modiloader | 72683be5df459f9f67ee4cf9a670663166f0df7f72bb2bdf80ad459d52cc966e

General

Target

df0e10451d74d8b0f6dec9307b3af3e8_JaffaCakes118.exe
Size

98KB
MD5

df0e10451d74d8b0f6dec9307b3af3e8
SHA1

7b37e201b9d7393b17a4476bead0e63dd4bb76fd
SHA256

72683be5df459f9f67ee4cf9a670663166f0df7f72bb2bdf80ad459d52cc966e
SHA512

d188330aad45c043074ca92ab873708d09a776fad18b16ad6074ae8dd35434c3404aeee8fb2359fee5e2a9b44a79bae9c21b56552c023adc6105a9350c8cae8b
SSDEEP

3072:q3HnXCsf2Cp2GivcxwPnzEx6bfd7DmhqUxWs:CHnXTfv3gzEx6bVOzxF

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/3076-67-0x00000000005A0000-0x00000000005C4000-memory.dmp	modiloader_stage2
behavioral2/memory/3076-77-0x00000000005A0000-0x00000000005C4000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	df0e10451d74d8b0f6dec9307b3af3e8_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3076	server.exe
4828	xxx.exe

Loads dropped DLL 2 IoCs

pid	Process
3076	server.exe
3076	server.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\atmQQ2.dll	server.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\server.exe	df0e10451d74d8b0f6dec9307b3af3e8_JaffaCakes118.exe
File opened for modification	C:\Windows\server.exe	df0e10451d74d8b0f6dec9307b3af3e8_JaffaCakes118.exe
File created	C:\Windows\xxx.exe	df0e10451d74d8b0f6dec9307b3af3e8_JaffaCakes118.exe
File opened for modification	C:\Windows\xxx.exe	df0e10451d74d8b0f6dec9307b3af3e8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df0e10451d74d8b0f6dec9307b3af3e8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	df0e10451d74d8b0f6dec9307b3af3e8_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3076	server.exe
3076	server.exe
3076	server.exe
3076	server.exe
3076	server.exe
3076	server.exe
3076	server.exe
3076	server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3076	server.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 3076	1456	df0e10451d74d8b0f6dec9307b3af3e8_JaffaCakes118.exe	87
PID 1456 wrote to memory of 3076	1456	df0e10451d74d8b0f6dec9307b3af3e8_JaffaCakes118.exe	87
PID 1456 wrote to memory of 3076	1456	df0e10451d74d8b0f6dec9307b3af3e8_JaffaCakes118.exe	87
PID 1456 wrote to memory of 4828	1456	df0e10451d74d8b0f6dec9307b3af3e8_JaffaCakes118.exe	88
PID 1456 wrote to memory of 4828	1456	df0e10451d74d8b0f6dec9307b3af3e8_JaffaCakes118.exe	88
PID 1456 wrote to memory of 4828	1456	df0e10451d74d8b0f6dec9307b3af3e8_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\df0e10451d74d8b0f6dec9307b3af3e8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df0e10451d74d8b0f6dec9307b3af3e8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\server.exe
  "C:\Windows\server.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3076
- C:\Windows\xxx.exe
  "C:\Windows\xxx.exe"
  2⤵
  - Executes dropped EXE
  PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\MSInfo\atmQQ2.dll

Filesize
21KB

MD5
1d6f80e5d05076409fe5255cfbc56757

SHA1
62fea744b42c26c08d221c38322f131eaffae396

SHA256
ab18033ac1306fa7ca59ba0037666281c7a6bb0ebb9f5225d666776cac49fea0

SHA512
09e586f12b9459c548bec494c1f2fd1fa1b3329f4d8b1f0071aef51473c7032b463ff448fc8b8aa8625032e3cdfd897e1d55a50a986962c7d6e475f4ebecc2ce

Download Submit
C:\Windows\server.exe

Filesize
40KB

MD5
7c67cf44104eaf84cde156d293c7cdc4

SHA1
039f624f4715b49f4ff7ee8412a5d741e5693e92

SHA256
cedc20a15986f5cc6b47beccab4b189f04229690aba348119eadf7cef83ce8a9

SHA512
3223de47c6635674f7724f2e3ac4813ef0b4ea184584815e0a4eea9e19661727b8ea08ac2657ae5e525ef9e1f0da1ab4fa646d6d7b4f301863ef99b4caab2d08

Download Submit
C:\Windows\xxx.exe

Filesize
36KB

MD5
f39bd96ffb30e8b7768481befe09377c

SHA1
644f2bb43148e8f361a0703aff5db8b04fe051a9

SHA256
ddf9037243c7b07f6521eed1ba47b44d5dcc7e74ce3caa7ee5cea3f7963371bc

SHA512
0824ad22ffecb9701f7d47113ae2a83f2f57709f2ca8fd193326cbf9e36b62f07a6441c089fe92eb6f2f8fb6c8a773ccd5f3991ae0525abc97f6a04a692819c2

Download Submit
memory/1456-74-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3076-37-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3076-67-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/3076-36-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3076-75-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3076-76-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3076-77-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing