modiloader | c30de93ba586648ea6b3c897840d1a3a11ae1962c11ac15e82ba153d271e54fe

General

Target

8b22d40166f7316a7c8ae0375f60e984_JaffaCakes118.exe
Size

80KB
MD5

8b22d40166f7316a7c8ae0375f60e984
SHA1

3c2c700ce1553b6d96cf1f83f280acd7bca6f143
SHA256

c30de93ba586648ea6b3c897840d1a3a11ae1962c11ac15e82ba153d271e54fe
SHA512

e7f035678ff593dbf90c810634c33428be074f6d41cd0e3f14a1a6a2990b30ae31ceceec0077144b7f8a5531bb330783316ae982168513946c8b95c1da9f73fb
SSDEEP

1536:4q6u9kHqyY71zdfMIn8ofsx3MfwzjNO6HPG1ab/K/xypMcUwjgVU/eDSWqESb3:4qMqXxdEaKhSwnVPG1aDK/spMhwsDSWq

Score

10^/10

modiloader discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 16 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b9d-14.dat	modiloader_stage2
behavioral2/memory/2980-27-0x0000000000400000-0x000000000040E000-memory.dmp	modiloader_stage2
behavioral2/memory/2272-30-0x0000000000400000-0x000000000040E000-memory.dmp	modiloader_stage2
behavioral2/memory/2272-32-0x0000000000400000-0x000000000040E000-memory.dmp	modiloader_stage2
behavioral2/memory/2272-34-0x0000000000400000-0x000000000040E000-memory.dmp	modiloader_stage2
behavioral2/memory/2272-36-0x0000000000400000-0x000000000040E000-memory.dmp	modiloader_stage2
behavioral2/memory/2272-38-0x0000000000400000-0x000000000040E000-memory.dmp	modiloader_stage2
behavioral2/memory/2272-40-0x0000000000400000-0x000000000040E000-memory.dmp	modiloader_stage2
behavioral2/memory/2272-42-0x0000000000400000-0x000000000040E000-memory.dmp	modiloader_stage2
behavioral2/memory/2272-44-0x0000000000400000-0x000000000040E000-memory.dmp	modiloader_stage2
behavioral2/memory/2272-46-0x0000000000400000-0x000000000040E000-memory.dmp	modiloader_stage2
behavioral2/memory/2272-48-0x0000000000400000-0x000000000040E000-memory.dmp	modiloader_stage2
behavioral2/memory/2272-50-0x0000000000400000-0x000000000040E000-memory.dmp	modiloader_stage2
behavioral2/memory/2272-52-0x0000000000400000-0x000000000040E000-memory.dmp	modiloader_stage2
behavioral2/memory/2272-54-0x0000000000400000-0x000000000040E000-memory.dmp	modiloader_stage2
behavioral2/memory/2272-56-0x0000000000400000-0x000000000040E000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	8b22d40166f7316a7c8ae0375f60e984_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Result.exe

Executes dropped EXE 3 IoCs

pid	Process
5016	Çàÿâêà.exe
2980	Result.exe
2272	B K.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\B K = "C:\\Users\\Admin\\AppData\\Local\\B K.exe"	B K.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023b9a-4.dat	upx
behavioral2/memory/5016-12-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/5016-29-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b22d40166f7316a7c8ae0375f60e984_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Çàÿâêà.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Result.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B K.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2272	B K.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5016	Çàÿâêà.exe
5016	Çàÿâêà.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 5016	3320	8b22d40166f7316a7c8ae0375f60e984_JaffaCakes118.exe	84
PID 3320 wrote to memory of 5016	3320	8b22d40166f7316a7c8ae0375f60e984_JaffaCakes118.exe	84
PID 3320 wrote to memory of 5016	3320	8b22d40166f7316a7c8ae0375f60e984_JaffaCakes118.exe	84
PID 3320 wrote to memory of 2980	3320	8b22d40166f7316a7c8ae0375f60e984_JaffaCakes118.exe	85
PID 3320 wrote to memory of 2980	3320	8b22d40166f7316a7c8ae0375f60e984_JaffaCakes118.exe	85
PID 3320 wrote to memory of 2980	3320	8b22d40166f7316a7c8ae0375f60e984_JaffaCakes118.exe	85
PID 2980 wrote to memory of 2272	2980	Result.exe	89
PID 2980 wrote to memory of 2272	2980	Result.exe	89
PID 2980 wrote to memory of 2272	2980	Result.exe	89

C:\Users\Admin\AppData\Local\Temp\8b22d40166f7316a7c8ae0375f60e984_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8b22d40166f7316a7c8ae0375f60e984_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Users\Admin\AppData\Local\Temp\Çàÿâêà.exe
  "C:\Users\Admin\AppData\Local\Temp\Çàÿâêà.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5016
- C:\Users\Admin\AppData\Local\Temp\Result.exe
  "C:\Users\Admin\AppData\Local\Temp\Result.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Local\B K.exe
    "C:\Users\Admin\AppData\Local\B K.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Result.exe

Filesize
33KB

MD5
45a87bd79091655ae31f6711504094f8

SHA1
f29e273ff1346c80b47daa1ce5c47f453295afe9

SHA256
f79d920ca8f0ab7a94914b6e5961b45da1594cdcb6e5a38c4904e0ce792e1bb3

SHA512
03e71aa3d29bf531f7f0d748f4d423fbb722637efbd5dd40da9cd9bbb6063987b39d50d87fe19dba29cd1fe1ac68c5e1727450d7857cc377c1223131925fcb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Çàÿâêà.exe

Filesize
60KB

MD5
cad096f3414b20e21f0a7b529384d526

SHA1
baf9a9a04b8436398909fd377f2d993ddb273aaf

SHA256
b99207197e7ceb396c892de843c58b778c1c46bebe6b55c97128523d77fc46b7

SHA512
8fb4dafd676eff1d55223d8cef42ed979a3260a6ba31e736f1351e0940fd1e92bce2de1d62fd97dcb3cb45f2330ab601a00eb13c6eed46f27fafe5485fca70a4

Download Submit
memory/2272-44-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2272-42-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2272-56-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2272-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2272-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2272-34-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2272-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2272-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2272-40-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2272-54-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2272-52-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2272-46-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2272-48-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2272-50-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2980-27-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5016-12-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5016-29-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads