modiloader | 4d22f64874665c233a0ff8092f98a8320908058a45fbd535b042c3c31fd3c993

General

Target

fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe
Size

1.6MB
MD5

fa3ba3247af3ef3d0f814a62a3e62497
SHA1

b7f72fc763c2190995348112d2c81100edd667b5
SHA256

4d22f64874665c233a0ff8092f98a8320908058a45fbd535b042c3c31fd3c993
SHA512

90b322f47bde6ad80d4701d239fcae2d22ba5f430cc4c98a5294f0e4bc899ab5d34b000d2acf124a04e3654e1b0e962e1941d7418f478a921ddece72841f94ad
SSDEEP

49152:F/+nwLepp/O2r1+AFhHBGF5nX2nCTNcOCFinZ:owLK5O2oArhnCT6inZ

Score

10^/10

modiloader discovery evasion themida trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 6 IoCs

resource	yara_rule
behavioral1/memory/264-6-0x0000000000400000-0x0000000000769000-memory.dmp	modiloader_stage2
behavioral1/memory/264-7-0x0000000000400000-0x0000000000769000-memory.dmp	modiloader_stage2
behavioral1/memory/264-14-0x0000000005960000-0x0000000005CC9000-memory.dmp	modiloader_stage2
behavioral1/memory/2236-39-0x0000000000400000-0x0000000000769000-memory.dmp	modiloader_stage2
behavioral1/memory/264-40-0x0000000000400000-0x0000000000769000-memory.dmp	modiloader_stage2
behavioral1/memory/2236-29-0x0000000000400000-0x0000000000769000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2592	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2236	Erverery.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	Erverery.exe

Loads dropped DLL 2 IoCs

pid	Process
264	fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe
264	fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/264-0-0x0000000000400000-0x0000000000769000-memory.dmp	themida
behavioral1/memory/264-6-0x0000000000400000-0x0000000000769000-memory.dmp	themida
behavioral1/memory/264-7-0x0000000000400000-0x0000000000769000-memory.dmp	themida
behavioral1/files/0x000c00000001225b-8.dat	themida
behavioral1/memory/2236-17-0x0000000000400000-0x0000000000769000-memory.dmp	themida
behavioral1/memory/2236-18-0x0000000000400000-0x0000000000769000-memory.dmp	themida
behavioral1/memory/2236-19-0x0000000000400000-0x0000000000769000-memory.dmp	themida
behavioral1/memory/2604-27-0x0000000000400000-0x0000000000769000-memory.dmp	themida
behavioral1/memory/2236-39-0x0000000000400000-0x0000000000769000-memory.dmp	themida
behavioral1/memory/264-40-0x0000000000400000-0x0000000000769000-memory.dmp	themida
behavioral1/memory/2236-29-0x0000000000400000-0x0000000000769000-memory.dmp	themida

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_Erverery.exe	Erverery.exe
File opened for modification	C:\Windows\SysWOW64\_Erverery.exe	Erverery.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2236 set thread context of 2604	2236	Erverery.exe	32

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Erverery.exe	fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Erverery.exe	fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat	fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Erverery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
264	fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe
2236	Erverery.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 264 wrote to memory of 2236	264	fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe	31
PID 264 wrote to memory of 2236	264	fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe	31
PID 264 wrote to memory of 2236	264	fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe	31
PID 264 wrote to memory of 2236	264	fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe	31
PID 2236 wrote to memory of 2604	2236	Erverery.exe	32
PID 2236 wrote to memory of 2604	2236	Erverery.exe	32
PID 2236 wrote to memory of 2604	2236	Erverery.exe	32
PID 2236 wrote to memory of 2604	2236	Erverery.exe	32
PID 2236 wrote to memory of 2604	2236	Erverery.exe	32
PID 2236 wrote to memory of 2604	2236	Erverery.exe	32
PID 2236 wrote to memory of 2624	2236	Erverery.exe	33
PID 2236 wrote to memory of 2624	2236	Erverery.exe	33
PID 2236 wrote to memory of 2624	2236	Erverery.exe	33
PID 2236 wrote to memory of 2624	2236	Erverery.exe	33
PID 264 wrote to memory of 2592	264	fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe	34
PID 264 wrote to memory of 2592	264	fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe	34
PID 264 wrote to memory of 2592	264	fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe	34
PID 264 wrote to memory of 2592	264	fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:264
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\Erverery.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\Erverery.exe"
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:2604
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\Delet.bat

Filesize
212B

MD5
eb3dcc95ea73f74e56d62b991473a0ce

SHA1
ab96ca7b9d50dfd4974860f840ffcedcb2bebf7f

SHA256
f95030c430a28693fe39527241b6ff9795c5b0777eee77247fac585a241d69a6

SHA512
9c6ed298dd1980f71e1246cc0d0d0e9258c76ec88a6eb09ab709e62ca0eecffa1339109dff45c90af4f4042075ca5fd88a7052803461050f827a650f4079f9f2

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\Erverery.exe

Filesize
1.6MB

MD5
fa3ba3247af3ef3d0f814a62a3e62497

SHA1
b7f72fc763c2190995348112d2c81100edd667b5

SHA256
4d22f64874665c233a0ff8092f98a8320908058a45fbd535b042c3c31fd3c993

SHA512
90b322f47bde6ad80d4701d239fcae2d22ba5f430cc4c98a5294f0e4bc899ab5d34b000d2acf124a04e3654e1b0e962e1941d7418f478a921ddece72841f94ad

Download Submit
memory/264-16-0x0000000005960000-0x0000000005CC9000-memory.dmp

Filesize
3.4MB

Download
memory/264-2-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/264-7-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/264-3-0x0000000000401000-0x0000000000452000-memory.dmp

Filesize
324KB

Download
memory/264-1-0x0000000000770000-0x0000000000869000-memory.dmp

Filesize
996KB

Download
memory/264-14-0x0000000005960000-0x0000000005CC9000-memory.dmp

Filesize
3.4MB

Download
memory/264-0-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/264-6-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/264-40-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/2236-17-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/2236-39-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/2236-19-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/2236-18-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/2236-29-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/2604-27-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/2604-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads