modiloader | c0068ed0fc424d0ee1e2289e4a193c5bf59cb2f4c1554f6a1cae07afcfae3045

General

Target

a3e52dd9e070867e0b73aa46889a07ac_JaffaCakes118.exe
Size

121KB
MD5

a3e52dd9e070867e0b73aa46889a07ac
SHA1

dc0641953ef61c28735472028d6b63f812777987
SHA256

c0068ed0fc424d0ee1e2289e4a193c5bf59cb2f4c1554f6a1cae07afcfae3045
SHA512

648011c60442b0da6354ee510f64a75489f76b14bdc0485b786bae305845ac4cfd6616655674668ce8b7a538b7f86f11989afa9658b2d4cf114f98c1b2eb7670
SSDEEP

1536:hNyF6t22nmHjy9xh4Z/O8I9dtt1LAjkKhiqk+VZGq67mmbXt+VXHX6XdWOj8s:hEElYQxqdO8WJU5PGhb9+VXKgOj8s

Score

10^/10

modiloader discovery trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c97-16.dat	modiloader_stage2
behavioral2/memory/2304-23-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/1548-31-0x0000000000400000-0x0000000000418000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	a3e52dd9e070867e0b73aa46889a07ac_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2688	proxy NeW.exe
1548	proXy.exe
4856	proxy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2688 set thread context of 4856	2688	proxy NeW.exe	87

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000d000000023b7c-4.dat	upx
behavioral2/memory/2688-13-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2688-28-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2888	4856	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3e52dd9e070867e0b73aa46889a07ac_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	proxy NeW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	proXy.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2688	proxy NeW.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2688	2304	a3e52dd9e070867e0b73aa46889a07ac_JaffaCakes118.exe	85
PID 2304 wrote to memory of 2688	2304	a3e52dd9e070867e0b73aa46889a07ac_JaffaCakes118.exe	85
PID 2304 wrote to memory of 2688	2304	a3e52dd9e070867e0b73aa46889a07ac_JaffaCakes118.exe	85
PID 2304 wrote to memory of 1548	2304	a3e52dd9e070867e0b73aa46889a07ac_JaffaCakes118.exe	86
PID 2304 wrote to memory of 1548	2304	a3e52dd9e070867e0b73aa46889a07ac_JaffaCakes118.exe	86
PID 2304 wrote to memory of 1548	2304	a3e52dd9e070867e0b73aa46889a07ac_JaffaCakes118.exe	86
PID 2688 wrote to memory of 4856	2688	proxy NeW.exe	87
PID 2688 wrote to memory of 4856	2688	proxy NeW.exe	87
PID 2688 wrote to memory of 4856	2688	proxy NeW.exe	87
PID 2688 wrote to memory of 4856	2688	proxy NeW.exe	87
PID 2688 wrote to memory of 4856	2688	proxy NeW.exe	87
PID 2688 wrote to memory of 4856	2688	proxy NeW.exe	87
PID 2688 wrote to memory of 4856	2688	proxy NeW.exe	87

C:\Users\Admin\AppData\Local\Temp\a3e52dd9e070867e0b73aa46889a07ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a3e52dd9e070867e0b73aa46889a07ac_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\proxy NeW.exe
  "C:\Users\Admin\AppData\Local\Temp\proxy NeW.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\proxy.exe
    C:\Users\Admin\AppData\Local\Temp\proxy NeW.exe
    3⤵
    - Executes dropped EXE
    PID:4856
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 188
      4⤵
      Program crash
      PID:2888
- C:\Users\Admin\AppData\Local\Temp\proXy.exe
  "C:\Users\Admin\AppData\Local\Temp\proXy.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4856 -ip 4856
1⤵
PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\proXy.exe

Filesize
67KB

MD5
125958ddfe58b7a5c792450cc10d3c47

SHA1
d12ae5d5b969f649aa641cba63963a606c39a1a3

SHA256
648e28a86e9bd49a1db86fc3a425b5cb29346df5e1836964c6a171a30b678eb6

SHA512
f9d6f9358bd0bc447483943dfcfc48f95762346f4484bfcb5ad9a47ae0cc09dc5ca437d2376c0aac79f253cc6a879c053abf0b09a20382aafd25da89132c823e

Download Submit
C:\Users\Admin\AppData\Local\Temp\proxy NeW.exe

Filesize
28KB

MD5
67a91d0dbd67f95bc14784a8a2e080b5

SHA1
691f5dd5dd0eb1011856af7078f13ebf81cd1443

SHA256
2e9effcae960bb8543269b1c49b911bc35091bb40b955ee46e4543a4f2d156f6

SHA512
302123a0201f7703cd2fa63c23e9fce03bfbda4d06317f8565f36bf1c3d907b261f8b768b2e15e591a5ca5b225ba14472987041e160f214e3226257eecfb1a03

Download Submit
memory/1548-31-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2304-23-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2688-13-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2688-28-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4856-26-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4856-22-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4856-27-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4856-30-0x0000000000400000-0x0000000000402200-memory.dmp

Filesize
8KB

Download

Analysis

Sharing