modiloader | 0a0331f9887d4d9f0bfe9c27f70f5c11c79385ca05c6a6075bd2c7bf4fb18910

General

Target

cf2bbbaa0c1af1aca33ad14a5719bed0_JaffaCakes118.exe
Size

5.1MB
MD5

cf2bbbaa0c1af1aca33ad14a5719bed0
SHA1

c173454068457bbc6f66e76f0401ff46520b06c0
SHA256

0a0331f9887d4d9f0bfe9c27f70f5c11c79385ca05c6a6075bd2c7bf4fb18910
SHA512

7819d0a1b77105f3cfc03f74af50fa700d369fab268bcf444546fd7e7be04044b1a7a551d3f330ea6bccc6233a0b0ff733a040d4f6a8ddf9c8c8b69e947e1bed
SSDEEP

98304:nQvUpQW/y5O2AWmvGgob+Dw15qhvyu0fKyK0zyf:nfj/+Obn50qX0f

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/2348-16-0x0000000000400000-0x0000000000923000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	cf2bbbaa0c1af1aca33ad14a5719bed0_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3368	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf2bbbaa0c1af1aca33ad14a5719bed0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	cf2bbbaa0c1af1aca33ad14a5719bed0_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2268	vlc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3368	server.exe
3368	server.exe
3368	server.exe
3368	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2268	vlc.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2348	cf2bbbaa0c1af1aca33ad14a5719bed0_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2348	cf2bbbaa0c1af1aca33ad14a5719bed0_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2348	cf2bbbaa0c1af1aca33ad14a5719bed0_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2348	cf2bbbaa0c1af1aca33ad14a5719bed0_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2348	cf2bbbaa0c1af1aca33ad14a5719bed0_JaffaCakes118.exe
Token: 33	4796	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4796	AUDIODG.EXE
Token: 33	2268	vlc.exe
Token: SeIncBasePriorityPrivilege	2268	vlc.exe

Suspicious use of FindShellTrayWindow 20 IoCs

pid	Process
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 3368	2348	cf2bbbaa0c1af1aca33ad14a5719bed0_JaffaCakes118.exe	83
PID 2348 wrote to memory of 3368	2348	cf2bbbaa0c1af1aca33ad14a5719bed0_JaffaCakes118.exe	83
PID 2348 wrote to memory of 3368	2348	cf2bbbaa0c1af1aca33ad14a5719bed0_JaffaCakes118.exe	83
PID 3368 wrote to memory of 3456	3368	server.exe	56
PID 2348 wrote to memory of 2268	2348	cf2bbbaa0c1af1aca33ad14a5719bed0_JaffaCakes118.exe	84
PID 2348 wrote to memory of 2268	2348	cf2bbbaa0c1af1aca33ad14a5719bed0_JaffaCakes118.exe	84
PID 3368 wrote to memory of 3456	3368	server.exe	56
PID 3368 wrote to memory of 3456	3368	server.exe	56
PID 3368 wrote to memory of 3456	3368	server.exe	56
PID 3368 wrote to memory of 3456	3368	server.exe	56
PID 3368 wrote to memory of 3456	3368	server.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3456
- C:\Users\Admin\AppData\Local\Temp\cf2bbbaa0c1af1aca33ad14a5719bed0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\cf2bbbaa0c1af1aca33ad14a5719bed0_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3368
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\EYES.flv"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2268

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x444
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EYES.flv

Filesize
4.5MB

MD5
55f210db4806cb8f9b6fcc2ec216ce5e

SHA1
8d869e72690b0bb46787528d31e60576944d589a

SHA256
51d49b5df7c6751bc3f9d542bbc935f506da884090a11e9e95992f76c5afa6e9

SHA512
0c37280480f7054a73ff0594a6aa897165a0f872001448067f93b79af5fd24cf78cb93fc31450a341354d7253222975313133bda230528f156e1e3b943cd42db

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
28KB

MD5
db0352ff88fa46f9e1f9c5dc50baf9f3

SHA1
68f4c143ebc79b6f3c06335a22da8c5a93efee62

SHA256
850fc15cd4a12449476d7f850e10a424e983d9fc32a16af609777fe2bb3e60d1

SHA512
fa76097effef2f845820a92843739c97feb72b52055ba644380971a46e22f9f81045f42573e502136e9bcd6b01cdf04aa9b0e626a82f6de5b187132a3ddb844e

Download Submit
memory/2268-33-0x00007FFD686B0000-0x00007FFD686C7000-memory.dmp

Filesize
92KB

Download
memory/2268-67-0x00007FFD57290000-0x00007FFD57546000-memory.dmp

Filesize
2.7MB

Download
memory/2268-29-0x00007FFD57290000-0x00007FFD57546000-memory.dmp

Filesize
2.7MB

Download
memory/2268-57-0x00007FFD55DE0000-0x00007FFD56E90000-memory.dmp

Filesize
16.7MB

Download
memory/2268-38-0x00007FFD55DE0000-0x00007FFD56E90000-memory.dmp

Filesize
16.7MB

Download
memory/2268-39-0x00007FFD66870000-0x00007FFD668B1000-memory.dmp

Filesize
260KB

Download
memory/2268-27-0x00007FF663CA0000-0x00007FF663D98000-memory.dmp

Filesize
992KB

Download
memory/2268-28-0x00007FFD66B80000-0x00007FFD66BB4000-memory.dmp

Filesize
208KB

Download
memory/2268-36-0x00007FFD66940000-0x00007FFD66951000-memory.dmp

Filesize
68KB

Download
memory/2268-35-0x00007FFD66DA0000-0x00007FFD66DBD000-memory.dmp

Filesize
116KB

Download
memory/2268-32-0x00007FFD6A1F0000-0x00007FFD6A201000-memory.dmp

Filesize
68KB

Download
memory/2268-34-0x00007FFD66ED0000-0x00007FFD66EE1000-memory.dmp

Filesize
68KB

Download
memory/2268-40-0x00007FFD66910000-0x00007FFD66931000-memory.dmp

Filesize
132KB

Download
memory/2268-37-0x00007FFD56E90000-0x00007FFD5709B000-memory.dmp

Filesize
2.0MB

Download
memory/2268-41-0x00007FFD66850000-0x00007FFD66868000-memory.dmp

Filesize
96KB

Download
memory/2268-31-0x00007FFD6A2D0000-0x00007FFD6A2E7000-memory.dmp

Filesize
92KB

Download
memory/2268-30-0x00007FFD6E0B0000-0x00007FFD6E0C8000-memory.dmp

Filesize
96KB

Download
memory/2268-44-0x00007FFD66670000-0x00007FFD66681000-memory.dmp

Filesize
68KB

Download
memory/2268-45-0x00007FFD55670000-0x00007FFD5577E000-memory.dmp

Filesize
1.1MB

Download
memory/2268-43-0x00007FFD66810000-0x00007FFD66821000-memory.dmp

Filesize
68KB

Download
memory/2268-42-0x00007FFD66830000-0x00007FFD66841000-memory.dmp

Filesize
68KB

Download
memory/2348-16-0x0000000000400000-0x0000000000923000-memory.dmp

Filesize
5.1MB

Download
memory/2348-0-0x0000000000400000-0x0000000000923000-memory.dmp

Filesize
5.1MB

Download
memory/3368-12-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/3368-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3456-11-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/3456-17-0x000000007FFC0000-0x000000007FFC6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing