modiloader | 5732cf4e7f6b949636c8d448c734b51711aa276ca8108a351908301e05bb432b

General

Target

92fc6765e2551a2ee8d04fc0f555cf5f_JaffaCakes118.exe
Size

480KB
MD5

92fc6765e2551a2ee8d04fc0f555cf5f
SHA1

e01d78c68e15fb40d905c742f11c0d67b32a3eb8
SHA256

5732cf4e7f6b949636c8d448c734b51711aa276ca8108a351908301e05bb432b
SHA512

3a8cce21358aec7499e4df63e70a2c7d98efb742d6f30495b227ec3f6fea3cbce7287993ab58411c130a572342bf0b5b9ae13badfa26636661572b5e28988933
SSDEEP

6144:vb1GWAE410h2yzkcnfktitO6atDfemiAn8nHH9PkU1LjZfn/z8sKwFYu4xtt0tht:TY6nzkcncGO6at/4npz3ZHIsKwZtm

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3.exe	modiloader_stage2
behavioral2/memory/1108-21-0x0000000000400000-0x00000000004BA016-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

4.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 4.exe
Executes dropped EXE 3 IoCs

Processes:

stailuse.exe4.exe3.exe

pid process

4260 stailuse.exe
2504 4.exe
1108 3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	4.exe

pid	process
4260	stailuse.exe
2504	4.exe
1108	3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

stailuse.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	stailuse.exe

Drops file in Program Files directory 1 IoCs

Processes:

3.exe

description ioc process

File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\Fiele Ps.txt 3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Fiele Ps.txt	3.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

92fc6765e2551a2ee8d04fc0f555cf5f_JaffaCakes118.exestailuse.exe4.exe3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92fc6765e2551a2ee8d04fc0f555cf5f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stailuse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

92fc6765e2551a2ee8d04fc0f555cf5f_JaffaCakes118.exe

pid process

1652 92fc6765e2551a2ee8d04fc0f555cf5f_JaffaCakes118.exe

pid	process
1652	92fc6765e2551a2ee8d04fc0f555cf5f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

92fc6765e2551a2ee8d04fc0f555cf5f_JaffaCakes118.exestailuse.exe4.exe3.exe

description	pid	process	target process
PID 1652 wrote to memory of 4260	1652	92fc6765e2551a2ee8d04fc0f555cf5f_JaffaCakes118.exe	stailuse.exe
PID 1652 wrote to memory of 4260	1652	92fc6765e2551a2ee8d04fc0f555cf5f_JaffaCakes118.exe	stailuse.exe
PID 1652 wrote to memory of 4260	1652	92fc6765e2551a2ee8d04fc0f555cf5f_JaffaCakes118.exe	stailuse.exe
PID 4260 wrote to memory of 2504	4260	stailuse.exe	4.exe
PID 4260 wrote to memory of 2504	4260	stailuse.exe	4.exe
PID 4260 wrote to memory of 2504	4260	stailuse.exe	4.exe
PID 2504 wrote to memory of 1108	2504	4.exe	3.exe
PID 2504 wrote to memory of 1108	2504	4.exe	3.exe
PID 2504 wrote to memory of 1108	2504	4.exe	3.exe
PID 1108 wrote to memory of 2640	1108	3.exe	IEXPLORE.EXE
PID 1108 wrote to memory of 2640	1108	3.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\92fc6765e2551a2ee8d04fc0f555cf5f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\92fc6765e2551a2ee8d04fc0f555cf5f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652
- \??\c:\stailuse.exe
  c:\stailuse.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Users\Admin\AppData\Local\Temp\3.exe
      "C:\Users\Admin\AppData\Local\Temp\3.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1108
    - - C:\program files\internet explorer\IEXPLORE.EXE
        
        "C:\program files\internet explorer\IEXPLORE.EXE"
        5⤵
        
        PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
675KB

MD5
085b64aa9a82ae8f6fcbcdcf985a4b8f

SHA1
a7d3f1094cbd8ae774aabe477ce5135b5e5c873c

SHA256
314139973bbd6991a7e3620706b6a139b37e7aefe2ee3f4c7dd8801ae650cbed

SHA512
534d1a29746f6ca2ad079dd49d58c8e2b9e551fee911814dedad65189132771b687bc653941047030a97c55130d0d6509d7f1c3b606061567c28c69fdc6bd60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
684KB

MD5
e0b53c768978c933c51d20af043203e7

SHA1
e2f8c5127c513d465f55dd27d12e59cf0affed92

SHA256
e0966ac4503a1114299627efe838cfed61f653fa196f01f5ca8e2af0a3073b3b

SHA512
6c7178648dd7d5d1316f607f23bc70886404837599d1080a8a589c7b5ac45e98fc426394df238a622f94614fc4eb84ebc2d284f0a2d03aa53381bba315042d55

Download Submit
C:\stailuse.exe

Filesize
451KB

MD5
acdb53230f26df0c2a160820471edc74

SHA1
4f862f11ea5f00a355b9b728b6208c6dc06293d5

SHA256
a1f9651dda04cbbc41947826a6630bc8bdd1f13d9261399be1b6eec9ee17c865

SHA512
a01bf12c8798d04937d93975ed9d9fc65a2d767bd750062c64693d6f7ddc2ad8936d3d4cd4ef313f9b03bd073cbb7c53b60b3aab917b25eab41424f6782b7dc9

Download Submit
memory/1108-21-0x0000000000400000-0x00000000004BA016-memory.dmp

Filesize
744KB

Download
memory/2504-19-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads