modiloader | b1925f44345d9f742e63320c812839c5cf6f2938da0262b6e153bac22fefa5a2

General

Target

de4647924f965d6eac627712b5135de9_JaffaCakes118.exe
Size

373KB
MD5

de4647924f965d6eac627712b5135de9
SHA1

90af1a55a113ceb135a7b07de86820a2871e5804
SHA256

b1925f44345d9f742e63320c812839c5cf6f2938da0262b6e153bac22fefa5a2
SHA512

66a35ec351de0de6b383b82be295b16ed1b3086300dc9c1d71d85ba7df455944b054c04ddc445ede2bd27cb92454717757ede54498c875fe0615ec7b1c1e5326
SSDEEP

6144:0Vs61FDrfb139bFDMbtw7C6iKlve+eJq8pp3f/0RS2rmlcNMn9okhizy03y14:Unf13xFZ7OK1kq8bf/0RWCR3zy0C2

Score

10^/10

modiloader discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 15 IoCs

resource	yara_rule
behavioral2/memory/4720-33-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4748-38-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4748-37-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4748-40-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4748-42-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4748-44-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4748-46-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4748-48-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4748-50-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4748-52-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4748-54-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4748-56-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4748-58-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4748-60-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4748-62-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	de4647924f965d6eac627712b5135de9_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	mod_sa_by_fyp.43.1.0_0.3e.exe

Executes dropped EXE 3 IoCs

pid	Process
4720	mod_sa_by_fyp.43.1.0_0.3e.exe
3436	easy hack.exe
4748	winmouse.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win32loader = "C:\\Users\\Admin\\AppData\\Local\\winmouse.exe"	winmouse.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023c98-4.dat	upx
behavioral2/memory/4720-12-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-13.dat	upx
behavioral2/memory/3436-22-0x0000000000400000-0x0000000000532000-memory.dmp	upx
behavioral2/memory/4720-33-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/3436-34-0x0000000000400000-0x0000000000532000-memory.dmp	upx
behavioral2/memory/4748-38-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4748-37-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4748-40-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4748-42-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4748-44-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4748-46-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4748-48-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4748-50-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4748-52-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4748-54-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4748-56-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4748-58-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4748-60-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral2/memory/4748-62-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de4647924f965d6eac627712b5135de9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mod_sa_by_fyp.43.1.0_0.3e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	easy hack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winmouse.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4748	winmouse.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 4720	4684	de4647924f965d6eac627712b5135de9_JaffaCakes118.exe	84
PID 4684 wrote to memory of 4720	4684	de4647924f965d6eac627712b5135de9_JaffaCakes118.exe	84
PID 4684 wrote to memory of 4720	4684	de4647924f965d6eac627712b5135de9_JaffaCakes118.exe	84
PID 4684 wrote to memory of 3436	4684	de4647924f965d6eac627712b5135de9_JaffaCakes118.exe	85
PID 4684 wrote to memory of 3436	4684	de4647924f965d6eac627712b5135de9_JaffaCakes118.exe	85
PID 4684 wrote to memory of 3436	4684	de4647924f965d6eac627712b5135de9_JaffaCakes118.exe	85
PID 4720 wrote to memory of 4748	4720	mod_sa_by_fyp.43.1.0_0.3e.exe	86
PID 4720 wrote to memory of 4748	4720	mod_sa_by_fyp.43.1.0_0.3e.exe	86
PID 4720 wrote to memory of 4748	4720	mod_sa_by_fyp.43.1.0_0.3e.exe	86

C:\Users\Admin\AppData\Local\Temp\de4647924f965d6eac627712b5135de9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de4647924f965d6eac627712b5135de9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Users\Admin\AppData\Local\Temp\mod_sa_by_fyp.43.1.0_0.3e.exe
  "C:\Users\Admin\AppData\Local\Temp\mod_sa_by_fyp.43.1.0_0.3e.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Users\Admin\AppData\Local\winmouse.exe
    "C:\Users\Admin\AppData\Local\winmouse.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:4748
- C:\Users\Admin\AppData\Local\Temp\easy hack.exe
  "C:\Users\Admin\AppData\Local\Temp\easy hack.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\easy hack.exe

Filesize
351KB

MD5
8a269ea56f2753dcf4355c7092782986

SHA1
cb7a075ed9b8b4da0954dac23531d83da3789894

SHA256
956a24e3043659e90b070e53c19f1ea2077e3d5c08a37ed63682600db4430ebd

SHA512
ce6a306fda60676e0acc557a8693ad907c1f56db7cc29ea0c378593f5337b727b190cda47108bffcb2cf84ec5489816a4f582bf751c72de554ea93035d475ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mod_sa_by_fyp.43.1.0_0.3e.exe

Filesize
17KB

MD5
cfcc4f645a5319a4699a625e05b1fc7e

SHA1
8e2519efd7669dfa4a03740cabe9b09e79a6382b

SHA256
78c76c6165021c2a6740cdddeabd67778565cd9e5627ab6c574c53c066ab3114

SHA512
51e484410fa5f563888aae506042326514dfeffe95c650526a4cae0817a98be9f140e89b7bb7826e1dfdecd2cf59fff12748eacef142dc4df0bbdcf46625a4d5

Download Submit
memory/3436-22-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/3436-23-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/3436-34-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/3436-35-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/4720-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4720-33-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4748-40-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4748-50-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4748-38-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4748-42-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4748-44-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4748-46-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4748-48-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4748-37-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4748-52-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4748-54-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4748-56-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4748-58-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4748-60-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4748-62-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads