modiloader | 0ee7ba499d324fdda533c85a7bc8c1a47d0e352e2c4ee34c3908ae0aef7c0e7b

General

Target

df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe
Size

1.5MB
MD5

df0e91aa54b4db95c393ebe489c60c1c
SHA1

c1743673b32cfbd2debfb673908b92dc94a71720
SHA256

0ee7ba499d324fdda533c85a7bc8c1a47d0e352e2c4ee34c3908ae0aef7c0e7b
SHA512

1196e3e1cc84cee894ca21684e01838754ce08844aee9ad3d93c8318dad8ce1485751c9bb2cf3da5b1a2f3efbc76628976e5ba8d47456a820a4df0953e124197
SSDEEP

12288:2DEpUTy2uN7CdXfjJh2SXGXUIaJ1kR5aZmjwgJAaZmjwgJQgJnaZmjs:lbN7CdXfNh2+mUnwR5YNu

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/1284-21-0x0000000000400000-0x000000000058B000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2108	clean.exe
1012	ÈÑäÇãÌ ÒíÇÏÉ ÍÓÇÈ ÇáÓßÇíÈ.exe
4832	clean.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	clean.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	clean.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2108 set thread context of 4832	2108	clean.exe	88

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	clean.exe
File created	C:\Windows\assembly\Desktop.ini	clean.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	clean.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1892	4832	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clean.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ÈÑäÇãÌ ÒíÇÏÉ ÍÓÇÈ ÇáÓßÇíÈ.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	clean.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1012	ÈÑäÇãÌ ÒíÇÏÉ ÍÓÇÈ ÇáÓßÇíÈ.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4832	clean.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 2108	1284	df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe	85
PID 1284 wrote to memory of 2108	1284	df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe	85
PID 1284 wrote to memory of 2108	1284	df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe	85
PID 1284 wrote to memory of 1012	1284	df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe	86
PID 1284 wrote to memory of 1012	1284	df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe	86
PID 1284 wrote to memory of 1012	1284	df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe	86
PID 2108 wrote to memory of 4832	2108	clean.exe	88
PID 2108 wrote to memory of 4832	2108	clean.exe	88
PID 2108 wrote to memory of 4832	2108	clean.exe	88
PID 2108 wrote to memory of 4832	2108	clean.exe	88
PID 2108 wrote to memory of 4832	2108	clean.exe	88
PID 2108 wrote to memory of 4832	2108	clean.exe	88
PID 2108 wrote to memory of 4832	2108	clean.exe	88
PID 2108 wrote to memory of 4832	2108	clean.exe	88

C:\Users\Admin\AppData\Local\Temp\df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df0e91aa54b4db95c393ebe489c60c1c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\clean.exe
  "C:\Users\Admin\AppData\Local\Temp\clean.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\clean.exe
    C:\Users\Admin\AppData\Local\Temp\clean.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
    PID:4832
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 12
      4⤵
      Program crash
      PID:1892
- C:\Users\Admin\AppData\Local\Temp\ÈÑäÇãÌ ÒíÇÏÉ ÍÓÇÈ ÇáÓßÇíÈ.exe
  "C:\Users\Admin\AppData\Local\Temp\ÈÑäÇãÌ ÒíÇÏÉ ÍÓÇÈ ÇáÓßÇíÈ.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4832 -ip 4832
1⤵
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\clean.exe

Filesize
409KB

MD5
fd390e7de47ffa0e4115da779c877663

SHA1
c60660a2eb031e18d5bad8ea356ffbc1664c7c89

SHA256
bd418649672cc1b4cb9e0267cb60a91ad9bb4be2d6a3bbe6ad98a08111dcda9b

SHA512
99cdb78642a505a2e6c01dd25012f3b51c6cfc6801323bb118316e3d05ae8c858fcfec62813445d649fd573a6ba95bb89aa030d51554b97cc68ef975fb3fd515

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÈÑäÇãÌ ÒíÇÏÉ ÍÓÇÈ ÇáÓßÇíÈ.exe

Filesize
1.1MB

MD5
41969e613bd7b243d3f541a3008c4ad1

SHA1
c4dc824a3c7d7a8c05084bf8e33b4b8c5f0764b9

SHA256
85f5b4ae3320eeeed167646e4c9a81ed52ce418b4a16682f794296cd72783f82

SHA512
a3064a5acda2cee99088ff7a18d70d5be06e987a6f58db9b74f45f3b2eb67041d1d025b39aef74e670b352e8a5f8d905c19aed655df82862000ba543c1b17631

Download Submit
memory/1284-21-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/2108-24-0x0000000074002000-0x0000000074003000-memory.dmp

Filesize
4KB

Download
memory/2108-26-0x0000000074000000-0x00000000745B1000-memory.dmp

Filesize
5.7MB

Download
memory/2108-27-0x0000000074000000-0x00000000745B1000-memory.dmp

Filesize
5.7MB

Download
memory/2108-33-0x0000000074000000-0x00000000745B1000-memory.dmp

Filesize
5.7MB

Download
memory/4832-30-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing