modiloader | c1f19661fe142568d5292d71b3d1a536cddeb767e67c7a208ec7b7d2b2783c90

General

Target

fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe
Size

213KB
MD5

fc21c75bba1c1e51c67075fc8d7c51d7
SHA1

6279b17f31ea2ea7944c464f59d2eb988293eb5b
SHA256

c1f19661fe142568d5292d71b3d1a536cddeb767e67c7a208ec7b7d2b2783c90
SHA512

c205035df8fb2d2f371cff94ce3af40751204892d582c57ef84bc6fedabd6daa1520eb379cb2b25af301c261052d6c6e5d49319622e1bce45ef302527224164d
SSDEEP

3072:dd2rUPFQYgI0eaqYanzxueMcXEKeYEODaoM06IaSTJUtej:nNP2uWfCVX9+Z06iTJIM

Score

10^/10

modiloader discovery evasion trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/files/0x000700000002342f-38.dat	modiloader_stage2
behavioral2/memory/4784-44-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	jeudiC.exe

Executes dropped EXE 2 IoCs

pid	Process
2980	jeudiC.exe
4784	jeudi.exe

Loads dropped DLL 4 IoCs

pid	Process
1680	fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe
1680	fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe
2980	jeudiC.exe
2980	jeudiC.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jeudi.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\aplib.dll	fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\aplib.dll	jeudiC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1608	4784	WerFault.exe	83
4552	4784	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jeudiC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jeudi.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4784	jeudi.exe
Token: SeBackupPrivilege	2324	vssvc.exe
Token: SeRestorePrivilege	2324	vssvc.exe
Token: SeAuditPrivilege	2324	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1680	fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe
2980	jeudiC.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2980	1680	fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe	82
PID 1680 wrote to memory of 2980	1680	fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe	82
PID 1680 wrote to memory of 2980	1680	fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe	82
PID 2980 wrote to memory of 4784	2980	jeudiC.exe	83
PID 2980 wrote to memory of 4784	2980	jeudiC.exe	83
PID 2980 wrote to memory of 4784	2980	jeudiC.exe	83

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\jeudiC.exe
  "C:\Users\Admin\AppData\Local\Temp\jeudiC.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\jeudi.exe
    "C:\Users\Admin\AppData\Local\Temp\jeudi.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4784
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 588
      4⤵
      Program crash
      PID:1608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 972
      4⤵
      Program crash
      PID:4552

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4784 -ip 4784
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4784 -ip 4784
1⤵
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jeudi.exe

Filesize
270KB

MD5
ba91b9d7b59dbed24ba308e5c0c68dad

SHA1
4adf0f0d84a6cbcaf46930952bb2a2f2571f3322

SHA256
34735313fcec56540e75800b27440a5c63f49e90b4f03150c5c719d37e9676ca

SHA512
3dcb8244133a0c5c5d19cae48fc5cd55c97592e6fabcb37c3084b200b6718764b2da2efc88c21a61dea05088e08c0531fc3aa2876afd4d61f2e3719f9650d7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jeudiC.exe

Filesize
190KB

MD5
3b7b2818888ac27d4a95aabb3b8ef59f

SHA1
b36390621524ca1e67a51d9cb60d2e406e6d2727

SHA256
c03fe7761168d02ab4c670817ab100b60a8e6c4d4051fac613e4a75cc4c9a2c2

SHA512
5a4b672a0e7d87c0f2d62199c878b10c705c0716de131fbaaa8cbcf6a7d033d9a0d1016b993b352910c800acfc4678614e2de3bd095b3d79b038e935ceebce5c

Download Submit
C:\Windows\SysWOW64\aplib.dll

Filesize
12KB

MD5
35d174edd3c0bcfa9a32dce19e1abeb9

SHA1
c22638e64f8a5f34809811a2c286ae2f115028f8

SHA256
34194aa58d0eb70b513ea6a876a4f35ba6cc2f19c4fb6d408dd05580dcc74b04

SHA512
f807df3655e6dd0cea2412ae82aa7b3babe3862fa9eee5d38673ee30b26a528b9618e1a25d3a58ef1ff14be36a666fabd32968b5f4dc481539d2372b526c1ead

Download Submit
memory/4784-44-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads