modiloader | dabd800fc600631531e376672bd68bbc64e05fecaa9d9c051bf0e1e4816a1eae

General

Target

c38b6531d904c46ccd2a2a1cf9e80543_JaffaCakes118.exe
Size

76KB
MD5

c38b6531d904c46ccd2a2a1cf9e80543
SHA1

a7b8c818099d694ce4f3ed0be90fbe1a6eb8e564
SHA256

dabd800fc600631531e376672bd68bbc64e05fecaa9d9c051bf0e1e4816a1eae
SHA512

16df39b6d2ffc353b2e8a66a8bf45ae9373660fbd4a9a2c6f95c13230a64da0ddeef616798edcf5c6354cccf8ea86a3f62de175def36660c7c1839f4d42a865a
SSDEEP

1536:5K8ddtt1FFxxVToOBz0WlZnbMLJhUUKJ3zzj1w:5K8dJDJDMLJh+ZzzB

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b9a-4.dat	modiloader_stage2
behavioral2/memory/1520-7-0x0000000000400000-0x000000000041A000-memory.dmp	modiloader_stage2
behavioral2/memory/1116-18-0x0000000000400000-0x0000000000417000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	c38b6531d904c46ccd2a2a1cf9e80543_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sex tup yoop egfhhyjewkkksex..mp4jdjjgfffvcsexcvsrghejkeyysgsdff563d2d3s3s3sssssssss3s3333333sd2fdfredgkiieruieueuiiiukjkhjjhijugyugwggdffgfhjuhyueij.3pghdhgygdywegt.exe

Executes dropped EXE 2 IoCs

pid	Process
1116	sex tup yoop egfhhyjewkkksex..mp4jdjjgfffvcsexcvsrghejkeyysgsdff563d2d3s3s3sssssssss3s3333333sd2fdfredgkiieruieueuiiiukjkhjjhijugyugwggdffgfhjuhyueij.3pghdhgygdywegt.exe
784	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c38b6531d904c46ccd2a2a1cf9e80543_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sex tup yoop egfhhyjewkkksex..mp4jdjjgfffvcsexcvsrghejkeyysgsdff563d2d3s3s3sssssssss3s3333333sd2fdfredgkiieruieueuiiiukjkhjjhijugyugwggdffgfhjuhyueij.3pghdhgygdywegt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
784	server.exe
784	server.exe
784	server.exe
784	server.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1116	1520	c38b6531d904c46ccd2a2a1cf9e80543_JaffaCakes118.exe	82
PID 1520 wrote to memory of 1116	1520	c38b6531d904c46ccd2a2a1cf9e80543_JaffaCakes118.exe	82
PID 1520 wrote to memory of 1116	1520	c38b6531d904c46ccd2a2a1cf9e80543_JaffaCakes118.exe	82
PID 1116 wrote to memory of 784	1116	sex tup yoop egfhhyjewkkksex..mp4jdjjgfffvcsexcvsrghejkeyysgsdff563d2d3s3s3sssssssss3s3333333sd2fdfredgkiieruieueuiiiukjkhjjhijugyugwggdffgfhjuhyueij.3pghdhgygdywegt.exe	83
PID 1116 wrote to memory of 784	1116	sex tup yoop egfhhyjewkkksex..mp4jdjjgfffvcsexcvsrghejkeyysgsdff563d2d3s3s3sssssssss3s3333333sd2fdfredgkiieruieueuiiiukjkhjjhijugyugwggdffgfhjuhyueij.3pghdhgygdywegt.exe	83
PID 1116 wrote to memory of 784	1116	sex tup yoop egfhhyjewkkksex..mp4jdjjgfffvcsexcvsrghejkeyysgsdff563d2d3s3s3sssssssss3s3333333sd2fdfredgkiieruieueuiiiukjkhjjhijugyugwggdffgfhjuhyueij.3pghdhgygdywegt.exe	83
PID 784 wrote to memory of 3532	784	server.exe	56
PID 784 wrote to memory of 3532	784	server.exe	56
PID 784 wrote to memory of 3532	784	server.exe	56
PID 784 wrote to memory of 3532	784	server.exe	56
PID 784 wrote to memory of 3532	784	server.exe	56
PID 784 wrote to memory of 3532	784	server.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3532
- C:\Users\Admin\AppData\Local\Temp\c38b6531d904c46ccd2a2a1cf9e80543_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c38b6531d904c46ccd2a2a1cf9e80543_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\sex tup yoop egfhhyjewkkksex..mp4jdjjgfffvcsexcvsrghejkeyysgsdff563d2d3s3s3sssssssss3s3333333sd2fdfredgkiieruieueuiiiukjkhjjhijugyugwggdffgfhjuhyueij.3pghdhgygdywegt.exe
    "C:\Users\Admin\AppData\Local\Temp\sex tup yoop egfhhyjewkkksex..mp4jdjjgfffvcsexcvsrghejkeyysgsdff563d2d3s3s3sssssssss3s3333333sd2fdfredgkiieruieueuiiiukjkhjjhijugyugwggdffgfhjuhyueij.3pghdhgygdywegt.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
28KB

MD5
7ef4a9f4cffd05a1da4d543e4c19f43c

SHA1
54e7f8f2718a7475f16339c8c77bc975fac5b4c0

SHA256
88c753f12dcf7828b287a67dd343d26ab176a9cbe489096c2c429075069aaa3c

SHA512
ea50b2fe27e2343511be18414b5053ca94056b6dfe48b99a55e4be56218cdcb2e274df3d8a3c07a41eaa210bc35e292f4f0c2d466b24b657becb009bbbc7e06d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sex tup yoop egfhhyjewkkksex..mp4jdjjgfffvcsexcvsrghejkeyysgsdff563d2d3s3s3sssssssss3s3333333sd2fdfredgkiieruieueuiiiukjkhjjhijugyugwggdffgfhjuhyueij.3pghdhgygdywegt.exe

Filesize
63KB

MD5
d512a69ee8bd7d9745d6809c31b5f936

SHA1
6a9eeadc3b184cc74bbd2a53de1a11a6993b43a6

SHA256
505de7dc0b7ceda2443b3a172000874a986b3923cdf15fc609bd13b8fb48442a

SHA512
31b813ea298e8d6456fba585bbd0b582f628fce5860919c4589097965c61daefaf6f983c66b3648ef63344a636bbdccf14d91ee544f8417d74ada6d813428f65

Download Submit
memory/784-17-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/784-20-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/784-28-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/784-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1116-18-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1520-7-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3532-21-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/3532-23-0x000000007FFC0000-0x000000007FFC6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing