modiloader | b6194ae5a8f402884e219079d1466bd4ee928639f9fde2897d0a204b4d175352

General

Target

e89560249207a5689cddde4064c7e864_JaffaCakes118.exe
Size

3.6MB
MD5

e89560249207a5689cddde4064c7e864
SHA1

03a7139fd398b13110ac280875274b1bf736f1e1
SHA256

b6194ae5a8f402884e219079d1466bd4ee928639f9fde2897d0a204b4d175352
SHA512

7299274fc6b93f17134d0d90cd66518f46c70e3dc6b677da0cd2ab229cdbc889a65e2924f58277d1801276489be386433c9ee07a84772d99cd7cf610beb83c88
SSDEEP

98304:+RPcUW2LtV4WUAC/GrzE91Gj+kf67EZbD2VG81d:+cUW8iWUAIE/j+u6Y5wvd

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cbd-9.dat	modiloader_stage2
behavioral2/memory/4204-12-0x0000000000400000-0x00000000004BC000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	e89560249207a5689cddde4064c7e864_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
4204	1.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e89560249207a5689cddde4064c7e864_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	e89560249207a5689cddde4064c7e864_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2440	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2440	vlc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2288	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2288	AUDIODG.EXE
Token: 33	2440	vlc.exe
Token: SeIncBasePriorityPrivilege	2440	vlc.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2440	vlc.exe
2440	vlc.exe
2440	vlc.exe
2440	vlc.exe
2440	vlc.exe
2440	vlc.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2440	vlc.exe
2440	vlc.exe
2440	vlc.exe
2440	vlc.exe
2440	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2440	vlc.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 1336	4468	e89560249207a5689cddde4064c7e864_JaffaCakes118.exe	83
PID 4468 wrote to memory of 1336	4468	e89560249207a5689cddde4064c7e864_JaffaCakes118.exe	83
PID 4468 wrote to memory of 1336	4468	e89560249207a5689cddde4064c7e864_JaffaCakes118.exe	83
PID 1336 wrote to memory of 2440	1336	WScript.exe	84
PID 1336 wrote to memory of 2440	1336	WScript.exe	84
PID 1336 wrote to memory of 4204	1336	WScript.exe	85
PID 1336 wrote to memory of 4204	1336	WScript.exe	85
PID 1336 wrote to memory of 4204	1336	WScript.exe	85
PID 4204 wrote to memory of 2036	4204	1.exe	86
PID 4204 wrote to memory of 2036	4204	1.exe	86

C:\Users\Admin\AppData\Local\Temp\e89560249207a5689cddde4064c7e864_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e89560249207a5689cddde4064c7e864_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.wma"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2440
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe" /start
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4204
  - - C:\program files\internet explorer\IEXPLORE.EXE
      "C:\program files\internet explorer\IEXPLORE.EXE"
      4⤵
      PID:2036

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4cc 0x244
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe

Filesize
676KB

MD5
d4b9f90b5e2664308f32ca54329c907e

SHA1
237d42ddc532d58ead03651d7f6c8755e9599c16

SHA256
23d659868fb6fa151b3ef1202304c93a1ede4a9f27c178943fc78e8c9173c431

SHA512
ca8887849935fc5f98d20f4ae7ab6fba1cd9d2b157174c82a1915d1a6a05fa67bb20ac6ab73bc1e194009b2a5163fa2e7caa5f5fe70f76ccc0e373bb6eee05cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.vbe

Filesize
94B

MD5
9105ec99418f309deb93ec69e9108330

SHA1
53c1da2eee934f7bddc155ab857b39723744bf35

SHA256
2a61dc4cb8374fd88247c069ea2ece4b8b6cad9237f8a1fd6e68879584ac3f5a

SHA512
23d461163637efead41c8f59321c7f66a360ba2d85c74cab4b2ceeaba81bd6c051a960087948e0fb88ac812512a2e019c7a7bcb879c2902e0d3d558fb2356a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.wma

Filesize
3.3MB

MD5
240b327bdcb93918ab6eb34b0b6e6cc1

SHA1
8fe0d141414e9779e3b89f23835951888ef4fafd

SHA256
1d3a8c99184ae2cb66ab80bb57da26b3cc4c9c2f091869c67a61d3e226bc9673

SHA512
c877a7dbc3b48358f8b9bdce5b13c584bc5a223bba5b36e77f6b60b85e29e74d717a012281db357e3b05c9dda2eb8392bad21fb1ea50a453b7583e0af6373779

Download Submit
memory/2440-25-0x00007FFAD0170000-0x00007FFAD0187000-memory.dmp

Filesize
92KB

Download
memory/2440-23-0x00007FFAD30F0000-0x00007FFAD3107000-memory.dmp

Filesize
92KB

Download
memory/2440-20-0x00007FFACF400000-0x00007FFACF434000-memory.dmp

Filesize
208KB

Download
memory/2440-19-0x00007FF6A9CC0000-0x00007FF6A9DB8000-memory.dmp

Filesize
992KB

Download
memory/2440-28-0x00007FFACF350000-0x00007FFACF361000-memory.dmp

Filesize
68KB

Download
memory/2440-27-0x00007FFACF370000-0x00007FFACF38D000-memory.dmp

Filesize
116KB

Download
memory/2440-21-0x00007FFAC00B0000-0x00007FFAC0366000-memory.dmp

Filesize
2.7MB

Download
memory/2440-29-0x00007FFABFEA0000-0x00007FFAC00AB000-memory.dmp

Filesize
2.0MB

Download
memory/2440-26-0x00007FFACF3E0000-0x00007FFACF3F1000-memory.dmp

Filesize
68KB

Download
memory/2440-66-0x00007FFABEDF0000-0x00007FFABFEA0000-memory.dmp

Filesize
16.7MB

Download
memory/2440-24-0x00007FFAD04A0000-0x00007FFAD04B1000-memory.dmp

Filesize
68KB

Download
memory/2440-48-0x00007FFABEDF0000-0x00007FFABFEA0000-memory.dmp

Filesize
16.7MB

Download
memory/2440-22-0x00007FFAD5480000-0x00007FFAD5498000-memory.dmp

Filesize
96KB

Download
memory/2440-36-0x00007FFACCDD0000-0x00007FFACCDE1000-memory.dmp

Filesize
68KB

Download
memory/2440-35-0x00007FFACDE70000-0x00007FFACDE81000-memory.dmp

Filesize
68KB

Download
memory/2440-34-0x00007FFACE030000-0x00007FFACE041000-memory.dmp

Filesize
68KB

Download
memory/2440-33-0x00007FFACE5A0000-0x00007FFACE5B8000-memory.dmp

Filesize
96KB

Download
memory/2440-32-0x00007FFACF320000-0x00007FFACF341000-memory.dmp

Filesize
132KB

Download
memory/2440-31-0x00007FFACDE90000-0x00007FFACDED1000-memory.dmp

Filesize
260KB

Download
memory/2440-30-0x00007FFABEDF0000-0x00007FFABFEA0000-memory.dmp

Filesize
16.7MB

Download
memory/4204-12-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4468-18-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing