modiloader | 64695ef72a53eee76b6055e025af7fbed11cf9c38a765503d7b8637e416229a2

General

Target

f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe
Size

1.7MB
MD5

f6760b30fc256e6e923b646c9ddd5909
SHA1

8e1f8f9346dd26911584f78ad6ccf361c24289f9
SHA256

64695ef72a53eee76b6055e025af7fbed11cf9c38a765503d7b8637e416229a2
SHA512

2fedebe7946de24b0b2c6ea24a08e5cec84d9d1758205b5c9b4bb75081b8e5aa3af9d025fb31a7455918214891e3b533c40485944cdd3a997daaa91b1ad88435
SSDEEP

24576:RaIMsNScd/taTkBc2quTRMxtBVrYa4P3g0tY6Sa2jCed51z5m/lru15w17+zh4T8:l3IcDa4c2bTRGBVrv4tM19m9ruIJ+7

Score

10^/10

modiloader discovery trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/4856-1-0x0000000000401000-0x0000000000403000-memory.dmp	modiloader_stage2
behavioral2/memory/4856-26-0x0000000000400000-0x00000000005CE110-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
4412	1.exe
944	winrar-32Bit-400.exe
1480	1.exe
3976	1.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4412 set thread context of 1480	4412	1.exe	84
PID 1480 set thread context of 3976	1480	1.exe	85

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1480-27-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1480-32-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1480-44-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/1480-30-0x0000000000400000-0x0000000000427000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winrar-32Bit-400.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3976	1.exe
3976	1.exe
3976	1.exe
3976	1.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4412	1.exe
1480	1.exe
944	winrar-32Bit-400.exe
944	winrar-32Bit-400.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 4412	4856	f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe	82
PID 4856 wrote to memory of 4412	4856	f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe	82
PID 4856 wrote to memory of 4412	4856	f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe	82
PID 4856 wrote to memory of 944	4856	f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe	83
PID 4856 wrote to memory of 944	4856	f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe	83
PID 4856 wrote to memory of 944	4856	f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe	83
PID 4412 wrote to memory of 1480	4412	1.exe	84
PID 4412 wrote to memory of 1480	4412	1.exe	84
PID 4412 wrote to memory of 1480	4412	1.exe	84
PID 4412 wrote to memory of 1480	4412	1.exe	84
PID 4412 wrote to memory of 1480	4412	1.exe	84
PID 4412 wrote to memory of 1480	4412	1.exe	84
PID 4412 wrote to memory of 1480	4412	1.exe	84
PID 4412 wrote to memory of 1480	4412	1.exe	84
PID 1480 wrote to memory of 3976	1480	1.exe	85
PID 1480 wrote to memory of 3976	1480	1.exe	85
PID 1480 wrote to memory of 3976	1480	1.exe	85
PID 1480 wrote to memory of 3976	1480	1.exe	85
PID 1480 wrote to memory of 3976	1480	1.exe	85
PID 1480 wrote to memory of 3976	1480	1.exe	85
PID 1480 wrote to memory of 3976	1480	1.exe	85
PID 3976 wrote to memory of 3408	3976	1.exe	56
PID 3976 wrote to memory of 3408	3976	1.exe	56
PID 3976 wrote to memory of 3408	3976	1.exe	56
PID 3976 wrote to memory of 3408	3976	1.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3408
- C:\Users\Admin\AppData\Local\Temp\f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f6760b30fc256e6e923b646c9ddd5909_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4412
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      C:\Users\Admin\AppData\Local\Temp\1.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        C:\Users\Admin\AppData\Local\Temp\1.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3976
- - C:\Users\Admin\AppData\Local\Temp\winrar-32Bit-400.exe
    "C:\Users\Admin\AppData\Local\Temp\winrar-32Bit-400.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
286KB

MD5
f2c7bcc4b9096a5eb57ed5d1aad3e85d

SHA1
bf047b8d9df03689eaa83015bb343e379583b8ba

SHA256
d91ecfecbfde91c6646e4bc7783a2df0e77794d36622923973a9f679a77d9e7e

SHA512
c5a547d89b23f9b269fbf82548676024c0a24cc9b82669788c8ac1a94d12cda17fdc62e0bba813a9ce631247331f02f64ef17ded7b532c16d8333f925350f8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\winrar-32Bit-400.exe

Filesize
1.4MB

MD5
bff4de14e81eacd66167c017fe1872b1

SHA1
e5084a96cfb7c385f0f5a20beb198619cc7f2894

SHA256
bf433776706a19de55651786d1b76869f95d109bf020981c5c34bf4cb20e4a15

SHA512
7658b64cc7ce337cc11f4f9791f1a2dce33f2c82816f3fb008a3e2eae5f5f359de1650232d114dd9da5717a0fdfde49010f3b9baa94297e45afe75a16f0a2eb7

Download Submit
memory/944-50-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/944-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1480-32-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1480-44-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1480-27-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1480-30-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3408-46-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/3408-45-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3976-40-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3976-41-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/3976-37-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4412-13-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4412-36-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4856-0-0x0000000000400000-0x00000000005CE110-memory.dmp

Filesize
1.8MB

Download
memory/4856-26-0x0000000000400000-0x00000000005CE110-memory.dmp

Filesize
1.8MB

Download
memory/4856-1-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing