modiloader | abd2d026b3745d4b020ac55c1a4c3ea926c4b72c19ddb6efca48c50ac111a941

General

Target

f7a20f72594e93e888cf726e87c827f6_JaffaCakes118.exe
Size

264KB
MD5

f7a20f72594e93e888cf726e87c827f6
SHA1

5f917f08cd58f000c9903d6cf213ce5ea9509813
SHA256

abd2d026b3745d4b020ac55c1a4c3ea926c4b72c19ddb6efca48c50ac111a941
SHA512

da5cd6711edf0a62f680cf9cb094dd93840ea797ab16b71d4a98408e753ae107407aa2bbf913af628963b4ccff2d1ba6e7f3c5e2f7220feced13d46d7022b388
SSDEEP

6144:CVjiJLbA6jiuok9+hyhkMblUBj1zial2j7SxzJvwi:eQb12h2kyluiRvSxzhwi

Score

10^/10

modiloader discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/3672-10-0x0000000000400000-0x0000000000449000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	f7a20f72594e93e888cf726e87c827f6_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
1144	girl123.exe
2704	server.exe
4028	server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	girl123.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2704 set thread context of 4028	2704	server.exe	84

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023457-22.dat	upx
behavioral2/memory/2704-24-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/2704-35-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7a20f72594e93e888cf726e87c827f6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	girl123.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4028	server.exe
4028	server.exe
4028	server.exe
4028	server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2704	server.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 1144	3672	f7a20f72594e93e888cf726e87c827f6_JaffaCakes118.exe	82
PID 3672 wrote to memory of 1144	3672	f7a20f72594e93e888cf726e87c827f6_JaffaCakes118.exe	82
PID 3672 wrote to memory of 1144	3672	f7a20f72594e93e888cf726e87c827f6_JaffaCakes118.exe	82
PID 1144 wrote to memory of 2704	1144	girl123.exe	83
PID 1144 wrote to memory of 2704	1144	girl123.exe	83
PID 1144 wrote to memory of 2704	1144	girl123.exe	83
PID 2704 wrote to memory of 4028	2704	server.exe	84
PID 2704 wrote to memory of 4028	2704	server.exe	84
PID 2704 wrote to memory of 4028	2704	server.exe	84
PID 2704 wrote to memory of 4028	2704	server.exe	84
PID 2704 wrote to memory of 4028	2704	server.exe	84
PID 2704 wrote to memory of 4028	2704	server.exe	84
PID 2704 wrote to memory of 4028	2704	server.exe	84
PID 4028 wrote to memory of 3488	4028	server.exe	56
PID 4028 wrote to memory of 3488	4028	server.exe	56
PID 4028 wrote to memory of 3488	4028	server.exe	56
PID 4028 wrote to memory of 3488	4028	server.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3488
- C:\Users\Admin\AppData\Local\Temp\f7a20f72594e93e888cf726e87c827f6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f7a20f72594e93e888cf726e87c827f6_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Users\Admin\AppData\Local\Temp\girl123.exe
    "C:\Users\Admin\AppData\Local\Temp\girl123.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1144
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
92KB

MD5
076745fadd0b7dc4a8906c2c2cff1dc0

SHA1
cde3c5e53a3507b3db0cd4421fc604d02b26043d

SHA256
95fcbc874853c171353fde26213bb7c0f7442429a870f7a002663c7c526de9ec

SHA512
d9734fb7c7d5505435bb6b320429970bbf0384b5366ed7764c237062751c738cb3828821cf1d743415855ed4dc45adb01e720c78f1a7cde062d81311e9294c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\girl123.exe

Filesize
252KB

MD5
969cbe4eed6dc4f0d1416e0e2e051b12

SHA1
e0a47ace284761d6a94a8c0ccd4db4ab5003920f

SHA256
d48e75fe3d73a683c588b2950fa6a70b3530324778ed66bb6eb919aa494652b8

SHA512
0a7be0375e9b8619606505f1ea993c291dedc03c2620d20caea58e6d411cff69c7c8497c0326c8f415b24de3516b65a8269126852cdd2c6db1654458e2938787

Download Submit
memory/1144-37-0x0000000001000000-0x000000000103F000-memory.dmp

Filesize
252KB

Download
memory/1144-12-0x0000000001001000-0x0000000001003000-memory.dmp

Filesize
8KB

Download
memory/1144-17-0x0000000001000000-0x000000000103F000-memory.dmp

Filesize
252KB

Download
memory/1144-16-0x0000000001000000-0x000000000103F000-memory.dmp

Filesize
252KB

Download
memory/1144-15-0x0000000001000000-0x000000000103F000-memory.dmp

Filesize
252KB

Download
memory/1144-18-0x0000000001000000-0x000000000103F000-memory.dmp

Filesize
252KB

Download
memory/1144-19-0x0000000001000000-0x000000000103F000-memory.dmp

Filesize
252KB

Download
memory/1144-13-0x0000000001000000-0x000000000103F000-memory.dmp

Filesize
252KB

Download
memory/2704-24-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2704-35-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3488-39-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/3488-38-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3672-10-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4028-31-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4028-32-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/4028-33-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4028-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4028-42-0x0000000000410000-0x00000000004D9000-memory.dmp

Filesize
804KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads