modiloader | fd8c7023c782ef9543a59a9562d2c5c0afc88e02421a9f5a758fd6449a4c28dd

General

Target

e49c6000102b0ac46d175ffa026cc790_JaffaCakes118.exe
Size

85KB
MD5

e49c6000102b0ac46d175ffa026cc790
SHA1

38a6ee53afa2744b78ad8d3331bbb6e597954547
SHA256

fd8c7023c782ef9543a59a9562d2c5c0afc88e02421a9f5a758fd6449a4c28dd
SHA512

a0110ff2d4d1adecc7353e2d0c22446399762c3f76468f80958c78acbab0f2e31047a8156f7c0d03748a0b41897a3338b915d21ca782891d4d088d2cb8f9f2c9
SSDEEP

1536:sqqu7R0GQ5d4ZytlyH/Kp9k7b4IVB0BByJtXZMa2cNfo4KoOI:f0d4EOivoZruByJtXOa2gr

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral2/memory/5072-27-0x0000000000580000-0x0000000000593000-memory.dmp	modiloader_stage2
behavioral2/files/0x00070000000234e3-26.dat	modiloader_stage2
behavioral2/memory/5072-31-0x0000000000400000-0x000000000042A000-memory.dmp	modiloader_stage2
behavioral2/memory/5072-32-0x0000000000580000-0x0000000000593000-memory.dmp	modiloader_stage2
behavioral2/memory/5072-42-0x0000000000580000-0x0000000000593000-memory.dmp	modiloader_stage2

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\Beep.sys	e49c6000102b0ac46d175ffa026cc790_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Beep.sys	e49c6000102b0ac46d175ffa026cc790_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	e49c6000102b0ac46d175ffa026cc790_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
5072	ÅÜÅÜ¿¨¶¡³µ¼¯ÆøÐ¡¹¤¾ß.exe
4756	csol.exe

Loads dropped DLL 2 IoCs

pid	Process
5072	ÅÜÅÜ¿¨¶¡³µ¼¯ÆøÐ¡¹¤¾ß.exe
5072	ÅÜÅÜ¿¨¶¡³µ¼¯ÆøÐ¡¹¤¾ß.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.dll	ÅÜÅÜ¿¨¶¡³µ¼¯ÆøÐ¡¹¤¾ß.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2200	4756	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e49c6000102b0ac46d175ffa026cc790_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ÅÜÅÜ¿¨¶¡³µ¼¯ÆøÐ¡¹¤¾ß.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csol.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5072	ÅÜÅÜ¿¨¶¡³µ¼¯ÆøÐ¡¹¤¾ß.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 5072	1548	e49c6000102b0ac46d175ffa026cc790_JaffaCakes118.exe	82
PID 1548 wrote to memory of 5072	1548	e49c6000102b0ac46d175ffa026cc790_JaffaCakes118.exe	82
PID 1548 wrote to memory of 5072	1548	e49c6000102b0ac46d175ffa026cc790_JaffaCakes118.exe	82
PID 1548 wrote to memory of 4756	1548	e49c6000102b0ac46d175ffa026cc790_JaffaCakes118.exe	83
PID 1548 wrote to memory of 4756	1548	e49c6000102b0ac46d175ffa026cc790_JaffaCakes118.exe	83
PID 1548 wrote to memory of 4756	1548	e49c6000102b0ac46d175ffa026cc790_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\e49c6000102b0ac46d175ffa026cc790_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e49c6000102b0ac46d175ffa026cc790_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Users\Admin\AppData\Local\Temp\ÅÜÅÜ¿¨¶¡³µ¼¯ÆøÐ¡¹¤¾ß.exe
  "C:\Users\Admin\AppData\Local\Temp\ÅÜÅÜ¿¨¶¡³µ¼¯ÆøÐ¡¹¤¾ß.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5072
- C:\Users\Admin\AppData\Local\Temp\csol.exe
  "C:\Users\Admin\AppData\Local\Temp\csol.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 228
    3⤵
    - Program crash
    PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 4756 -ip 4756
1⤵
PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\MSInfo\SysInfo.dll

Filesize
57KB

MD5
9de9a9c8f0d23036322a52ae48f7dd9a

SHA1
68e09169b60ef65b2742900f716f5d2941d827ce

SHA256
9ddf0e209197699fe001cad217d0da14fa629b2c196d30bdb91cbf808ceabd1d

SHA512
7735dc24003cff4102c182063ef4e4c7ab8afffa9eebb06af55b1503e533cf7b1a01e63e19963ae6f9084d6927a4d0ed84f0bb5d6d71a1b43010d37ba18fadd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\csol.exe

Filesize
20KB

MD5
30f4acd300eabc29d24bef6b532216a6

SHA1
93f42f54949eb2dc6870f4edea86144d45e9ad78

SHA256
d230e71da3e6231ee2f050d501f466353790882a6c4338e93b839ac0e4a4cfa0

SHA512
d5456bae3911a5d9dbc8c56f196d72284c340fe41013c480fe24ba6eb06ffc0745367499bb1d2aa18eb880176ce411b0e39c2b5f35928d48176a830bbf18e140

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÅÜÅÜ¿¨¶¡³µ¼¯ÆøÐ¡¹¤¾ß.exe

Filesize
29KB

MD5
a5014d677eebb5511fe416ceaee1cf91

SHA1
62344e63ec8a147920537152bf2c180e0001ccf6

SHA256
2e71096b2518792c626c8e3771b9e0d642064901dc170a6b5ece717c2ac92892

SHA512
d6b04e5fe95250e5286f5f5b5cc6a90aaa1ec46a26d5a92fdf9b1b505b14293b815ad1e24295a315afff063d2ed0d9e6c17e3808eca90f6d363e295ad1e0170a

Download Submit
memory/1548-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4756-22-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4756-30-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/5072-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5072-27-0x0000000000580000-0x0000000000593000-memory.dmp

Filesize
76KB

Download
memory/5072-31-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5072-32-0x0000000000580000-0x0000000000593000-memory.dmp

Filesize
76KB

Download
memory/5072-42-0x0000000000580000-0x0000000000593000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing