modiloader | 494136e6c04604c4f69dd6af191cbbf555be4cb359e4febe47ff28bde6b17935

General

Target

JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe
Size

481KB
MD5

98425a307e6127b8cfdd89e97464b34c
SHA1

5d2d09033cf0a7e2da947422277b73be6c0feabe
SHA256

494136e6c04604c4f69dd6af191cbbf555be4cb359e4febe47ff28bde6b17935
SHA512

7ffc43004be7c74c23bdb99673ec2ef12dc36257e948206046b23e45094c9734aa132675255c2a082fac581961a77804b2616bd7c588ffe9deaf742faa78a5ed
SSDEEP

12288:80kgguy60j/7cRyfOSZ5w9zsYXDg6CIMALp4DtB7Yh3nS0Bt:800Ljo+ZnilC98eMh3S8t

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral2/memory/1844-3-0x0000000000400000-0x0000000000476000-memory.dmp	modiloader_stage2
behavioral2/memory/1844-2-0x0000000000400000-0x0000000000476000-memory.dmp	modiloader_stage2
behavioral2/memory/1844-4-0x0000000000400000-0x0000000000476000-memory.dmp	modiloader_stage2
behavioral2/memory/1844-6-0x0000000000400000-0x0000000000476000-memory.dmp	modiloader_stage2
behavioral2/memory/1844-26-0x0000000000400000-0x0000000000476000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe

Executes dropped EXE 3 IoCs

pid	Process
2952	serveur.exe
3848	serveur.exe
2256	Loader.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1104 set thread context of 1844	1104	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
728	3848	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	serveur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1104	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1844	1104	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	88
PID 1104 wrote to memory of 1844	1104	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	88
PID 1104 wrote to memory of 1844	1104	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	88
PID 1104 wrote to memory of 1844	1104	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	88
PID 1104 wrote to memory of 1844	1104	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	88
PID 1104 wrote to memory of 1844	1104	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	88
PID 1104 wrote to memory of 1844	1104	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	88
PID 1104 wrote to memory of 1844	1104	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	88
PID 1104 wrote to memory of 1844	1104	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	88
PID 1104 wrote to memory of 1844	1104	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	88
PID 1104 wrote to memory of 1844	1104	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	88
PID 1104 wrote to memory of 1844	1104	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	88
PID 1104 wrote to memory of 1844	1104	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	88
PID 1844 wrote to memory of 2952	1844	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	89
PID 1844 wrote to memory of 2952	1844	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	89
PID 1844 wrote to memory of 2952	1844	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	89
PID 2952 wrote to memory of 3848	2952	serveur.exe	90
PID 2952 wrote to memory of 3848	2952	serveur.exe	90
PID 2952 wrote to memory of 3848	2952	serveur.exe	90
PID 1844 wrote to memory of 2256	1844	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	91
PID 1844 wrote to memory of 2256	1844	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	91
PID 1844 wrote to memory of 2256	1844	JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe	91

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98425a307e6127b8cfdd89e97464b34c.exe
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Users\Admin\AppData\Local\Temp\serveur.exe
    "C:\Users\Admin\AppData\Local\Temp\serveur.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\serveur.exe
      StubPath
      4⤵
      Executes dropped EXE
      PID:3848
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 460
        5⤵
        Program crash
        
        PID:728
- - C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3848 -ip 3848
1⤵
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C19H28O2.ini

Filesize
119B

MD5
e280bc3bc7817bfdbde10ac7fb900ccf

SHA1
2268c6eee3be2980805af9bf9bde3cc9a5608af5

SHA256
257c6e34c9df36d54c53a16c3b3abf06665d8d517eaa04645c384201ff70e816

SHA512
46f08ebb79814ca96cd2e0ad86b794d70da51522accfe41eb126acd5aa07c24d5020cfe7a5f452e1ef1f1ff78ec4f27a0c801fa52a2712ea31ed85284f12a4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
425KB

MD5
d23870dfc80a0a66c163c983f5c2b9c3

SHA1
45abee8e6d13682e5332edb0533af211c31021ff

SHA256
119b89e2989184f8d1d6c45d45e778fe13e5cb800ed8cb5e974862cbc571233f

SHA512
03dd00c115614da28585dd4957bcdb06cb712e4b57e862c5715f08ac2f0bba8c763d94300c6776b358e93ae082fdb22ec96db2cae721f3243f53a1b388c8e414

Download Submit
C:\Users\Admin\AppData\Local\Temp\serveur.exe

Filesize
10KB

MD5
e385fca84eb38eb437399f25c9650cdc

SHA1
a88f78a46d3e9f0e79b4e8f3f72117f44f430f64

SHA256
2c28bd7c0c235c3164a6e6b4b8d28c10860bdbc192cf99af69881932f82c7a41

SHA512
0e5a1b0c072c329ca428a4edd344ec45d4511a4cb4639d45e8f239b19970b176d4078066b6d9ea2ffe8cc3a02ba1373c6d3b4ac140d7ff7827799d5032add409

Download Submit
memory/1844-3-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1844-2-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1844-4-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1844-6-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1844-26-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2256-28-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2256-41-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2256-42-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2952-22-0x0000000000400000-0x0000000000402800-memory.dmp

Filesize
10KB

Download

Analysis

Sharing