modiloader | 4b89a52186085a9be48466e83892f41134739688f1575ef28cb2a01a98dc071a

General

Target

JaffaCakes118_2fc84ea98f7f52999dc86b8c0fe39794.exe
Size

650KB
MD5

2fc84ea98f7f52999dc86b8c0fe39794
SHA1

13d203f95c29fafceed414bc7cd9dd3f822f824f
SHA256

4b89a52186085a9be48466e83892f41134739688f1575ef28cb2a01a98dc071a
SHA512

fa3f2ccb20dacf6674f1699c0c055594c83cb5c95cff667a3ddc7e0a94f4381c957a73c2dc34cac940c5a45bdcbda1d2044cfd5234f1373e1e3f522ad88b9cd0
SSDEEP

12288:GpXNBbDvAOb7e7yJLqDWQcTxrXbuutkv/FV9bOI4:QbDn7e2JLPQctDbztkvNbOI4

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe ZReload.scr"	csrss.exe

Modiloader family
modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral1/memory/296-9-0x0000000013140000-0x00000000131E8000-memory.dmp	modiloader_stage2
behavioral1/memory/2752-10-0x0000000013140000-0x00000000131E8000-memory.dmp	modiloader_stage2
behavioral1/files/0x000800000001706d-31.dat	modiloader_stage2
behavioral1/memory/2752-35-0x0000000013140000-0x00000000131E8000-memory.dmp	modiloader_stage2

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\services.exe	csrss.exe

Executes dropped EXE 2 IoCs

pid	Process
2752	csrss.exe
2680	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2752	csrss.exe
2752	csrss.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rlog.dllx	csrss.exe
File opened for modification	C:\Windows\SysWOW64\ZReload.scr	csrss.exe
File created	C:\Windows\SysWOW64\ZReload.scrx	csrss.exe
File created	C:\Windows\SysWOW64\Zreload.scr	csrss.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\csrss.exe	cmd.exe
File opened for modification	C:\Windows\csrss.exe	cmd.exe
File opened for modification	C:\Windows\csrss.exe	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2fc84ea98f7f52999dc86b8c0fe39794.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 296 wrote to memory of 2692	296	JaffaCakes118_2fc84ea98f7f52999dc86b8c0fe39794.exe	30
PID 296 wrote to memory of 2692	296	JaffaCakes118_2fc84ea98f7f52999dc86b8c0fe39794.exe	30
PID 296 wrote to memory of 2692	296	JaffaCakes118_2fc84ea98f7f52999dc86b8c0fe39794.exe	30
PID 296 wrote to memory of 2692	296	JaffaCakes118_2fc84ea98f7f52999dc86b8c0fe39794.exe	30
PID 296 wrote to memory of 2752	296	JaffaCakes118_2fc84ea98f7f52999dc86b8c0fe39794.exe	32
PID 296 wrote to memory of 2752	296	JaffaCakes118_2fc84ea98f7f52999dc86b8c0fe39794.exe	32
PID 296 wrote to memory of 2752	296	JaffaCakes118_2fc84ea98f7f52999dc86b8c0fe39794.exe	32
PID 296 wrote to memory of 2752	296	JaffaCakes118_2fc84ea98f7f52999dc86b8c0fe39794.exe	32
PID 2752 wrote to memory of 2680	2752	csrss.exe	33
PID 2752 wrote to memory of 2680	2752	csrss.exe	33
PID 2752 wrote to memory of 2680	2752	csrss.exe	33
PID 2752 wrote to memory of 2680	2752	csrss.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fc84ea98f7f52999dc86b8c0fe39794.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fc84ea98f7f52999dc86b8c0fe39794.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fc84ea98f7f52999dc86b8c0fe39794.exe" "C:\Windows\csrss.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2692
- C:\Windows\csrss.exe
  "C:\Windows\csrss.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\drivers\services.exe
    C:\Windows\system32\drivers\services.exe
    3⤵
    - Executes dropped EXE
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Zreload.scr

Filesize
18KB

MD5
8cfb6b02ab6a839656eae2d2af218d39

SHA1
6f95718d8575871255dde12a801ec9638945f84e

SHA256
794a54e567f644324ee897e7dfd6efe003e21741377ba4d2c57bd4e8afc1b866

SHA512
cbfc0068a8f22540bb20f1fc9bd300019dc65b295edbe92bc93c9f9641c8f8e99e047dc0e5e28acb3a82b9ef093fe729f3a97d8fe3d24e63792336af068edd04

Download Submit
C:\Windows\csrss.exe

Filesize
650KB

MD5
2fc84ea98f7f52999dc86b8c0fe39794

SHA1
13d203f95c29fafceed414bc7cd9dd3f822f824f

SHA256
4b89a52186085a9be48466e83892f41134739688f1575ef28cb2a01a98dc071a

SHA512
fa3f2ccb20dacf6674f1699c0c055594c83cb5c95cff667a3ddc7e0a94f4381c957a73c2dc34cac940c5a45bdcbda1d2044cfd5234f1373e1e3f522ad88b9cd0

Download Submit
\Windows\SysWOW64\drivers\services.exe

Filesize
25KB

MD5
17756e0726830df0897875a03d3a5067

SHA1
af7783012872089b9a4a9c78daa3eefff12f5e04

SHA256
445a24c80b4a85b7efcedd6f75062f317f1c8c6a97cd51dfc3d861909e2e79d3

SHA512
2230b77de5d9142254514268c6c23f933bf78a90e15f75de1041828db54616fbb0fcf66b5f3d7bf06a0a5c3474fc040ff25ff582c89de076e17fa16b441b135e

Download Submit
memory/296-1-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/296-9-0x0000000013140000-0x00000000131E8000-memory.dmp

Filesize
672KB

Download
memory/296-8-0x0000000003580000-0x0000000003628000-memory.dmp

Filesize
672KB

Download
memory/296-5-0x0000000003580000-0x0000000003628000-memory.dmp

Filesize
672KB

Download
memory/296-0-0x0000000013140000-0x00000000131E8000-memory.dmp

Filesize
672KB

Download
memory/2680-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2752-10-0x0000000013140000-0x00000000131E8000-memory.dmp

Filesize
672KB

Download
memory/2752-11-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2752-35-0x0000000013140000-0x00000000131E8000-memory.dmp

Filesize
672KB

Download
memory/2752-38-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads