modiloader | dc1e362c5a4d1f149b899055345e1918c35dc17ebfcd3586739e9f1820270138

General

Target

e189768c394785e0604c98b9dad150d9_JaffaCakes118.exe
Size

180KB
MD5

e189768c394785e0604c98b9dad150d9
SHA1

a60a6b7b228ea4c680ef49f46ffd385a43e66b8d
SHA256

dc1e362c5a4d1f149b899055345e1918c35dc17ebfcd3586739e9f1820270138
SHA512

427776eafc10c2ced5e9f074d00b306b7ea840daf301f6c0e2b0d04bc398829c243c8cb094482057e86064920641ab145621311f71389d0e4ab31ca19fdc0ef4
SSDEEP

3072:IRorUPEGTTYJ8J19b6ue97KlQ1YUhSTJqIoH5vcuy1qiMwP0bCbX:S3PEG/Y2JGL97j1YUhSiZvcuy/MwPOkX

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b94-15.dat	modiloader_stage2
behavioral2/memory/2868-26-0x0000000020000000-0x0000000020047000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	e189768c394785e0604c98b9dad150d9_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	auto2.exe

Executes dropped EXE 4 IoCs

pid	Process
2868	auto2.exe
408	auto2.exe
3192	AutoClick Rosa!.exe
1472	auto.exe

Loads dropped DLL 2 IoCs

pid	Process
2664	e189768c394785e0604c98b9dad150d9_JaffaCakes118.exe
2664	e189768c394785e0604c98b9dad150d9_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\aplib.dll	e189768c394785e0604c98b9dad150d9_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2868 set thread context of 408	2868	auto2.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e189768c394785e0604c98b9dad150d9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	auto2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	auto2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClick Rosa!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	auto.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
408	auto2.exe
408	auto2.exe
408	auto2.exe
408	auto2.exe
408	auto2.exe
408	auto2.exe
408	auto2.exe
408	auto2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2664	e189768c394785e0604c98b9dad150d9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2868	2664	e189768c394785e0604c98b9dad150d9_JaffaCakes118.exe	85
PID 2664 wrote to memory of 2868	2664	e189768c394785e0604c98b9dad150d9_JaffaCakes118.exe	85
PID 2664 wrote to memory of 2868	2664	e189768c394785e0604c98b9dad150d9_JaffaCakes118.exe	85
PID 2868 wrote to memory of 408	2868	auto2.exe	86
PID 2868 wrote to memory of 408	2868	auto2.exe	86
PID 2868 wrote to memory of 408	2868	auto2.exe	86
PID 2868 wrote to memory of 408	2868	auto2.exe	86
PID 2868 wrote to memory of 408	2868	auto2.exe	86
PID 408 wrote to memory of 3192	408	auto2.exe	88
PID 408 wrote to memory of 3192	408	auto2.exe	88
PID 408 wrote to memory of 3192	408	auto2.exe	88
PID 408 wrote to memory of 1472	408	auto2.exe	89
PID 408 wrote to memory of 1472	408	auto2.exe	89
PID 408 wrote to memory of 1472	408	auto2.exe	89

C:\Users\Admin\AppData\Local\Temp\e189768c394785e0604c98b9dad150d9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e189768c394785e0604c98b9dad150d9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\auto2.exe
  "C:\Users\Admin\AppData\Local\Temp\auto2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\auto2.exe
    C:\Users\Admin\AppData\Local\Temp\auto2.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Users\Admin\AppData\Local\Temp\AutoClick Rosa!.exe
      "C:\Users\Admin\AppData\Local\Temp\AutoClick Rosa!.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3192
  - - C:\Users\Admin\AppData\Local\Temp\auto.exe
      "C:\Users\Admin\AppData\Local\Temp\auto.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AutoClick Rosa!.exe

Filesize
65KB

MD5
09025bc1e7c88c1062e045d5c07e6c56

SHA1
7a464d43fff97f144317ee72a72319c0786f4c5c

SHA256
551a9db30d691fa19ef3a3a334c6a5297945229556b4bdfce47ff911c5aa29c4

SHA512
9ff91c6f0779893515b9b12a465bda5d176e43d654b12a832e23adb07bbce2e430ae55381928be9befe349da45d2911d70bb3a1f3ac4b94cece3d27276ccd408

Download Submit
C:\Users\Admin\AppData\Local\Temp\auto.exe

Filesize
74KB

MD5
3a3f6bfa98d790d788bb36357cbbc7d8

SHA1
025649c314e9fa30c1b8a44a582a77b6175b680b

SHA256
259d623c4d5a3e03a88737d5d70eb75284c676b90fbaf48a03042b661b58aaff

SHA512
857042f4dbe326b6d31e80076fb48d58f900c570103ac5ea368d7c9b77fa93deef49956553d005a02a4222cb74dbcfec04e759460277710bf39f8eb0e1654e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\auto2.exe

Filesize
257KB

MD5
6360dc57fe3ab5f4cac5e3911cf7975a

SHA1
f1a5afc891b7bd72a0fea85c2a22e27d3dddf537

SHA256
c6ed427e4058260833f10e94cf99c09e5d26590813903ee4ac97031b3ca79ccc

SHA512
d6a57fe5fc04a7597fa6915736c0ddd67a87b705a0868dc4c5e2e5265dede32302f662df6d52ff002179b415761afe2332ed2a4d70576108ad82e137c3076dfc

Download Submit
C:\Windows\SysWOW64\aplib.dll

Filesize
12KB

MD5
35d174edd3c0bcfa9a32dce19e1abeb9

SHA1
c22638e64f8a5f34809811a2c286ae2f115028f8

SHA256
34194aa58d0eb70b513ea6a876a4f35ba6cc2f19c4fb6d408dd05580dcc74b04

SHA512
f807df3655e6dd0cea2412ae82aa7b3babe3862fa9eee5d38673ee30b26a528b9618e1a25d3a58ef1ff14be36a666fabd32968b5f4dc481539d2372b526c1ead

Download Submit
memory/408-52-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/408-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/408-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/408-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/408-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2868-20-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2868-19-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2868-26-0x0000000020000000-0x0000000020047000-memory.dmp

Filesize
284KB

Download
memory/2868-21-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/3192-53-0x0000000073552000-0x0000000073553000-memory.dmp

Filesize
4KB

Download
memory/3192-54-0x0000000073550000-0x0000000073B01000-memory.dmp

Filesize
5.7MB

Download
memory/3192-55-0x0000000073550000-0x0000000073B01000-memory.dmp

Filesize
5.7MB

Download
memory/3192-56-0x0000000073552000-0x0000000073553000-memory.dmp

Filesize
4KB

Download
memory/3192-57-0x0000000073550000-0x0000000073B01000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing