modiloader | 9698257a594c71c1595e62907bb164d407cc61acead6745d7d431be36884df9f

General

Target

f3e9cbc604cfc56d378aed288730a01d_JaffaCakes118.exe
Size

190KB
MD5

f3e9cbc604cfc56d378aed288730a01d
SHA1

84ed0621b0c1b29e951f0fcfaa13b50aa949edfb
SHA256

9698257a594c71c1595e62907bb164d407cc61acead6745d7d431be36884df9f
SHA512

c9a66b6691fe4c3595df31611c759a5afc71dc1640062a5fa309fb901b2b7f20d23e0d29b8dad66cee91d33f60357a557c362c0061290bba1b10f8140bb500b2
SSDEEP

3072:ykT5Bh4vGbkqYb17WpK7zFf2ef53q0xb4zquORfKQPzE9mHst2:ltIKYb17ztE0KOfKQCmHst

Score

10^/10

modiloader collection discovery trojan

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
username
Password:
password

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234dc-5.dat	modiloader_stage2
behavioral2/memory/4224-41-0x0000000000400000-0x0000000000436000-memory.dmp	modiloader_stage2
behavioral2/files/0x00080000000234d9-51.dat	modiloader_stage2
behavioral2/memory/4344-57-0x0000000018000000-0x000000001801A000-memory.dmp	modiloader_stage2
behavioral2/memory/3736-64-0x0000000000400000-0x0000000000436000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	ldanw32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	f3e9cbc604cfc56d378aed288730a01d_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
3736	ldanw32.exe
4344	winprx.exe
1060	winprx.exe

Loads dropped DLL 2 IoCs

pid	Process
3736	ldanw32.exe
3736	ldanw32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	winprx.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4344 set thread context of 1060	4344	winprx.exe	86

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dnertex32.dll	ldanw32.exe
File created	C:\Windows\mwin.dll	f3e9cbc604cfc56d378aed288730a01d_JaffaCakes118.exe
File created	C:\Windows\ldanw32.exe	f3e9cbc604cfc56d378aed288730a01d_JaffaCakes118.exe
File opened for modification	C:\Windows\ldanw32.exe	f3e9cbc604cfc56d378aed288730a01d_JaffaCakes118.exe
File opened for modification	C:\Windows\mwin.dll	ldanw32.exe
File created	C:\Windows\winprx.exe	ldanw32.exe
File created	C:\Windows\servs.dll	winprx.exe
File created	C:\Windows\dnertex32.dll	ldanw32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3e9cbc604cfc56d378aed288730a01d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ldanw32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winprx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winprx.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f3e9cbc604cfc56d378aed288730a01d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4224	f3e9cbc604cfc56d378aed288730a01d_JaffaCakes118.exe
4224	f3e9cbc604cfc56d378aed288730a01d_JaffaCakes118.exe
4224	f3e9cbc604cfc56d378aed288730a01d_JaffaCakes118.exe
4224	f3e9cbc604cfc56d378aed288730a01d_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4224	f3e9cbc604cfc56d378aed288730a01d_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3736	ldanw32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 3736	4224	f3e9cbc604cfc56d378aed288730a01d_JaffaCakes118.exe	84
PID 4224 wrote to memory of 3736	4224	f3e9cbc604cfc56d378aed288730a01d_JaffaCakes118.exe	84
PID 4224 wrote to memory of 3736	4224	f3e9cbc604cfc56d378aed288730a01d_JaffaCakes118.exe	84
PID 3736 wrote to memory of 4344	3736	ldanw32.exe	85
PID 3736 wrote to memory of 4344	3736	ldanw32.exe	85
PID 3736 wrote to memory of 4344	3736	ldanw32.exe	85
PID 4344 wrote to memory of 1060	4344	winprx.exe	86
PID 4344 wrote to memory of 1060	4344	winprx.exe	86
PID 4344 wrote to memory of 1060	4344	winprx.exe	86
PID 4344 wrote to memory of 1060	4344	winprx.exe	86
PID 4344 wrote to memory of 1060	4344	winprx.exe	86

C:\Users\Admin\AppData\Local\Temp\f3e9cbc604cfc56d378aed288730a01d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3e9cbc604cfc56d378aed288730a01d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Windows\ldanw32.exe
  "C:\Windows\ldanw32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\winprx.exe
    "C:\Windows\winprx.exe" /stext servs.dll
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Windows\winprx.exe
      C:\Windows\winprx.exe /stext servs.dll
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ldanw32.exe

Filesize
190KB

MD5
f3e9cbc604cfc56d378aed288730a01d

SHA1
84ed0621b0c1b29e951f0fcfaa13b50aa949edfb

SHA256
9698257a594c71c1595e62907bb164d407cc61acead6745d7d431be36884df9f

SHA512
c9a66b6691fe4c3595df31611c759a5afc71dc1640062a5fa309fb901b2b7f20d23e0d29b8dad66cee91d33f60357a557c362c0061290bba1b10f8140bb500b2

Download Submit
C:\Windows\mwin.dll

Filesize
16KB

MD5
dbdba8bb92c9a84d0795ede35a6721a8

SHA1
67d503f92e42c7ead84c0c99cc7ff77846488dba

SHA256
e84bd0f745a241cdb0dce1f959b2e33f677c64358bc07396640fcc2865098e86

SHA512
c3402e9d2bf9ae7e55d0e52ba3e8027ce62dee2e9bc15279248c483cca55ac82344700c05442407966aaeaf7e4073fab51aa123ed545459ad26585860f8c6d5f

Download Submit
C:\Windows\winprx.exe

Filesize
83KB

MD5
dbb5dab317acdb0818ae4f2ea1c9b078

SHA1
3544a53f6e40dbb2928ef4fffae3a3689f5b1763

SHA256
a823354b34b305e62d2ac6b0a7af6d542d30c63521e4c633b2bf8536efeec678

SHA512
29daaff50aa002997cf0b48e21b4abdbf124481d7571025b22305768cfce71901a242eb528d125b8b9982a33ed519a8ce1338a640dc1785e7cdd5a7c5ad5af91

Download Submit
memory/1060-55-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1060-59-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1060-60-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1060-61-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3736-64-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3736-65-0x0000000001F50000-0x0000000001F5A000-memory.dmp

Filesize
40KB

Download
memory/4224-41-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4344-57-0x0000000018000000-0x000000001801A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing