modiloader | 7b9f238467b4dcbaf60557068a8619c85866b5d835ec9a5a41e0d0f92fafb089

General

Target

e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe
Size

966KB
MD5

e135841a19710afe8fc153ed636e2d01
SHA1

a8f7a622ff176e8089ea7017d6c88ca7a0b8d1fb
SHA256

7b9f238467b4dcbaf60557068a8619c85866b5d835ec9a5a41e0d0f92fafb089
SHA512

2a9586da69b0d5b6d34ba8805c1e65ac4deed9ee622655d751e72d5dee49e142baab5e760d5ea35a1226aec9c235f1128f9336660c6f4f16df4a987972e70e90
SSDEEP

12288:iZQ9MEgfyJJhZfkD5JFZvgxJIvCTSmGul+hRkb2NdLk04pLdDj1ay3F:iZQqEoYJf2Jv4PSmdl+vL6G6F

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/4716-25-0x0000000000400000-0x00000000004F9000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
1200	zoka.exe
3692	HarrysFilters40.exe
1224	HarrysFilters40.tmp
3156	tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zoka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HarrysFilters40.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HarrysFilters40.tmp

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3156	tmp.exe
3156	tmp.exe
3156	tmp.exe
3156	tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1200	zoka.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 1200	4716	e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe	92
PID 4716 wrote to memory of 1200	4716	e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe	92
PID 4716 wrote to memory of 1200	4716	e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe	92
PID 4716 wrote to memory of 3692	4716	e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe	93
PID 4716 wrote to memory of 3692	4716	e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe	93
PID 4716 wrote to memory of 3692	4716	e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe	93
PID 3692 wrote to memory of 1224	3692	HarrysFilters40.exe	94
PID 3692 wrote to memory of 1224	3692	HarrysFilters40.exe	94
PID 3692 wrote to memory of 1224	3692	HarrysFilters40.exe	94
PID 1200 wrote to memory of 3156	1200	zoka.exe	95
PID 1200 wrote to memory of 3156	1200	zoka.exe	95
PID 1200 wrote to memory of 3156	1200	zoka.exe	95
PID 3156 wrote to memory of 3492	3156	tmp.exe	56
PID 3156 wrote to memory of 3492	3156	tmp.exe	56
PID 3156 wrote to memory of 3492	3156	tmp.exe	56
PID 3156 wrote to memory of 3492	3156	tmp.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3492
- C:\Users\Admin\AppData\Local\Temp\e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e135841a19710afe8fc153ed636e2d01_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Users\Admin\AppData\Local\Temp\zoka.exe
    "C:\Users\Admin\AppData\Local\Temp\zoka.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Users\Admin\AppData\Local\Temp\tmp.exe
      C:\Users\Admin\AppData\Local\Temp\tmp.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3156
- - C:\Users\Admin\AppData\Local\Temp\HarrysFilters40.exe
    "C:\Users\Admin\AppData\Local\Temp\HarrysFilters40.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Users\Admin\AppData\Local\Temp\is-URHMR.tmp\HarrysFilters40.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-URHMR.tmp\HarrysFilters40.tmp" /SL5="$90116,485556,54272,C:\Users\Admin\AppData\Local\Temp\HarrysFilters40.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4020,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:8
1⤵
PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HarrysFilters40.exe

Filesize
841KB

MD5
13afb37ab12199a98333cfd750d03626

SHA1
fabb38e4ca7d285e332c52c6d66697c967d82830

SHA256
5964a6f9165a9104891b6c943f8de76d142e24c7a70ee67b89d8abe92ed3c30c

SHA512
0964978ce5f6c4d98fff5781a702714ed3e4c3f5993ac956a2569a01eb269db2107a27d90f4667efcc61f6104f58532bf45b12b8889321757a4d2cd1cd2d8660

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-URHMR.tmp\HarrysFilters40.tmp

Filesize
696KB

MD5
8aa8c628f7b7b7f3e96eff00557bd0bf

SHA1
9af9cf61707cbba7bf0d7cbed94e8db91aff8bd6

SHA256
14d4fa3ea6c3fbf6e9d284de717e73a1ebb5e77f3d5c8c98808e40ade359ea9d

SHA512
5e0a4765873684fce159af81310e37b6918c923ccede0c4de0bd1e2e221425109131830cff02e3f910f15b0401ee3b4ae68700b6d29a5e8466f6d4ee1dcd6eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
31KB

MD5
d811471dfbcc6b9764e0f8c31d87c5b3

SHA1
6cc5e219193149b1260a2fc7af25f670d9f65aff

SHA256
95974775c340267e20b692e87fe16b4360d5a6e6fb1094d375a6f0f430e1cc67

SHA512
ae3990f0cadf3eb3e12ad694c2fe6c8c9352f55d5a0efd38b5fe2855b5dab81b7edbc29e2cbb195939c3e99aaf015e9331f73f5861c3c74eaccfd78094000aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoka.exe

Filesize
112KB

MD5
a675138bbf24712bf92e2c35aed18727

SHA1
5313ba03c0ecbc9507719e13bc504f5dea0246b1

SHA256
73d7ac786c5594f3d90ecd34970c2210606efe48edeeaa2fa10edd67e95e6069

SHA512
e81aee548b84546672ec879d526c94ed02d2af194f76ff564e13f1d54fc755525a8fc4f3459d1df6aba47145805e89224ed0495a6919c16184fb3aa394f1299d

Download Submit
memory/1200-11-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-52-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1224-33-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3156-41-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/3156-39-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/3492-43-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/3492-42-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3692-28-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3692-26-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3692-53-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4716-25-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download

Analysis

Sharing