modiloader | 2df20f4c1df335e0d97e92a6c2b5e9d5f927ec55fc2c31490f7f025d0ebb2936

General

Target

f202bf634484e0cb9c3b9f92170e4a9c_JaffaCakes118.exe
Size

748KB
MD5

f202bf634484e0cb9c3b9f92170e4a9c
SHA1

a3369e0d10839cd0709f8f86ebacc24574a85dcb
SHA256

2df20f4c1df335e0d97e92a6c2b5e9d5f927ec55fc2c31490f7f025d0ebb2936
SHA512

105e560172f0a6e7b9219d21ae879137f8a244fcaf6340e5adba1f9f2bda94893e0e15a5cbb5c51125e81e62d346a56a98ee5765201c90ee2022f5036e3ae98a
SSDEEP

12288:a4uS9dPsdgcpSoFv9gH9/sCaKSc9D1gtje5UkxX4PROZ32h1Jkk7w3y909:aPE2SYvWHxHf59xgtje5resGjJD7w3yW

Score

10^/10

modiloader credential_access discovery persistence spyware stealer trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/3588-37-0x0000000000400000-0x0000000000475000-memory.dmp	modiloader_stage2
behavioral2/memory/2284-62-0x0000000000400000-0x0000000000475000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DRIVER~3.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DRIVER~3.EXE

Executes dropped EXE 4 IoCs

pid	Process
3588	DRIVER~3.EXE
3420	3d driving shool.exe
2284	DRIVER~3.EXE
4356	3d driving shool.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f202bf634484e0cb9c3b9f92170e4a9c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f202bf634484e0cb9c3b9f92170e4a9c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DRIVER~3.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d driving shool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DRIVER~3.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d driving shool.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 3588	4280	f202bf634484e0cb9c3b9f92170e4a9c_JaffaCakes118.exe	83
PID 4280 wrote to memory of 3588	4280	f202bf634484e0cb9c3b9f92170e4a9c_JaffaCakes118.exe	83
PID 4280 wrote to memory of 3588	4280	f202bf634484e0cb9c3b9f92170e4a9c_JaffaCakes118.exe	83
PID 3588 wrote to memory of 3420	3588	DRIVER~3.EXE	84
PID 3588 wrote to memory of 3420	3588	DRIVER~3.EXE	84
PID 3588 wrote to memory of 3420	3588	DRIVER~3.EXE	84
PID 4280 wrote to memory of 2284	4280	f202bf634484e0cb9c3b9f92170e4a9c_JaffaCakes118.exe	85
PID 4280 wrote to memory of 2284	4280	f202bf634484e0cb9c3b9f92170e4a9c_JaffaCakes118.exe	85
PID 4280 wrote to memory of 2284	4280	f202bf634484e0cb9c3b9f92170e4a9c_JaffaCakes118.exe	85
PID 2284 wrote to memory of 4356	2284	DRIVER~3.EXE	86
PID 2284 wrote to memory of 4356	2284	DRIVER~3.EXE	86
PID 2284 wrote to memory of 4356	2284	DRIVER~3.EXE	86

C:\Users\Admin\AppData\Local\Temp\f202bf634484e0cb9c3b9f92170e4a9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f202bf634484e0cb9c3b9f92170e4a9c_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~3.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~3.EXE
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Users\Admin\AppData\Local\Temp\3d driving shool.exe
    "C:\Users\Admin\AppData\Local\Temp\3d driving shool.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~3.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~3.EXE
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\3d driving shool.exe
    "C:\Users\Admin\AppData\Local\Temp\3d driving shool.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

4

T1552

Credentials In Files

4

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jI82l\PCGWIN32.LI5

Filesize
2KB

MD5
8422680a0da597259d0d929df725506d

SHA1
f4af26d54c67c5091ff4421c4af86cbe39fc293d

SHA256
866d457ec8e81af434fc165307e2593b75140bb2b603aecc7c3cc1d7e6478f8d

SHA512
c24e4c824a9d0a14863ec74b2a9f010e042b38e45d85ec2f8f0b763f80ab57551f68c59e54a148766d7b442f731606bd430501f3e14c5ff47f74f1fbcbbeddec

Download Submit
C:\ProgramData\jI82l\PCGWIN32.LI5

Filesize
2KB

MD5
88a20f952d8a5c248455c9e9cc31e693

SHA1
0cd7a9175398972f57e01c0f4f9585682eb09748

SHA256
1daff283a5e35f7631759ff7aa390a0139ac026176f90ead77224b29987e645e

SHA512
7295d2de32725b61978783774be99e152b244ef0b90c39dc359729482cf7c2a31cdcecbd92948fd20faf6f409752aefa1c7d9b612cab650e60dd01a410decd10

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d driving shool.exe

Filesize
344KB

MD5
6b1c9bfd99322686785ed3497ae2cddf

SHA1
d241fc5587906e9e39b120421a279dc3c4a0eaf7

SHA256
22b6389450c35087d9f97859d92fa5e295e12d839ef53968926c87b87e83bf3e

SHA512
94e848c13945b546c9d69c5e9fe974ec4786c137696f09c92d7abed41e18056e004437ebee0d535252601f28a2694aa3f6abf9f60fdea8209a0cc6e0c290b5e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~3.EXE

Filesize
439KB

MD5
2956f9061ab953f5c93ce971105dbb07

SHA1
0bf3a109296e1a237c7afa0d0ec1c4317cc59fc9

SHA256
15d45098faccc785facaa2381a4f8bf489e46bcc6661850722bd318d872645af

SHA512
fb5e2ed1a6a9e2e80869979f4c8054a713c52f3d65814ea17a37eb7c7e33beea690c04a7fe45c10060483748fc9b3976da5fdf6d1ba818b29470551bb785d25d

Download Submit
C:\Users\Admin\AppData\Roaming\chrtmp

Filesize
114KB

MD5
9a3be5cb8635e4df5189c9aaa9c1b3c0

SHA1
9a7ce80c8b4362b7c10294bb1551a6172e656f47

SHA256
958f70959a70caf02c0063fe80f12c4d4d3f822a9fd640a6685c345d98708c26

SHA512
5c538513eba7ebaf7028b924d992b4c32ca323ad44f7a31e21970ed6852ea8b54cf71b2f811e8bf97f2744ee151e001ea52ba43b61cd032cc5a4c886292aac65

Download Submit
memory/2284-62-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2284-43-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3588-22-0x0000000000409000-0x0000000000475000-memory.dmp

Filesize
432KB

Download
memory/3588-37-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3588-38-0x0000000000409000-0x0000000000475000-memory.dmp

Filesize
432KB

Download
memory/3588-39-0x00000000005D0000-0x00000000005E6000-memory.dmp

Filesize
88KB

Download
memory/3588-16-0x00000000005D0000-0x00000000005E6000-memory.dmp

Filesize
88KB

Download
memory/3588-15-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3588-21-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4280-7-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/4280-5-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/4280-17-0x0000000077A22000-0x0000000077A23000-memory.dmp

Filesize
4KB

Download
memory/4280-12-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/4280-11-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/4280-10-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/4280-0-0x0000000001001000-0x0000000001003000-memory.dmp

Filesize
8KB

Download
memory/4280-18-0x0000000001001000-0x00000000010A5000-memory.dmp

Filesize
656KB

Download
memory/4280-6-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/4280-2-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/4280-4-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/4280-3-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/4280-1-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/4280-69-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/4280-70-0x0000000001001000-0x00000000010A5000-memory.dmp

Filesize
656KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads