modiloader | 22b66c1abab1e0f7a30db72426404815300c715bc1bc49f3d0b1edb4b4cb3e27

General

Target

f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe
Size

1.9MB
MD5

f7a097ec7811f82c11296085e9cd539d
SHA1

b40d0447a9d5ba906d56551b78311f2c39ec9838
SHA256

22b66c1abab1e0f7a30db72426404815300c715bc1bc49f3d0b1edb4b4cb3e27
SHA512

a9373f0239b42b061b8784018893824531ca44cb8f1098c1b7043253ad659fc2acade29066edbcc2a2181e2db1e1f209d958139fb1b0dacf60fd1afedd93f83a
SSDEEP

49152:aSwf/YI9og/xeRK9jj18c8GuwhkRIjx1apgubKe3:aS0Q2o+xkK5j1lSwhkix1DQR

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/5052-18-0x0000000000400000-0x00000000005EB000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4428	win.exe
1436	win.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4428 set thread context of 1436	4428	win.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4776	vlc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1436	win.exe
1436	win.exe
1436	win.exe
1436	win.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4776	vlc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	4520	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4520	AUDIODG.EXE
Token: 33	4776	vlc.exe
Token: SeIncBasePriorityPrivilege	4776	vlc.exe

Suspicious use of FindShellTrayWindow 19 IoCs

pid	Process
4776	vlc.exe
4776	vlc.exe
4776	vlc.exe
4776	vlc.exe
4776	vlc.exe
4776	vlc.exe
4776	vlc.exe
4776	vlc.exe
4776	vlc.exe
4776	vlc.exe
4776	vlc.exe
4776	vlc.exe
4776	vlc.exe
4776	vlc.exe
4776	vlc.exe
4776	vlc.exe
4776	vlc.exe
4776	vlc.exe
4776	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
4776	vlc.exe
4776	vlc.exe
4776	vlc.exe
4776	vlc.exe
4776	vlc.exe
4776	vlc.exe
4776	vlc.exe
4776	vlc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4776	vlc.exe
4776	vlc.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 4428	5052	f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe	82
PID 5052 wrote to memory of 4428	5052	f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe	82
PID 5052 wrote to memory of 4428	5052	f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe	82
PID 5052 wrote to memory of 4776	5052	f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe	83
PID 5052 wrote to memory of 4776	5052	f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe	83
PID 4428 wrote to memory of 1436	4428	win.exe	85
PID 4428 wrote to memory of 1436	4428	win.exe	85
PID 4428 wrote to memory of 1436	4428	win.exe	85
PID 4428 wrote to memory of 1436	4428	win.exe	85
PID 4428 wrote to memory of 1436	4428	win.exe	85
PID 4428 wrote to memory of 1436	4428	win.exe	85
PID 4428 wrote to memory of 1436	4428	win.exe	85
PID 1436 wrote to memory of 3424	1436	win.exe	56
PID 1436 wrote to memory of 3424	1436	win.exe	56
PID 1436 wrote to memory of 3424	1436	win.exe	56
PID 1436 wrote to memory of 3424	1436	win.exe	56
PID 1436 wrote to memory of 3424	1436	win.exe	56
PID 1436 wrote to memory of 3424	1436	win.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3424
- C:\Users\Admin\AppData\Local\Temp\f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f7a097ec7811f82c11296085e9cd539d_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Users\Admin\AppData\Local\Temp\win.exe
    "C:\Users\Admin\AppData\Local\Temp\win.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Users\Admin\AppData\Local\Temp\win.exe
      R
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1436
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Exclusive Girls beautiful show ass Get Fucked(1).scr.mpg"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4776

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520 0x528
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Exclusive Girls beautiful show ass Get Fucked(1).scr.mpg

Filesize
1.8MB

MD5
bb4bac0f1b7a2babc942346fef8a097a

SHA1
883f7aa12ce70671b15b6a9d687c05228b85b605

SHA256
c8f9ae95042b57e8a42dbf9037563db42a2c3e4a571d0178c0deb27ccdaaf5a2

SHA512
bf037b13ac8d416a0b09443903934c1625b6b7e788c2010ce369d2d8e9659b3d424e39ea56a8d0ff8e883e379e7d7b58813cf637e9b0bc2bdb10e898c3627fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\win.exe

Filesize
82KB

MD5
70d8b66d2dc979835ec43fb0afe8fee4

SHA1
a5c047bd5af8c4660227ab21a535dd6fdbc6f332

SHA256
e3cb606532867110847f0b992b5731b75cc3c8be153293a818c2996de33cc7ed

SHA512
e18c856da156caad49c3cabaf49e486c0973780ecbf90597f4e786d9c8eead653f4bf67fdd747545eba2b99fbc9cc81fe59a32ef5ba9553f6d063e2085cd5d33

Download Submit
memory/1436-30-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1436-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1436-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1436-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3424-35-0x000000007FFC0000-0x000000007FFC6000-memory.dmp

Filesize
24KB

Download
memory/3424-33-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/4428-31-0x0000000000400000-0x00000000004151F0-memory.dmp

Filesize
84KB

Download
memory/4776-50-0x00007FFFEF570000-0x00007FFFEF581000-memory.dmp

Filesize
68KB

Download
memory/4776-55-0x00007FFFEED40000-0x00007FFFEED58000-memory.dmp

Filesize
96KB

Download
memory/4776-70-0x00007FFFDE7F0000-0x00007FFFDF8A0000-memory.dmp

Filesize
16.7MB

Download
memory/4776-61-0x00007FFFEE0D0000-0x00007FFFEE386000-memory.dmp

Filesize
2.7MB

Download
memory/4776-52-0x00007FFFDE7F0000-0x00007FFFDF8A0000-memory.dmp

Filesize
16.7MB

Download
memory/4776-42-0x00007FFFF2590000-0x00007FFFF25C4000-memory.dmp

Filesize
208KB

Download
memory/4776-41-0x00007FF6EFBA0000-0x00007FF6EFC98000-memory.dmp

Filesize
992KB

Download
memory/4776-53-0x00007FFFEED60000-0x00007FFFEEDA1000-memory.dmp

Filesize
260KB

Download
memory/4776-43-0x00007FFFEE0D0000-0x00007FFFEE386000-memory.dmp

Filesize
2.7MB

Download
memory/4776-49-0x00007FFFF00F0000-0x00007FFFF010D000-memory.dmp

Filesize
116KB

Download
memory/4776-51-0x00007FFFDF8A0000-0x00007FFFDFAAB000-memory.dmp

Filesize
2.0MB

Download
memory/4776-48-0x00007FFFF2350000-0x00007FFFF2361000-memory.dmp

Filesize
68KB

Download
memory/4776-47-0x00007FFFF2520000-0x00007FFFF2537000-memory.dmp

Filesize
92KB

Download
memory/4776-46-0x00007FFFF2540000-0x00007FFFF2551000-memory.dmp

Filesize
68KB

Download
memory/4776-45-0x00007FFFF26E0000-0x00007FFFF26F7000-memory.dmp

Filesize
92KB

Download
memory/4776-44-0x00007FFFF46C0000-0x00007FFFF46D8000-memory.dmp

Filesize
96KB

Download
memory/4776-58-0x00007FFFEECE0000-0x00007FFFEECF1000-memory.dmp

Filesize
68KB

Download
memory/4776-57-0x00007FFFEED00000-0x00007FFFEED11000-memory.dmp

Filesize
68KB

Download
memory/4776-56-0x00007FFFEED20000-0x00007FFFEED31000-memory.dmp

Filesize
68KB

Download
memory/4776-54-0x00007FFFEF540000-0x00007FFFEF561000-memory.dmp

Filesize
132KB

Download
memory/5052-18-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/5052-11-0x0000000003690000-0x00000000036A0000-memory.dmp

Filesize
64KB

Download
memory/5052-15-0x0000000003690000-0x00000000036A0000-memory.dmp

Filesize
64KB

Download
memory/5052-14-0x0000000003690000-0x00000000036A0000-memory.dmp

Filesize
64KB

Download
memory/5052-13-0x0000000003690000-0x00000000036A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing