modiloader | 3d49f0279742190a61053bb9fc6d05bc19b4d165f2f352f4d233a6017e3b5c6c

General

Target

d68e2fb0f8f92d2fb89efd57c93520fa_JaffaCakes118.exe
Size

3.0MB
MD5

d68e2fb0f8f92d2fb89efd57c93520fa
SHA1

ec93cd779659db975f20981cf4e6b9f1b4da1fa0
SHA256

3d49f0279742190a61053bb9fc6d05bc19b4d165f2f352f4d233a6017e3b5c6c
SHA512

210208242d3d336bc1d710363440fb1b767359d13132399086d1c98002f5f7f62ca4bf9a2094586eba5f0390e738466479391c1491693c8e0132d54f10163830
SSDEEP

49152:p/Lti8u67qHo3rRdegyrNBvOfGpsVLfQo6cEsWL2HNBXc4jcPloQE1hUGF7LE5Nb:DiwJRd2bAYsVLGzP2HX5AP6J3UG9u

Score

10^/10

modiloader discovery evasion trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/1516-32-0x0000000000400000-0x000000000070C000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	d68e2fb0f8f92d2fb89efd57c93520fa_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4756	FP_PL_PFS_INSTALLER.exe
2600	server.exe

Loads dropped DLL 2 IoCs

pid	Process
4756	FP_PL_PFS_INSTALLER.exe
4756	FP_PL_PFS_INSTALLER.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FP_PL_PFS_INSTALLER.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d68e2fb0f8f92d2fb89efd57c93520fa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FP_PL_PFS_INSTALLER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4756	FP_PL_PFS_INSTALLER.exe
4756	FP_PL_PFS_INSTALLER.exe
2600	server.exe
2600	server.exe
2600	server.exe
2600	server.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1516	d68e2fb0f8f92d2fb89efd57c93520fa_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1516	d68e2fb0f8f92d2fb89efd57c93520fa_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1516	d68e2fb0f8f92d2fb89efd57c93520fa_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1516	d68e2fb0f8f92d2fb89efd57c93520fa_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 4756	1516	d68e2fb0f8f92d2fb89efd57c93520fa_JaffaCakes118.exe	85
PID 1516 wrote to memory of 4756	1516	d68e2fb0f8f92d2fb89efd57c93520fa_JaffaCakes118.exe	85
PID 1516 wrote to memory of 4756	1516	d68e2fb0f8f92d2fb89efd57c93520fa_JaffaCakes118.exe	85
PID 1516 wrote to memory of 2600	1516	d68e2fb0f8f92d2fb89efd57c93520fa_JaffaCakes118.exe	86
PID 1516 wrote to memory of 2600	1516	d68e2fb0f8f92d2fb89efd57c93520fa_JaffaCakes118.exe	86
PID 1516 wrote to memory of 2600	1516	d68e2fb0f8f92d2fb89efd57c93520fa_JaffaCakes118.exe	86
PID 2600 wrote to memory of 3360	2600	server.exe	55
PID 2600 wrote to memory of 3360	2600	server.exe	55
PID 2600 wrote to memory of 3360	2600	server.exe	55
PID 2600 wrote to memory of 3360	2600	server.exe	55
PID 2600 wrote to memory of 3360	2600	server.exe	55
PID 2600 wrote to memory of 3360	2600	server.exe	55

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3360
- C:\Users\Admin\AppData\Local\Temp\d68e2fb0f8f92d2fb89efd57c93520fa_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d68e2fb0f8f92d2fb89efd57c93520fa_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\FP_PL_PFS_INSTALLER.exe
    "C:\Users\Admin\AppData\Local\Temp\FP_PL_PFS_INSTALLER.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4756
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CD62.tmp

Filesize
304KB

MD5
dc299b13e8f608358cf69fea25ad8b36

SHA1
35247e9647f74c3fc6c561c80f8f21f3a127b8f9

SHA256
62fe9a85528e037fb7c0345fca12280c51180d4086d242b1cda4797b5f47997d

SHA512
a7e3c7fc5786852e16ed0d0b922078f46cf387e7d7425b91bdb1fdfd36d61d712c440cbdac8ded5939d85b3ab5afd75bd00658f48c8b9230cb1020c784f0048d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD63.tmp

Filesize
226KB

MD5
5698b99b81d3692bf9fcdee5a07ea250

SHA1
295ee71b7e11f2d27511a8574036fd0d57e04f11

SHA256
8d8998fdb010a5f36176801acc8e90bdb6fa43634ee732f59753615173bafce3

SHA512
533e8ff49ba8f6ffb609fe7c5d9c8e4c55143609d7eb5f6b9fbc94ce0853bc8faf1d431aafb7bb5558edfcc4ce43fbae2c4fded7091dd66d61ecc86fabbb5e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\FP_PL_PFS_INSTALLER.exe

Filesize
2.4MB

MD5
3d288d30b4d0ad4c1620bc37a525e639

SHA1
d56b10b5d69a7daa867a3e698b6b727c2acc004c

SHA256
335ad3726260175fb5342a1772f48f24fb09d4444abfacf604e61a693dc619bd

SHA512
c705f9669a8a00396919943fbe7de0705d8e33cdf1a1b675776ad0dec0ac86b5deeca1ce25913cf15a6f90d2cb6e023b35a73af3b59d6acb6683e46e863184c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
28KB

MD5
6da20d2b0a1242063d991cdbc68e1284

SHA1
389a7a22c1ef61b4adba3b0db158d1927a0e85ec

SHA256
c15abfca3e91ae91e96008f52f0d0ac1f083513f1b73e3d95db3390b6e4bcc5b

SHA512
9286ce360697baaa0c22bfabc435c92ab4e62d18c7b6b52175ab187520ee50049b04ade4eca54fa03395e76f3ab5e1490150388b3610f490b7afd5852848b51a

Download Submit
memory/1516-0-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/1516-32-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/2600-33-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2600-34-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2600-41-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/3360-35-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/3360-37-0x000000007FFC0000-0x000000007FFC6000-memory.dmp

Filesize
24KB

Download
memory/4756-17-0x0000000000320000-0x0000000000595000-memory.dmp

Filesize
2.5MB

Download
memory/4756-42-0x0000000000320000-0x0000000000595000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads