modiloader | cf92cfd602320ff3b436085f513bf3e5ed9cabda7f3a9532f60e88660a547f20

General

Target

f250a56d62a76d9f243c670b72fd83f5_JaffaCakes118.exe
Size

232KB
MD5

f250a56d62a76d9f243c670b72fd83f5
SHA1

16436fb987d22183561124506f7095d4d3ce69c2
SHA256

cf92cfd602320ff3b436085f513bf3e5ed9cabda7f3a9532f60e88660a547f20
SHA512

8c3d5c17a659043a9f21b06a1572e2ee317b8c11a488cba1617c8766c62661d3663eed61d9c592af1a74d280baad4cb862d8b8f3a773c3de43fdc30f2edb4d8d
SSDEEP

6144:V7F5YVIM7MaJc6mWRHH+o1SiTTuiO++vyX:V707MIc67JHP1SsTue+

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/4740-22-0x0000000000400000-0x0000000000441000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	f250a56d62a76d9f243c670b72fd83f5_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2372	BaDBoYv4.2.exe
4744	cut.exe
4408	cut.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4744 set thread context of 4408	4744	cut.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cut.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f250a56d62a76d9f243c670b72fd83f5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BaDBoYv4.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cut.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4408	cut.exe
4408	cut.exe
4408	cut.exe
4408	cut.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 2372	4740	f250a56d62a76d9f243c670b72fd83f5_JaffaCakes118.exe	81
PID 4740 wrote to memory of 2372	4740	f250a56d62a76d9f243c670b72fd83f5_JaffaCakes118.exe	81
PID 4740 wrote to memory of 2372	4740	f250a56d62a76d9f243c670b72fd83f5_JaffaCakes118.exe	81
PID 4740 wrote to memory of 4744	4740	f250a56d62a76d9f243c670b72fd83f5_JaffaCakes118.exe	82
PID 4740 wrote to memory of 4744	4740	f250a56d62a76d9f243c670b72fd83f5_JaffaCakes118.exe	82
PID 4740 wrote to memory of 4744	4740	f250a56d62a76d9f243c670b72fd83f5_JaffaCakes118.exe	82
PID 4744 wrote to memory of 4408	4744	cut.exe	83
PID 4744 wrote to memory of 4408	4744	cut.exe	83
PID 4744 wrote to memory of 4408	4744	cut.exe	83
PID 4744 wrote to memory of 4408	4744	cut.exe	83
PID 4744 wrote to memory of 4408	4744	cut.exe	83
PID 4744 wrote to memory of 4408	4744	cut.exe	83
PID 4408 wrote to memory of 3376	4408	cut.exe	56
PID 4408 wrote to memory of 3376	4408	cut.exe	56
PID 4408 wrote to memory of 3376	4408	cut.exe	56
PID 4408 wrote to memory of 3376	4408	cut.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3376
- C:\Users\Admin\AppData\Local\Temp\f250a56d62a76d9f243c670b72fd83f5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f250a56d62a76d9f243c670b72fd83f5_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Users\Admin\AppData\Local\Temp\BaDBoYv4.2.exe
    "C:\Users\Admin\AppData\Local\Temp\BaDBoYv4.2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2372
- - C:\Users\Admin\AppData\Local\Temp\cut.exe
    "C:\Users\Admin\AppData\Local\Temp\cut.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Users\Admin\AppData\Local\Temp\cut.exe
      ¢C:\Users\Admin\AppData\Local\Temp\cut.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BaDBoYv4.2.exe

Filesize
156KB

MD5
d5ddb945188e6c86a65f28d76938d20e

SHA1
8c8dd29b9b8517eebe72d69a9964d1c2a10bcc44

SHA256
225d1612a84b60c93d8309824ca62cced3ad514265e26369d24ff4fd99f0e1fe

SHA512
db1fd83db80b3cf596fb9928407ec5eeeb912e63f04aa4068a1d014f8dc7192da5c3d6a315ecfa2ee2ccfe541faa91712bd7d2fd9120b8744780207fac35825d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cut.exe

Filesize
64KB

MD5
0b7e05b7df74505405bc108274246e82

SHA1
c2919ce8ab6b46349d7605a09677b2aff1859c6e

SHA256
346bb1ed97075ea5f4ed5e1ddc8332c05592b5a222178ad04d05b380eafc86d5

SHA512
f5ef64a6361a06420bab3bb39b4bf62df11a13a7d5424ced02875e4e561af7894b09e822a3f31b16c53e8df32748f0baec2edb05f70ce601ee97d7352be82d04

Download Submit
memory/3376-30-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3376-31-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/4408-23-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4408-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4408-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4408-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4740-22-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing