modiloader | c2bdb2b1f9a76c1087ac84d303441793e17b4f5e5a59cd4a2269bfe96e5515fa

General

Target

910dfd05b43191f376040a0325b79795_JaffaCakes118.exe
Size

872KB
MD5

910dfd05b43191f376040a0325b79795
SHA1

2cd9d7a05387efd1f28f6f307c5aee1d5661a977
SHA256

c2bdb2b1f9a76c1087ac84d303441793e17b4f5e5a59cd4a2269bfe96e5515fa
SHA512

82a7934ac51ea1e26bd60644b8ae93e07d60df133f3e72dd85c9773a9eb0b44071a0093e76492fed10842b14f2bf2cbe85766f0f155f8be6353aeec7ee3f181d
SSDEEP

24576:k1dlZo5r5SM6Wp7Utyd2ViBiMP4bXvwbtPbWw7Pv:k1dlZor5SMOtVS74zvkaw7n

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4800-28-0x0000000000400000-0x00000000004EB000-memory.dmp	modiloader_stage2
behavioral2/memory/4800-35-0x0000000000400000-0x00000000004EB000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

910dfd05b43191f376040a0325b79795_JaffaCakes118.exe2222.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	910dfd05b43191f376040a0325b79795_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	2222.exe

Executes dropped EXE 2 IoCs

Processes:

2222.exeD.exe

pid	Process
4800	2222.exe
2172	D.exe

Drops file in System32 directory 2 IoCs

Processes:

2222.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\advapi32.dll	2222.exe
File created	C:\Windows\SysWOW64\advapi32.dll	2222.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
3036	4800	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

910dfd05b43191f376040a0325b79795_JaffaCakes118.exe2222.exeD.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	910dfd05b43191f376040a0325b79795_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

D.exe

pid	Process
2172	D.exe
2172	D.exe
2172	D.exe
2172	D.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

910dfd05b43191f376040a0325b79795_JaffaCakes118.exe2222.exeD.exe

description	pid	Process	procid_target
PID 1544 wrote to memory of 4800	1544	910dfd05b43191f376040a0325b79795_JaffaCakes118.exe	83
PID 1544 wrote to memory of 4800	1544	910dfd05b43191f376040a0325b79795_JaffaCakes118.exe	83
PID 1544 wrote to memory of 4800	1544	910dfd05b43191f376040a0325b79795_JaffaCakes118.exe	83
PID 4800 wrote to memory of 2172	4800	2222.exe	87
PID 4800 wrote to memory of 2172	4800	2222.exe	87
PID 4800 wrote to memory of 2172	4800	2222.exe	87
PID 2172 wrote to memory of 3476	2172	D.exe	56
PID 2172 wrote to memory of 3476	2172	D.exe	56
PID 2172 wrote to memory of 3476	2172	D.exe	56
PID 2172 wrote to memory of 3476	2172	D.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3476
- C:\Users\Admin\AppData\Local\Temp\910dfd05b43191f376040a0325b79795_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\910dfd05b43191f376040a0325b79795_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Users\Admin\AppData\Local\Temp\2222.exe
    "C:\Users\Admin\AppData\Local\Temp\2222.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 256
      4⤵
      Program crash
      PID:3036
  - - C:\Users\Admin\AppData\Local\Temp\D.exe
      "C:\Users\Admin\AppData\Local\Temp\D.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4800 -ip 4800
1⤵
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2222.exe

Filesize
821KB

MD5
86b5bb3f6a58ab52c284a30de8930c26

SHA1
35ab299c53ba50182a4fe4e2adad5249c06f3c33

SHA256
6f9fed677f545a7aa7ade0719e19c62646d3909431109e544fa1dddc6ab57990

SHA512
8a49f4742d399a170c87545a1a9bf2ff8d4e467d9579e4aaa146bbacdd09cad79e70437824e90f28162b395a3e459464d466379772f52e0caf42654a8c2d316d

Download Submit
C:\Users\Admin\AppData\Local\Temp\D.exe

Filesize
31KB

MD5
bebf90842a3fb7606a38e2818c1f6475

SHA1
a1360e2ce4a1888d28feaa389284c205fcd35c06

SHA256
2b9b8642b2bbe746daa426d3dabc0a7c5a30875f1aa69f3f49eea9744af63dbf

SHA512
79314f789931444a2c967c7f2bcda751277a89eefc7936b75e6400ca77e42d940fee4fc0511561facb87e04f8e16e3535f64eb574b9eacd96f86d028f93901ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfx.ini

Filesize
249B

MD5
31a8177375dc81dd2766d3c814ce37d4

SHA1
64c6ea57d5b137c69fad92a815dbe30310fdbfb1

SHA256
997ee54fd1e29bc3f5018f566f580c417a8f43c6e8f80520f530f759c972e56f

SHA512
81bb55629d2668c12d17cf0e450b8f81d52896eb37927830fdbca229d444cda3108619e19712ad1af066b046485330a56b3269a7eab6bdc01af4a25258034bec

Download Submit
memory/2172-36-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/2172-39-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/3476-40-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3476-41-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/4800-24-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4800-26-0x000000000043E000-0x0000000000446000-memory.dmp

Filesize
32KB

Download
memory/4800-28-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4800-35-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4800-38-0x000000000043E000-0x0000000000446000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads