modiloader | 2aa702ad5ec863508dbdae9eeb27552031bc72d522cf29684d1ff972d2a3eb09

General

Target

cc901f826af1ac38365de4c4eeb545d5_JaffaCakes118.exe
Size

265KB
MD5

cc901f826af1ac38365de4c4eeb545d5
SHA1

edccc2e480708c69e2c475b3d2e18b5a9e1cb340
SHA256

2aa702ad5ec863508dbdae9eeb27552031bc72d522cf29684d1ff972d2a3eb09
SHA512

3d4ca47a2ade27f1089b9ec0edcfd7fde9a450e7502d4204b64e90a1f1c7cb11ecf51938e4ee768aa988f2f96830356b3db6ca6a2e0af8c4263a203e050fdbb3
SSDEEP

6144:8vKpppOTRfjSl9LmXnzHgzVdmr0csOvRRq+v16neNysj7yzf/A:F0RfjS/yem4cso82EzfI

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2116-8-0x0000000000400000-0x0000000000449000-memory.dmp	modiloader_stage2

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00070000000186f7-12.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2404	äÓÎ ãä C.exe

Loads dropped DLL 3 IoCs

pid	Process
2116	cc901f826af1ac38365de4c4eeb545d5_JaffaCakes118.exe
2116	cc901f826af1ac38365de4c4eeb545d5_JaffaCakes118.exe
2404	äÓÎ ãä C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc901f826af1ac38365de4c4eeb545d5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	äÓÎ ãä C.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2404	äÓÎ ãä C.exe
2404	äÓÎ ãä C.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2404	äÓÎ ãä C.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2404	2116	cc901f826af1ac38365de4c4eeb545d5_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2404	2116	cc901f826af1ac38365de4c4eeb545d5_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2404	2116	cc901f826af1ac38365de4c4eeb545d5_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2404	2116	cc901f826af1ac38365de4c4eeb545d5_JaffaCakes118.exe	30
PID 2404 wrote to memory of 1220	2404	äÓÎ ãä C.exe	21
PID 2404 wrote to memory of 1220	2404	äÓÎ ãä C.exe	21
PID 2404 wrote to memory of 1220	2404	äÓÎ ãä C.exe	21
PID 2404 wrote to memory of 1220	2404	äÓÎ ãä C.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\cc901f826af1ac38365de4c4eeb545d5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\cc901f826af1ac38365de4c4eeb545d5_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\äÓÎ ãä C.exe
    "C:\Users\Admin\AppData\Local\Temp\äÓÎ ãä C.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\kqlA16D.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\äÓÎ ãä C.exe

Filesize
253KB

MD5
5f850d830c15eec6f874dcc7377a4347

SHA1
dcb52969ee218d457a96f2827e410eeceab04aee

SHA256
159a41ac2a2d7f61205c6e1d0a11569770aa7dcfbe6c2936d0579c2f63937cde

SHA512
83c174cf3faaaf713753e29332aae1a670c28bba0d209557f5310c1d8d4a7e959f97c689f72321ec4c1293c3484e90593d736ed3be4a000ff1c873f89bacfef1

Download Submit
memory/1220-18-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1220-21-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/2116-8-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2404-15-0x0000000000400000-0x00000000004093A0-memory.dmp

Filesize
36KB

Download
memory/2404-14-0x00000000002F0000-0x0000000000363000-memory.dmp

Filesize
460KB

Download
memory/2404-16-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2404-30-0x00000000002F0000-0x0000000000363000-memory.dmp

Filesize
460KB

Download
memory/2404-31-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing