
memory/5052-0-0x0000000000010000-0x0000000000077000-memory.dmp

Filesize
412KB

Download
memory/5052-13-0x0000000000010000-0x0000000000077000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads