modiloader | 18e805e5e7c861daeae15010adb04b4b6a594c1f5d049ba483b8bd52053360ed

General

Target

cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe
Size

493KB
MD5

cc3beb8891eae9e320e6396c197e2e19
SHA1

965fc72e664356b7f54b308eee3abaf8ee82cda4
SHA256

18e805e5e7c861daeae15010adb04b4b6a594c1f5d049ba483b8bd52053360ed
SHA512

e4d1907cda9596bb1014fdb6e4f4afa354d273f5889fa92b16737f6928c01f26d431a2f95ad4a583a62962b39888bd00d631aaecd36fa939ff729689a8d2071e
SSDEEP

12288:9Yd+DN2QzXqUgYVhLLNO931vK1ifzNvNRR8W:KIEQzXXLLq3RMEv5

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 6 IoCs

resource	yara_rule
behavioral2/memory/1600-1-0x0000000000400000-0x0000000000426000-memory.dmp	modiloader_stage2
behavioral2/memory/4088-2-0x0000000000400000-0x0000000000480800-memory.dmp	modiloader_stage2
behavioral2/memory/1600-3-0x0000000000400000-0x0000000000426000-memory.dmp	modiloader_stage2
behavioral2/memory/1600-4-0x0000000000400000-0x0000000000426000-memory.dmp	modiloader_stage2
behavioral2/memory/1600-5-0x0000000000400000-0x0000000000426000-memory.dmp	modiloader_stage2
behavioral2/memory/1600-27-0x0000000000400000-0x0000000000426000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4068	Nashy.exe
4020	keygen.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4088 set thread context of 1600	4088	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nashy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4068	Nashy.exe
4068	Nashy.exe
4068	Nashy.exe
4068	Nashy.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 1600	4088	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	82
PID 4088 wrote to memory of 1600	4088	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	82
PID 4088 wrote to memory of 1600	4088	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	82
PID 4088 wrote to memory of 1600	4088	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	82
PID 4088 wrote to memory of 1600	4088	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	82
PID 4088 wrote to memory of 1600	4088	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	82
PID 4088 wrote to memory of 1600	4088	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	82
PID 4088 wrote to memory of 1600	4088	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	82
PID 4088 wrote to memory of 1600	4088	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	82
PID 4088 wrote to memory of 1600	4088	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	82
PID 4088 wrote to memory of 1600	4088	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	82
PID 4088 wrote to memory of 1600	4088	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	82
PID 4088 wrote to memory of 1600	4088	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	82
PID 1600 wrote to memory of 4068	1600	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	83
PID 1600 wrote to memory of 4068	1600	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	83
PID 1600 wrote to memory of 4068	1600	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	83
PID 1600 wrote to memory of 4020	1600	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	84
PID 1600 wrote to memory of 4020	1600	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	84
PID 1600 wrote to memory of 4020	1600	cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe	84
PID 4068 wrote to memory of 3596	4068	Nashy.exe	56
PID 4068 wrote to memory of 3596	4068	Nashy.exe	56
PID 4068 wrote to memory of 3596	4068	Nashy.exe	56
PID 4068 wrote to memory of 3596	4068	Nashy.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3596
- C:\Users\Admin\AppData\Local\Temp\cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Users\Admin\AppData\Local\Temp\cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\cc3beb8891eae9e320e6396c197e2e19_JaffaCakes118.exe
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\Nashy.exe
      "C:\Users\Admin\AppData\Local\Temp\Nashy.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4068
  - - C:\Users\Admin\AppData\Local\Temp\keygen.exe
      "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nashy.exe

Filesize
55KB

MD5
b866ece9263205834d134b16d8870418

SHA1
748af220968259eb89e3e703cd483fca56f203a6

SHA256
827587f1a8666a7f9351a5f9733f4886841f04e72f748f7d231a4fa103908fd8

SHA512
bdd42624de9de6d52edf20a48046a717126cb09db08c6f756ed3c78ecce59892f4723d616cf8cae3d45719ed33cefaf277e881580116e92a1a15d65dcbbbe9e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
34KB

MD5
9288a9ba08b3d9ca13f32b7583daf49e

SHA1
a80cde5b4039550faa118e7b605aba4895f847a3

SHA256
c1e52c56cf65fb0df4f1cdbd80fd9a109a0c81a83c735adfd8e190095f6e83c9

SHA512
e52ca18f977c990de03117fb80101583bfd6aa30f5ac6b0f71bb31efb991a104fdbf63a633544fe7b40eca7954a792c587ab7d011e5ed54a611eca5e4a260b29

Download Submit
memory/1600-4-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1600-27-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1600-3-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1600-5-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1600-21-0x0000000000430000-0x00000000004F9000-memory.dmp

Filesize
804KB

Download
memory/1600-1-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3596-29-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3596-30-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/4020-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4020-25-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4020-33-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4068-19-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/4088-2-0x0000000000400000-0x0000000000480800-memory.dmp

Filesize
514KB

Download
memory/4088-0-0x0000000000400000-0x0000000000480800-memory.dmp

Filesize
514KB

Download

Analysis

Sharing