modiloader | e608cd2c919f15124e55ddc4dcc7456fca38461d59987d3b5d77223eb9292b3e

General

Target

003cff0b46b1494232b58775361eaf65_JaffaCakes118.exe
Size

722KB
MD5

003cff0b46b1494232b58775361eaf65
SHA1

7ef624ec274c51a9fe203cd91c670d33c2b4a69d
SHA256

e608cd2c919f15124e55ddc4dcc7456fca38461d59987d3b5d77223eb9292b3e
SHA512

85bf2ea80759cbfb84be28c2e4f1470a4c381010e61866aaf0c8b50f32ba17fa1427168843494da8959ba4781fd6ec41321ce711cdc762d64cf999a956c004a5
SSDEEP

12288:jRBjhLRSanSMItoRpsyPxVbZAxOxNiq4tqbVIsyPxVbZAxOxNiq4t:3jhFSaSXoRFP3bZWWiq4tEUP3bZWWiqW

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023447-15.dat	modiloader_stage2
behavioral2/memory/4260-28-0x0000000000400000-0x00000000004BC000-memory.dmp	modiloader_stage2
behavioral2/memory/2344-49-0x00000000769A0000-0x0000000076A90000-memory.dmp	modiloader_stage2
behavioral2/memory/3588-52-0x0000000000400000-0x0000000000483000-memory.dmp	modiloader_stage2
behavioral2/memory/3588-65-0x0000000000400000-0x0000000000483000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	003cff0b46b1494232b58775361eaf65_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ÕæÑå Çáí ÇáÞÑíå.exe

Executes dropped EXE 4 IoCs

pid	Process
2408	bsdrKgd.EXE
3588	ÕæÑå Çáí ÇáÞÑíå.exe
2344	bsdrKgd.EXE
4000	bsdrKgd.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsdrKgd.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ÕæÑå Çáí ÇáÞÑíå.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsdrKgd.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsdrKgd.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	003cff0b46b1494232b58775361eaf65_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 2408	4260	003cff0b46b1494232b58775361eaf65_JaffaCakes118.exe	82
PID 4260 wrote to memory of 2408	4260	003cff0b46b1494232b58775361eaf65_JaffaCakes118.exe	82
PID 4260 wrote to memory of 2408	4260	003cff0b46b1494232b58775361eaf65_JaffaCakes118.exe	82
PID 4260 wrote to memory of 3588	4260	003cff0b46b1494232b58775361eaf65_JaffaCakes118.exe	83
PID 4260 wrote to memory of 3588	4260	003cff0b46b1494232b58775361eaf65_JaffaCakes118.exe	83
PID 4260 wrote to memory of 3588	4260	003cff0b46b1494232b58775361eaf65_JaffaCakes118.exe	83
PID 3588 wrote to memory of 2344	3588	ÕæÑå Çáí ÇáÞÑíå.exe	84
PID 3588 wrote to memory of 2344	3588	ÕæÑå Çáí ÇáÞÑíå.exe	84
PID 3588 wrote to memory of 2344	3588	ÕæÑå Çáí ÇáÞÑíå.exe	84
PID 3588 wrote to memory of 4000	3588	ÕæÑå Çáí ÇáÞÑíå.exe	85
PID 3588 wrote to memory of 4000	3588	ÕæÑå Çáí ÇáÞÑíå.exe	85
PID 3588 wrote to memory of 4000	3588	ÕæÑå Çáí ÇáÞÑíå.exe	85

C:\Users\Admin\AppData\Local\Temp\003cff0b46b1494232b58775361eaf65_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\003cff0b46b1494232b58775361eaf65_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Users\Admin\AppData\Local\Temp\bsdrKgd.EXE
  "C:\Users\Admin\AppData\Local\Temp\bsdrKgd.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2408
- C:\Users\Admin\AppData\Local\Temp\ÕæÑå Çáí ÇáÞÑíå.exe
  "C:\Users\Admin\AppData\Local\Temp\ÕæÑå Çáí ÇáÞÑíå.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Users\Admin\AppData\Local\Temp\bsdrKgd.EXE
    "C:\Users\Admin\AppData\Local\Temp\bsdrKgd.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2344
- - C:\Users\Admin\AppData\Local\Temp\bsdrKgd.EXE
    "C:\Users\Admin\AppData\Local\Temp\bsdrKgd.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bsdrKgd.EXE

Filesize
216KB

MD5
5e2c492048c8c4b39ada38865600b079

SHA1
13d92ec807d5ca544bbc8cb6f1c58d2241a3284f

SHA256
55849f6dfb69299c6220cda34866dbe0face4e751483fb65736b45c27a160095

SHA512
83ec1eb9de6303aad15d48154182028911a35f2f2ad4c89005815fd393392ce72292b57a482c99950c6b7d17a224ac926c9c2ed6b89a3c1790d9206d21fe1b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÕæÑå Çáí ÇáÞÑíå.exe

Filesize
494KB

MD5
b0088c49f6e22f89979e6177310e7edf

SHA1
679eeadbe81240f745e5d4728438eb709861a89a

SHA256
620a646092bc8e4cf413f40accd83c2202420ef151641ac26637cfbba2181b0f

SHA512
66115bfa86dfa034356bf964b2e61766e46551c281bb64991ca678321aea79a87e5d83c99f12c7fbddd0b736a8218efc755eb6cad6e335f53f408009d5fc70f1

Download Submit
memory/2344-47-0x00000000769A0000-0x0000000076A90000-memory.dmp

Filesize
960KB

Download
memory/2344-53-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2344-54-0x00000000769A0000-0x0000000076A90000-memory.dmp

Filesize
960KB

Download
memory/2344-44-0x00000000769A0000-0x0000000076A90000-memory.dmp

Filesize
960KB

Download
memory/2344-45-0x00000000769A0000-0x0000000076A90000-memory.dmp

Filesize
960KB

Download
memory/2344-46-0x00000000769A0000-0x0000000076A90000-memory.dmp

Filesize
960KB

Download
memory/2344-48-0x00000000769A0000-0x0000000076A90000-memory.dmp

Filesize
960KB

Download
memory/2344-49-0x00000000769A0000-0x0000000076A90000-memory.dmp

Filesize
960KB

Download
memory/2344-50-0x00000000769A0000-0x0000000076A90000-memory.dmp

Filesize
960KB

Download
memory/2344-51-0x00000000769A0000-0x0000000076A90000-memory.dmp

Filesize
960KB

Download
memory/2408-26-0x00000000769C0000-0x00000000769C1000-memory.dmp

Filesize
4KB

Download
memory/2408-25-0x0000000002220000-0x0000000002230000-memory.dmp

Filesize
64KB

Download
memory/2408-31-0x00000000769A0000-0x0000000076A90000-memory.dmp

Filesize
960KB

Download
memory/2408-30-0x00000000020D0000-0x000000000211C000-memory.dmp

Filesize
304KB

Download
memory/2408-20-0x0000000002220000-0x0000000002230000-memory.dmp

Filesize
64KB

Download
memory/2408-22-0x0000000002190000-0x00000000021A0000-memory.dmp

Filesize
64KB

Download
memory/2408-24-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download
memory/2408-29-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2408-16-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/2408-27-0x00000000769A0000-0x0000000076A90000-memory.dmp

Filesize
960KB

Download
memory/2408-23-0x0000000077642000-0x0000000077643000-memory.dmp

Filesize
4KB

Download
memory/2408-17-0x00000000020D0000-0x000000000211C000-memory.dmp

Filesize
304KB

Download
memory/3588-52-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3588-65-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4000-67-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4260-28-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download

Analysis

Sharing