modiloader | aecec29b477c1a6f99aa8c512cc3179ef577ce814f74dc87005407bdd1602601

General

Target

JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe
Size

719KB
MD5

99b275b5cc5a6bb8d492490c6979bae9
SHA1

ab7301c148263996feaeff276bf9825be0d39659
SHA256

aecec29b477c1a6f99aa8c512cc3179ef577ce814f74dc87005407bdd1602601
SHA512

79022795c97a82b5737b63c169d33afeb3abf4b1b674b27a2b8b720468e1e736089987a8b2e6ddf2708a2b67d5ba2e74e10e440d98e8b6fe6422ef82f9b90469
SSDEEP

12288:UJv4sbmf230mGKBE6ONz7oCqqu5FP03W3LzO9cg8SjSIMaolh+mS:U1SlmGd6R3qu5FPAiLzARdSIMaN

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/2864-51-0x0000000000400000-0x000000000059D000-memory.dmp	modiloader_stage2
behavioral2/memory/2864-53-0x0000000000400000-0x000000000059D000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	456.exe

Executes dropped EXE 3 IoCs

pid	Process
1420	456.exe
2864	¸´¼þ Sx_server.exe
4636	NOTEPAD.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\program files\common files\microsoft shared\msinfo\¸´¼þ Sx_server.jpg	456.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\2010.txt	¸´¼þ Sx_server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	456.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	¸´¼þ Sx_server.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 1420	1316	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe	83
PID 1316 wrote to memory of 1420	1316	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe	83
PID 1316 wrote to memory of 1420	1316	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe	83
PID 1420 wrote to memory of 2864	1420	456.exe	84
PID 1420 wrote to memory of 2864	1420	456.exe	84
PID 1420 wrote to memory of 2864	1420	456.exe	84
PID 1316 wrote to memory of 4636	1316	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe	85
PID 1316 wrote to memory of 4636	1316	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe	85
PID 1316 wrote to memory of 4636	1316	JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe	85
PID 2864 wrote to memory of 3988	2864	¸´¼þ Sx_server.exe	86
PID 2864 wrote to memory of 3988	2864	¸´¼þ Sx_server.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_99b275b5cc5a6bb8d492490c6979bae9.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\456.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\456.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\program files\common files\microsoft shared\msinfo\¸´¼þ Sx_server.exe
    "C:\program files\common files\microsoft shared\msinfo\¸´¼þ Sx_server.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\program files\internet explorer\IEXPLORE.EXE
      "C:\program files\internet explorer\IEXPLORE.EXE"
      4⤵
      PID:3988
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NOTEPAD.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NOTEPAD.EXE
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\MSInfo\¸´¼þ Sx_server.exe

Filesize
289KB

MD5
a8574aaf3427d0c468da1100fd1526ff

SHA1
012fefa0bb040c2528ef7266d535f2fe5cbf7707

SHA256
81bf66543e6ff717c9f26f0cf8740722f17ac175d1da3abe85a7dcab389459e8

SHA512
039e1ac5b8c324fba4be5a80128a0764336e790969c2b7ae22e308a12aed47e20c4a647c53cef2b353a3cf952c8e9dfb4c7a8edf16d00980caf8bcf34459bb22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\456.exe

Filesize
634KB

MD5
73f2c3940d71ea34923e274b6935abfc

SHA1
0e79d8e82ccfeef2898b144188035cfde26616d4

SHA256
06f3c70980a2c6553c046c526fa18f282adeaa660eeedd16b85c7cbd4e888fea

SHA512
5b8ee88495cd14268923c0f4f64778c0ec0c9d435ec124e791fab21b59c9a98cdd78d47508a7b3ac3e5b4c071b4e894eff716cae8d9da1c594276bf430d04efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NOTEPAD.EXE

Filesize
65KB

MD5
c9f225f98574759e377bce6d87958c9c

SHA1
3a23ac5865ea5ac89d87b4219646a1cee5820ac1

SHA256
7834f55bcff4d30d7b778bceea618cfd23cf4f184f7db6b74d1b49bbcf6c0560

SHA512
d9ffd8ba019cde8e7d71b6c208f2b949e271527373458fee48e461e49ff096d32361d372a48aaa84b153847dd75c79a99e23f8fa450c888aae180bb3e2dc4c1b

Download Submit
memory/1420-27-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/1420-25-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/1420-14-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/1420-13-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1420-12-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/1420-11-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/1420-10-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/1420-9-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/1420-34-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1420-33-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1420-32-0x00000000031D0000-0x00000000031D4000-memory.dmp

Filesize
16KB

Download
memory/1420-31-0x00000000031E0000-0x00000000031E2000-memory.dmp

Filesize
8KB

Download
memory/1420-30-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/1420-29-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/1420-28-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/1420-16-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/1420-15-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/1420-24-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/1420-26-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/1420-23-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/1420-22-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/1420-21-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/1420-20-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/1420-19-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/1420-18-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/1420-17-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1420-8-0x00000000005E0000-0x0000000000634000-memory.dmp

Filesize
336KB

Download
memory/1420-7-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1420-46-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1420-47-0x00000000005E0000-0x0000000000634000-memory.dmp

Filesize
336KB

Download
memory/2864-44-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download
memory/2864-51-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download
memory/2864-53-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads