modiloader | d6ac8915bd833f8f58989a300b4707e1f4a1d15953f05e9081e12da57dd98642

General

Target

e689cbd5b6decdbdd116535028dfb14e_JaffaCakes118.exe
Size

700KB
MD5

e689cbd5b6decdbdd116535028dfb14e
SHA1

1537b6acc219492730eb4dcd29ff724704a7513e
SHA256

d6ac8915bd833f8f58989a300b4707e1f4a1d15953f05e9081e12da57dd98642
SHA512

c13a9f7f7e4dca35856f6f29282b59b077210618aae71c156a48c463bc560c2bfe653a4ca709b453259decb1824690a6a07e99449198bfa6be64e8b1eadc0e78
SSDEEP

12288:4rmRu5u2ev63GCTSp3axiLFcF4Px8TYl99HK1qxbhk8bPOIG:4rm851eS270ih64p8TYl9UahksPOIG

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe ZReload.scr"	csrss.exe

ModiLoader Second Stage 24 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234e7-11.dat	modiloader_stage2
behavioral2/memory/4384-18-0x0000000013140000-0x00000000131EE000-memory.dmp	modiloader_stage2
behavioral2/memory/764-17-0x0000000000400000-0x00000000004B6000-memory.dmp	modiloader_stage2
behavioral2/memory/4384-25-0x0000000013140000-0x00000000131EE000-memory.dmp	modiloader_stage2
behavioral2/files/0x00080000000234e7-31.dat	modiloader_stage2
behavioral2/files/0x00090000000234e4-39.dat	modiloader_stage2
behavioral2/files/0x00070000000234eb-53.dat	modiloader_stage2
behavioral2/memory/2648-61-0x0000000013140000-0x00000000131EE000-memory.dmp	modiloader_stage2
behavioral2/memory/2648-64-0x0000000013140000-0x00000000131EE000-memory.dmp	modiloader_stage2
behavioral2/memory/2648-66-0x00000000042F0000-0x00000000042F9000-memory.dmp	modiloader_stage2
behavioral2/memory/2648-65-0x00000000023F0000-0x00000000023FA000-memory.dmp	modiloader_stage2
behavioral2/memory/2648-88-0x0000000013140000-0x00000000131EE000-memory.dmp	modiloader_stage2
behavioral2/memory/2648-113-0x0000000013140000-0x00000000131EE000-memory.dmp	modiloader_stage2
behavioral2/memory/2648-136-0x0000000013140000-0x00000000131EE000-memory.dmp	modiloader_stage2
behavioral2/memory/2648-159-0x0000000013140000-0x00000000131EE000-memory.dmp	modiloader_stage2
behavioral2/memory/2648-182-0x0000000013140000-0x00000000131EE000-memory.dmp	modiloader_stage2
behavioral2/memory/2648-205-0x0000000013140000-0x00000000131EE000-memory.dmp	modiloader_stage2
behavioral2/memory/2648-228-0x0000000013140000-0x00000000131EE000-memory.dmp	modiloader_stage2
behavioral2/memory/2648-251-0x0000000013140000-0x00000000131EE000-memory.dmp	modiloader_stage2
behavioral2/memory/2648-274-0x0000000013140000-0x00000000131EE000-memory.dmp	modiloader_stage2
behavioral2/memory/2648-297-0x0000000013140000-0x00000000131EE000-memory.dmp	modiloader_stage2
behavioral2/memory/2648-318-0x0000000013140000-0x00000000131EE000-memory.dmp	modiloader_stage2
behavioral2/memory/2648-341-0x0000000013140000-0x00000000131EE000-memory.dmp	modiloader_stage2
behavioral2/memory/2648-364-0x0000000013140000-0x00000000131EE000-memory.dmp	modiloader_stage2

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\slogs.sys	csrss.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	e689cbd5b6decdbdd116535028dfb14e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	SERVER.EXE

Executes dropped EXE 3 IoCs

pid	Process
3580	MULTI.EXE
4384	SERVER.EXE
2648	csrss.exe

Loads dropped DLL 4 IoCs

pid	Process
2648	csrss.exe
2648	csrss.exe
2648	csrss.exe
2648	csrss.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fhide.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\ZReload.scr	csrss.exe
File opened for modification	C:\Windows\SysWOW64\Fhide.dll	csrss.exe
File created	C:\Windows\SysWOW64\ZReload.scrx	csrss.exe
File created	C:\Windows\SysWOW64\Zreload.scr	csrss.exe
File created	C:\Windows\SysWOW64\rlog.dllx	csrss.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\csrss.exe	cmd.exe
File opened for modification	C:\Windows\csrss.exe	csrss.exe
File created	C:\Windows\csrss.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e689cbd5b6decdbdd116535028dfb14e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2648	csrss.exe
2648	csrss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 3580	764	e689cbd5b6decdbdd116535028dfb14e_JaffaCakes118.exe	82
PID 764 wrote to memory of 3580	764	e689cbd5b6decdbdd116535028dfb14e_JaffaCakes118.exe	82
PID 764 wrote to memory of 3580	764	e689cbd5b6decdbdd116535028dfb14e_JaffaCakes118.exe	82
PID 764 wrote to memory of 4384	764	e689cbd5b6decdbdd116535028dfb14e_JaffaCakes118.exe	83
PID 764 wrote to memory of 4384	764	e689cbd5b6decdbdd116535028dfb14e_JaffaCakes118.exe	83
PID 764 wrote to memory of 4384	764	e689cbd5b6decdbdd116535028dfb14e_JaffaCakes118.exe	83
PID 4384 wrote to memory of 428	4384	SERVER.EXE	84
PID 4384 wrote to memory of 428	4384	SERVER.EXE	84
PID 4384 wrote to memory of 428	4384	SERVER.EXE	84
PID 4384 wrote to memory of 2648	4384	SERVER.EXE	86
PID 4384 wrote to memory of 2648	4384	SERVER.EXE	86
PID 4384 wrote to memory of 2648	4384	SERVER.EXE	86

C:\Users\Admin\AppData\Local\Temp\e689cbd5b6decdbdd116535028dfb14e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e689cbd5b6decdbdd116535028dfb14e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:764
- C:\Users\Admin\AppData\Local\Temp\MULTI.EXE
  "C:\Users\Admin\AppData\Local\Temp\MULTI.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3580
- C:\Users\Admin\AppData\Local\Temp\SERVER.EXE
  "C:\Users\Admin\AppData\Local\Temp\SERVER.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy "C:\Users\Admin\AppData\Local\Temp\SERVER.EXE" "C:\Windows\csrss.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:428
- - C:\Windows\csrss.exe
    "C:\Windows\csrss.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MULTI.EXE

Filesize
14KB

MD5
0bf4c33f6a431e39644f7ef099c55eb4

SHA1
e9d064c45c58b6cab7d144f703d3a867fe47f16c

SHA256
37e077e369dfcb6056d7d3d66cea64c0658550035eb8d9b99291366d0e9008ff

SHA512
3f196a97d09f325ae8c579c13b9512d895bca432420a220c15f7061bb3abae2c47de03b806e03f894923730bc10646395134834aee2b727e11e6bc706905c630

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVER.EXE

Filesize
667KB

MD5
f3c1ad6bd4f49823aec1cd4a90bbb8a9

SHA1
ea515807b9f0c1db332001ac81fd904691c63777

SHA256
0697402669de1d69b4458d4afe29ea932f1380305e3720fc182ac52fc632a913

SHA512
ea4d5673e8e72167cd87a8337c731495d9dc11eeeb5cefb9f724234ad8be0e8e4c62a2cfe8fe4cb07580a4827a075aee40b5c1920d8b3a509a06de2fa82d489f

Download Submit
C:\Windows\SysWOW64\Fhide.dll

Filesize
15KB

MD5
ed7838fe286979e4d8444a8741fce92f

SHA1
e231bea3093a4b01d23b7a5150b60595e71a4ffc

SHA256
1fdb0e12d7202dadba4c08687ecb7bf5ddf324dd673d04293c7963b2264291b0

SHA512
ed35df305fb4d56968aa42844ce7d88ba74c6c92f18f594b9c2bd3f664fcdce182be5bb899d38a5fd03c9efa6c21f32297ed4cda7d18ec722dbdc849fd8213f2

Download Submit
C:\Windows\SysWOW64\Zreload.scr

Filesize
18KB

MD5
8cfb6b02ab6a839656eae2d2af218d39

SHA1
6f95718d8575871255dde12a801ec9638945f84e

SHA256
794a54e567f644324ee897e7dfd6efe003e21741377ba4d2c57bd4e8afc1b866

SHA512
cbfc0068a8f22540bb20f1fc9bd300019dc65b295edbe92bc93c9f9641c8f8e99e047dc0e5e28acb3a82b9ef093fe729f3a97d8fe3d24e63792336af068edd04

Download Submit
C:\Windows\SysWOW64\drivers\slogs.sys

Filesize
20KB

MD5
12280391c6e096f9e204ccce3d8f711b

SHA1
e4c1afeacbbb743f826377a3e59b6fa698093197

SHA256
9ae3003a3292288c6d174f82279fb32985a83d21c2fee679a70a20b61e26ef52

SHA512
97940705da06007d54dc6d293d766cbd2a27bde7a2675695d0c1be6d3944ab10398c25dca190142f5826d67594ef0dec2553d27f7847b79e7d18e34b2161f9fe

Download Submit
memory/764-17-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2648-65-0x00000000023F0000-0x00000000023FA000-memory.dmp

Filesize
40KB

Download
memory/2648-113-0x0000000013140000-0x00000000131EE000-memory.dmp

Filesize
696KB

Download
memory/2648-364-0x0000000013140000-0x00000000131EE000-memory.dmp

Filesize
696KB

Download
memory/2648-341-0x0000000013140000-0x00000000131EE000-memory.dmp

Filesize
696KB

Download
memory/2648-318-0x0000000013140000-0x00000000131EE000-memory.dmp

Filesize
696KB

Download
memory/2648-61-0x0000000013140000-0x00000000131EE000-memory.dmp

Filesize
696KB

Download
memory/2648-64-0x0000000013140000-0x00000000131EE000-memory.dmp

Filesize
696KB

Download
memory/2648-66-0x00000000042F0000-0x00000000042F9000-memory.dmp

Filesize
36KB

Download
memory/2648-297-0x0000000013140000-0x00000000131EE000-memory.dmp

Filesize
696KB

Download
memory/2648-67-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/2648-88-0x0000000013140000-0x00000000131EE000-memory.dmp

Filesize
696KB

Download
memory/2648-26-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/2648-136-0x0000000013140000-0x00000000131EE000-memory.dmp

Filesize
696KB

Download
memory/2648-159-0x0000000013140000-0x00000000131EE000-memory.dmp

Filesize
696KB

Download
memory/2648-182-0x0000000013140000-0x00000000131EE000-memory.dmp

Filesize
696KB

Download
memory/2648-205-0x0000000013140000-0x00000000131EE000-memory.dmp

Filesize
696KB

Download
memory/2648-228-0x0000000013140000-0x00000000131EE000-memory.dmp

Filesize
696KB

Download
memory/2648-251-0x0000000013140000-0x00000000131EE000-memory.dmp

Filesize
696KB

Download
memory/2648-274-0x0000000013140000-0x00000000131EE000-memory.dmp

Filesize
696KB

Download
memory/3580-15-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4384-18-0x0000000013140000-0x00000000131EE000-memory.dmp

Filesize
696KB

Download
memory/4384-19-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/4384-25-0x0000000013140000-0x00000000131EE000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads