modiloader | 03d596c4e2ec8536abb673e0629fc31d4c5df8863f378a1372546cd8cae7caf8

General

Target

9e20a516f7cc4eaecffcc0808b50fb64_JaffaCakes118.exe
Size

314KB
MD5

9e20a516f7cc4eaecffcc0808b50fb64
SHA1

1681838951cffa50dbb5c61bb686ecc424b24a94
SHA256

03d596c4e2ec8536abb673e0629fc31d4c5df8863f378a1372546cd8cae7caf8
SHA512

c0a5d56faa997cca2536031e0a1ce56ac0b9bb926b8e65f7e2209097453845058249e515f9a9d89fc873173af22bb916382cb3516317efea4d253cfd7a5a2776
SSDEEP

6144:TB+pgUmaidOrFsPlz67WoiAoMYC/yc2MbsLQcSQj2qzZyc76K:TgOaoyuPlzo3i7/QyfI+QRc7X

Score

10^/10

modiloader discovery execution trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	1052	mshta.exe	85

ModiLoader Second Stage 11 IoCs

resource	yara_rule
behavioral2/memory/3460-21-0x0000000000400000-0x000000000043C000-memory.dmp	modiloader_stage2
behavioral2/memory/3460-26-0x0000000000400000-0x000000000043C000-memory.dmp	modiloader_stage2
behavioral2/memory/3460-28-0x0000000003310000-0x00000000033EA000-memory.dmp	modiloader_stage2
behavioral2/memory/3460-27-0x0000000003310000-0x00000000033EA000-memory.dmp	modiloader_stage2
behavioral2/memory/3460-30-0x0000000003310000-0x00000000033EA000-memory.dmp	modiloader_stage2
behavioral2/memory/3460-32-0x0000000003310000-0x00000000033EA000-memory.dmp	modiloader_stage2
behavioral2/memory/3460-31-0x0000000003310000-0x00000000033EA000-memory.dmp	modiloader_stage2
behavioral2/memory/3460-29-0x0000000003310000-0x00000000033EA000-memory.dmp	modiloader_stage2
behavioral2/memory/3460-33-0x0000000003310000-0x00000000033EA000-memory.dmp	modiloader_stage2
behavioral2/memory/3460-34-0x0000000003310000-0x00000000033EA000-memory.dmp	modiloader_stage2
behavioral2/memory/3460-56-0x0000000003310000-0x00000000033EA000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	mshta.exe

Loads dropped DLL 1 IoCs

pid	Process
3460	9e20a516f7cc4eaecffcc0808b50fb64_JaffaCakes118.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2044	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e20a516f7cc4eaecffcc0808b50fb64_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2044	powershell.exe
2044	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	powershell.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3460	9e20a516f7cc4eaecffcc0808b50fb64_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 2044	3456	mshta.exe	87
PID 3456 wrote to memory of 2044	3456	mshta.exe	87
PID 3456 wrote to memory of 2044	3456	mshta.exe	87

C:\Users\Admin\AppData\Local\Temp\9e20a516f7cc4eaecffcc0808b50fb64_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9e20a516f7cc4eaecffcc0808b50fb64_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
PID:3460

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" javascript:cxawN3="LmO";v30q=new%20ActiveXObject("WScript.Shell");yc48inSJh="9";UL2YV=v30q.RegRead("HKCU\\software\\ftgnFgKaX\\E8R40Suyr0");j41cRbFJn="kwDgXyKq";eval(UL2YV);OPEV0d5="g";
1⤵
- Process spawned unexpected child process
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:qbjzxloh
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yelrte4a.x3d.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\contact.php

Filesize
319B

MD5
48b7875eddf3913382a3c299e84a27f1

SHA1
6a05bcea4829a70ce0e1c105d0568ac5031d3e89

SHA256
88332868551ed40475c1d8b88613910b60773ccb5760083b2037c55a21c002f5

SHA512
d5b3a2f141d07242f9b6fdb71d77b821df76edb9677a2992ddfd16f242afc9df12ce5ae0dbd4c029d1c9dd7dc92b4069467c0ee4816c61e1693c46a8857d4a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvAD0B.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\privacy_policy.php

Filesize
3KB

MD5
dab2f129c75c2369479d341a4f754e52

SHA1
b88958b6379579bd380661ed83625114a41c1a5b

SHA256
136ac48f0f2c86d9ba706455349703f76b9097271e8c61c94efa00a882ffc985

SHA512
63058fd68daf8f02b4e0d7dea32ce8fb9fd456188878ebbe626bc354a394a8ca16f7aec2617d585e6e799801058775c29c6c08891fa77b05de857d409762e87e

Download Submit
memory/2044-53-0x0000000007B10000-0x000000000818A000-memory.dmp

Filesize
6.5MB

Download
memory/2044-52-0x00000000063B0000-0x00000000063FC000-memory.dmp

Filesize
304KB

Download
memory/2044-36-0x0000000002C50000-0x0000000002C86000-memory.dmp

Filesize
216KB

Download
memory/2044-51-0x0000000006370000-0x000000000638E000-memory.dmp

Filesize
120KB

Download
memory/2044-50-0x0000000005EA0000-0x00000000061F4000-memory.dmp

Filesize
3.3MB

Download
memory/2044-54-0x0000000007420000-0x000000000743A000-memory.dmp

Filesize
104KB

Download
memory/2044-40-0x0000000005E30000-0x0000000005E96000-memory.dmp

Filesize
408KB

Download
memory/2044-39-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/2044-38-0x00000000055E0000-0x0000000005602000-memory.dmp

Filesize
136KB

Download
memory/2044-37-0x0000000005790000-0x0000000005DB8000-memory.dmp

Filesize
6.2MB

Download
memory/3460-28-0x0000000003310000-0x00000000033EA000-memory.dmp

Filesize
872KB

Download
memory/3460-34-0x0000000003310000-0x00000000033EA000-memory.dmp

Filesize
872KB

Download
memory/3460-33-0x0000000003310000-0x00000000033EA000-memory.dmp

Filesize
872KB

Download
memory/3460-29-0x0000000003310000-0x00000000033EA000-memory.dmp

Filesize
872KB

Download
memory/3460-31-0x0000000003310000-0x00000000033EA000-memory.dmp

Filesize
872KB

Download
memory/3460-32-0x0000000003310000-0x00000000033EA000-memory.dmp

Filesize
872KB

Download
memory/3460-30-0x0000000003310000-0x00000000033EA000-memory.dmp

Filesize
872KB

Download
memory/3460-27-0x0000000003310000-0x00000000033EA000-memory.dmp

Filesize
872KB

Download
memory/3460-26-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3460-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3460-19-0x0000000003030000-0x000000000306B000-memory.dmp

Filesize
236KB

Download
memory/3460-55-0x0000000003030000-0x000000000306B000-memory.dmp

Filesize
236KB

Download
memory/3460-56-0x0000000003310000-0x00000000033EA000-memory.dmp

Filesize
872KB

Download

Analysis

Sharing