modiloader | 15a8b3b9f7b50efb9922d132759d2d3fea482074c5c7acc774d3a6a053a11c89

General

Target

JaffaCakes118_0b327b88f123510e6b50df100ee9f50b.exe
Size

510KB
MD5

0b327b88f123510e6b50df100ee9f50b
SHA1

612c7ed5452daf9db949093dcdf5fdef25132412
SHA256

15a8b3b9f7b50efb9922d132759d2d3fea482074c5c7acc774d3a6a053a11c89
SHA512

01c5fda274bb104c7b774098dfa2e34ff77831067893e0144ba7bf750f84e107f83da4d5091f73b98b4ec54c5d2148299a8c6d49c00710015f3b5d19c4cf703f
SSDEEP

12288:Gg+mzUMDRUTV5nKHihTJd7BkcQc4yb28PnxcpNVVqgWxuxLA:G1/ZTV5n8ir7kcp4x6cpN/WxaLA

Score

10^/10

modiloader defense_evasion discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b53-13.dat	modiloader_stage2
behavioral2/memory/1468-14-0x0000000000400000-0x00000000004BB000-memory.dmp	modiloader_stage2
behavioral2/memory/1468-17-0x0000000000400000-0x00000000004BB000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	JaffaCakes118_0b327b88f123510e6b50df100ee9f50b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
1392	kb.exe
1468	kk.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1776	1468	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0b327b88f123510e6b50df100ee9f50b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	JaffaCakes118_0b327b88f123510e6b50df100ee9f50b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1392	kb.exe
1392	kb.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 3544	2064	JaffaCakes118_0b327b88f123510e6b50df100ee9f50b.exe	83
PID 2064 wrote to memory of 3544	2064	JaffaCakes118_0b327b88f123510e6b50df100ee9f50b.exe	83
PID 2064 wrote to memory of 3544	2064	JaffaCakes118_0b327b88f123510e6b50df100ee9f50b.exe	83
PID 3544 wrote to memory of 536	3544	WScript.exe	84
PID 3544 wrote to memory of 536	3544	WScript.exe	84
PID 3544 wrote to memory of 536	3544	WScript.exe	84
PID 3544 wrote to memory of 3620	3544	WScript.exe	86
PID 3544 wrote to memory of 3620	3544	WScript.exe	86
PID 3544 wrote to memory of 3620	3544	WScript.exe	86
PID 3544 wrote to memory of 2128	3544	WScript.exe	88
PID 3544 wrote to memory of 2128	3544	WScript.exe	88
PID 3544 wrote to memory of 2128	3544	WScript.exe	88
PID 536 wrote to memory of 1392	536	cmd.exe	90
PID 536 wrote to memory of 1392	536	cmd.exe	90
PID 536 wrote to memory of 1392	536	cmd.exe	90
PID 3544 wrote to memory of 5048	3544	WScript.exe	91
PID 3544 wrote to memory of 5048	3544	WScript.exe	91
PID 3544 wrote to memory of 5048	3544	WScript.exe	91
PID 3544 wrote to memory of 3476	3544	WScript.exe	93
PID 3544 wrote to memory of 3476	3544	WScript.exe	93
PID 3544 wrote to memory of 3476	3544	WScript.exe	93
PID 3620 wrote to memory of 1468	3620	cmd.exe	94
PID 3620 wrote to memory of 1468	3620	cmd.exe	94
PID 3620 wrote to memory of 1468	3620	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b327b88f123510e6b50df100ee9f50b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0b327b88f123510e6b50df100ee9f50b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\s.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3544
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c kb
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\kb.exe
      kb
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c kk.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\kk.exe
      kk.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1468
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 536
        5⤵
        Program crash
        
        PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del kb.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del k.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del s.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1468 -ip 1468
1⤵
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\kb.exe

Filesize
51KB

MD5
4665d7a9c72f59046c4b1513b19d4e15

SHA1
0bdfedde3ec7a10936ce6202ae3e81b03f1b2b5e

SHA256
31e384fe60859e455eddd5b603b4aec8020724b43d1a0a32218a75f77e281833

SHA512
ef4100b05190fedcbd777669ef2415f39adace40d418d93e19a75959f68553974e9bf3011c07ee37b7346ae059e4e73b0cc795d4305c5f17662769891347d54a

Download Submit
C:\kk.exe

Filesize
680KB

MD5
7772fb976ceb942e8fb8639bc93261ef

SHA1
c29fe0b3c0fe88acb3de01f020b19aa3e0b22f07

SHA256
125438081c49842f4e226e979c38a7da5780d43ad410b064fc3ab8c731400680

SHA512
a6645660657d9ca5768a5a6a4aa423269fba0160169efedac28156101991294688ff9ffc1195c122221fc335afcf36beef8087f90e2f36824c55114d6f1119e1

Download Submit
C:\s.vbs

Filesize
198B

MD5
0106cd0e268e3234cd2b3567b2f30d75

SHA1
01f9134f8ad1693aadff6df1bab7718b875aa15a

SHA256
e84d10954519e536322c9c0dd8e3ae01c9ae05744b18221bb7eadfe8d7b6967d

SHA512
8637f3abb04d8f1cd5ea65d0bf8cefe61ecf7f37c34901f5292a87a612285f03dac713f6d1f268b7c5bb65bf5fe3e6816b12892c4d528133afd22e7ba2eca42e

Download Submit
memory/1468-14-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1468-17-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2064-16-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing