modiloader | c10bb54564195c206caead5d150e2e93bafd48b00c3388d29ba39bdbdd750425

General

Target

c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe
Size

336KB
MD5

c3c7fa161970b2bb3d91c44500c0e706
SHA1

674bd54a273618fd9f068bbbce8f7ea794c3735d
SHA256

c10bb54564195c206caead5d150e2e93bafd48b00c3388d29ba39bdbdd750425
SHA512

bcefd70804a9960621db9136bda8b502a458411e77bed2765753b8efa45ffed884c0f09e732b95367d40be1f3e43d29b2b0c85619fc7f3935d2b85692f102561
SSDEEP

6144:99uWL0gh/mIHFDPi8zbB8Wmxi16FRQ1Sm//JKbGIi8/ylvEWOvLd49lHWhYBZ:99tL0gh/mMFDp6Wmxi8FRwJAbHjylvEg

Score

10^/10

modiloader defense_evasion discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral2/files/0x000e000000023a6a-18.dat	modiloader_stage2
behavioral2/memory/888-27-0x0000000000400000-0x0000000000448000-memory.dmp	modiloader_stage2
behavioral2/memory/768-43-0x0000000000400000-0x0000000000433000-memory.dmp	modiloader_stage2
behavioral2/memory/768-55-0x0000000000400000-0x0000000000433000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	NickChange-1.5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	win2-v2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	win7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	win2-v25.exe

Executes dropped EXE 5 IoCs

pid	Process
624	semoo.exe
888	win2-v25.exe
4348	NickChange-1.5.exe
768	win2-v2.exe
3004	win7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	semoo.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\NickChange-1.5.plsc	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe
File opened for modification	C:\Program Files\win2-v2.exe	NickChange-1.5.exe
File created	C:\Program Files\__tmp_rar_sfx_access_check_240609343	NickChange-1.5.exe
File opened for modification	C:\Program Files\NickChange-1.5.plsc	NickChange-1.5.exe
File created	C:\Program Files\win2-v2.exe	NickChange-1.5.exe
File created	C:\Program Files\__tmp_rar_sfx_access_check_240608531	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe
File opened for modification	C:\Program Files\NickChange-1.5.plsc	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe
File created	C:\Program Files\semoo.exe	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe
File opened for modification	C:\Program Files\semoo.exe	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\C (5).exe:Zone.Identifier	win7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win2-v25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NickChange-1.5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win2-v2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	semoo.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	NickChange-1.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	win7.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	win7.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\C (5).exe:Zone.Identifier	win7.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2008	OpenWith.exe
3004	win7.exe
5084	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 624	812	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe	84
PID 812 wrote to memory of 624	812	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe	84
PID 812 wrote to memory of 624	812	c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe	84
PID 624 wrote to memory of 888	624	semoo.exe	86
PID 624 wrote to memory of 888	624	semoo.exe	86
PID 624 wrote to memory of 888	624	semoo.exe	86
PID 888 wrote to memory of 4348	888	win2-v25.exe	87
PID 888 wrote to memory of 4348	888	win2-v25.exe	87
PID 888 wrote to memory of 4348	888	win2-v25.exe	87
PID 4348 wrote to memory of 768	4348	NickChange-1.5.exe	88
PID 4348 wrote to memory of 768	4348	NickChange-1.5.exe	88
PID 4348 wrote to memory of 768	4348	NickChange-1.5.exe	88
PID 768 wrote to memory of 3004	768	win2-v2.exe	90
PID 768 wrote to memory of 3004	768	win2-v2.exe	90
PID 768 wrote to memory of 3004	768	win2-v2.exe	90

C:\Users\Admin\AppData\Local\Temp\c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c3c7fa161970b2bb3d91c44500c0e706_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:812
- C:\Program Files\semoo.exe
  "C:\Program Files\semoo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\win2-v25.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\win2-v25.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Users\Admin\AppData\Local\Temp\NickChange-1.5.exe
      "C:\Users\Admin\AppData\Local\Temp\NickChange-1.5.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Program Files\win2-v2.exe
        
        "C:\Program Files\win2-v2.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:768
      - C:\Users\Admin\AppData\Local\Temp\win7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\win7.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Subvert Trust Controls: Mark-of-the-Web Bypass
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:3004

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2008

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\NickChange-1.5.plsc

Filesize
8KB

MD5
ac9ce25e4e0d40c5b3ee3babc56d0262

SHA1
10f1df059cb62a3d103a45de49cbd9889b9b51bb

SHA256
1a5649177b150bcf8673d191b2f20b05deb00eff13ab4b63ed710de2b7c05b0a

SHA512
76d4e1606740e64599d5d5de44f9a01766f0b6a03efc73d776c41603cda8215957050538508aa6914d9650d521246b3345996e064b796da26cf4243799cffb50

Download Submit
C:\Program Files\semoo.exe

Filesize
292KB

MD5
c71cbb29e7992dcfc63303d55f710019

SHA1
60a42b969dec8d6e456723df29d301fef0cd432b

SHA256
41e278db377e0d08dcb0399477436bdbb29407384620cfc7ea373a9c144692d8

SHA512
1244723886990484bf165e0a3e459e7c1c060294e760df04e169088b7c78767ad2d91075774c6b6aeab80d6e7f2766776052efa58d14d53bdb47498b3d86b180

Download Submit
C:\Program Files\win2-v2.exe

Filesize
96KB

MD5
1a1ce4531faac5f46173274edf33c956

SHA1
d3e4264660e6115a7811d4c906d3aa9d6f1ab77d

SHA256
1d6664e69e02252fad0013c293f8c9bc5a771742fed00b14129bd9ee6df61e89

SHA512
e1680a55e6df3c81ca0ab037d1036b2aa85c9abda1e35bd90c1cbfcb2d7912af355aea25c13a296fa507a7485a2da8b39b7616fbafbe4dda637cbae3dc9e8c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C (5).exe

Filesize
29KB

MD5
bf1fcccb5ecccd54b525170a1557247f

SHA1
e25a2b16a0d69d9f1ce1e33614ceb05a75d1e448

SHA256
f2a882499fce786cf5babe5625f34030e5d0cdf8522c8ab8005020f84824c60c

SHA512
d81c676cabbe137bfd2837f2543f8dc84964d8d6175ec94a9ca3de4c3848dad03b0656c7229f31bb61a376802e39094a12f43cdc9e00aac11ed298bf6a1bbffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\win2-v25.exe

Filesize
260KB

MD5
518bc2c7dfb237900d902d76442d9e6b

SHA1
7c9d7df603a55f744e5bdeebddcb653e7183265d

SHA256
a2e261b72a916ea8587a8ecab801165d46c0315a0934992b9bed7079abbe9ead

SHA512
ab98b6cc3d3cdc9cd2771fbad5fc3db546a99905e86c2fcf8ee7007f644530fe9f2a8dea24b1d32d6f9998bcf2caf7c8e19ae29069e999b0aeca748e7e769115

Download Submit
C:\Users\Admin\AppData\Local\Temp\NickChange-1.5.exe

Filesize
152KB

MD5
6abb97927cc7dc8ebb02cf68d5f66219

SHA1
1ad170c2479961afe01632203a41144c55afca0e

SHA256
5ed00e6e6290d4ef2cbd7116717dfbd75c48b424b6851becc5e2c038d0dc403a

SHA512
e159ec2e9ead40a8bd8ce8f69a55b6c62ebd3da9cee502a2368528164dd7fe9aad5c9a53f405318ae467529c75feac91a45444152938fef5e1dc229cb90d299c

Download Submit
C:\Users\Admin\AppData\Local\Temp\win7.exe

Filesize
100KB

MD5
f6943c2df5bcfbd8ae2d666193961a23

SHA1
7af6d39e7366d162ca6fc207f948f32dece71b46

SHA256
7cb411b7d2c90621b7dc15202bacb3b1e8c064ad01308b47fdb652bea6e4a059

SHA512
037fb67f4e98f3aa9de3bbc8e55c3add3979b4d629369ebab65b2e9054fa829c552cfa8f305373c1654836589a72d0a41003fd0d8171c458650eb020144113a0

Download Submit
memory/768-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-27-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads