modiloader | ef39ddd79c5b9f22df70d6c782396da33f14cf6d1b9cc4de1fa58b39a26d1ebe

General

Target

3fe92962081da9d708ca7cff7b7b0397_JaffaCakes118.exe
Size

516KB
MD5

3fe92962081da9d708ca7cff7b7b0397
SHA1

996dc5e2dcc4fe91b0c8d78358ef5a9c8535aa1c
SHA256

ef39ddd79c5b9f22df70d6c782396da33f14cf6d1b9cc4de1fa58b39a26d1ebe
SHA512

03ea9e75e117d429911e9e4ad276f4e654c50bb18e3ffbe6f82a4bedc5df520651007db7d975edf2523a5a2514e79de06b67c4bbc4e743878ba818e5cb2e2ef5
SSDEEP

12288:nL7p0EULtPHTT6olPioaZNjLZF/ut8sgU7EHme8PzJEjMm:nL7pjUxX6Ck/fZctEUgmeIzJEY

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral2/memory/3016-26-0x0000000002150000-0x000000000216F000-memory.dmp	modiloader_stage2
behavioral2/memory/1880-32-0x00000000045B0000-0x00000000045CF000-memory.dmp	modiloader_stage2
behavioral2/memory/1880-31-0x00000000045B0000-0x00000000045CF000-memory.dmp	modiloader_stage2
behavioral2/memory/3016-34-0x0000000002150000-0x000000000216F000-memory.dmp	modiloader_stage2
behavioral2/memory/1880-60-0x00000000045B0000-0x00000000045CF000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3fe92962081da9d708ca7cff7b7b0397_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1880	ÐÂ¿î¼ÓËÙÆ÷.exe
3016	2.exe

Loads dropped DLL 4 IoCs

pid	Process
3016	2.exe
3016	2.exe
1880	ÐÂ¿î¼ÓËÙÆ÷.exe
1880	ÐÂ¿î¼ÓËÙÆ÷.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\aspeeder\WinIo.sys	ÐÂ¿î¼ÓËÙÆ÷.exe
File opened for modification	C:\Program Files (x86)\aspeeder\JSHJ.dll	ÐÂ¿î¼ÓËÙÆ÷.exe
File created	C:\Program Files (x86)\aspeeder\ReadMe.txt	ÐÂ¿î¼ÓËÙÆ÷.exe
File created	C:\Program Files (x86)\aspeeder\FAQ.txt	ÐÂ¿î¼ÓËÙÆ÷.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\atmQQ2.dll	2.exe
File opened for modification	C:\Program Files (x86)\aspeeder\aspeeder.exe	ÐÂ¿î¼ÓËÙÆ÷.exe
File opened for modification	C:\Program Files (x86)\aspeeder\WinIo.vxd	ÐÂ¿î¼ÓËÙÆ÷.exe
File opened for modification	C:\Program Files (x86)\aspeeder\ReadMe.txt	ÐÂ¿î¼ÓËÙÆ÷.exe
File opened for modification	C:\Program Files (x86)\aspeeder\FAQ.txt	ÐÂ¿î¼ÓËÙÆ÷.exe
File opened for modification	C:\Program Files (x86)\aspeeder\License.txt	ÐÂ¿î¼ÓËÙÆ÷.exe
File created	C:\Program Files (x86)\aspeeder\WinIo.sys	ÐÂ¿î¼ÓËÙÆ÷.exe
File opened for modification	C:\Program Files (x86)\aspeeder\WinIo.dll	ÐÂ¿î¼ÓËÙÆ÷.exe
File created	C:\Program Files (x86)\aspeeder\WinIo.dll	ÐÂ¿î¼ÓËÙÆ÷.exe
File created	C:\Program Files (x86)\aspeeder\JSHJ.dll	ÐÂ¿î¼ÓËÙÆ÷.exe
File created	C:\Program Files (x86)\aspeeder\License.txt	ÐÂ¿î¼ÓËÙÆ÷.exe
File created	C:\Program Files (x86)\aspeeder\uninstall.exe	ÐÂ¿î¼ÓËÙÆ÷.exe
File created	C:\Program Files (x86)\aspeeder\aspeeder.exe	ÐÂ¿î¼ÓËÙÆ÷.exe
File created	C:\Program Files (x86)\aspeeder\WinIo.vxd	ÐÂ¿î¼ÓËÙÆ÷.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3fe92962081da9d708ca7cff7b7b0397_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ÐÂ¿î¼ÓËÙÆ÷.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3016	2.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 1880	5004	3fe92962081da9d708ca7cff7b7b0397_JaffaCakes118.exe	87
PID 5004 wrote to memory of 1880	5004	3fe92962081da9d708ca7cff7b7b0397_JaffaCakes118.exe	87
PID 5004 wrote to memory of 1880	5004	3fe92962081da9d708ca7cff7b7b0397_JaffaCakes118.exe	87
PID 5004 wrote to memory of 3016	5004	3fe92962081da9d708ca7cff7b7b0397_JaffaCakes118.exe	88
PID 5004 wrote to memory of 3016	5004	3fe92962081da9d708ca7cff7b7b0397_JaffaCakes118.exe	88
PID 5004 wrote to memory of 3016	5004	3fe92962081da9d708ca7cff7b7b0397_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\3fe92962081da9d708ca7cff7b7b0397_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3fe92962081da9d708ca7cff7b7b0397_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Users\Admin\AppData\Local\Temp\ÐÂ¿î¼ÓËÙÆ÷.exe
  "C:\Users\Admin\AppData\Local\Temp\ÐÂ¿î¼ÓËÙÆ÷.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1880
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\aspeeder\aspeeder.exe

Filesize
353KB

MD5
9f184392d5bfae8c01cb980cff21d4e9

SHA1
c3a5dbe9cc2179710c2ccdc282a9213bf771f1ab

SHA256
a8fce5cc5acbb85852d3207369fcc331b34824055cad435c06973d1bfeddad33

SHA512
f5f95e906556a84f022f1e5d3ee56c0fa9f56778dbfa4b45c62e24b77b3d08530480b0146d91f1d4102cc7c63da758aeb97241e7f8d400e748516222dc8fc0fa

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\atmQQ2.dll

Filesize
25KB

MD5
b556c1ecbf66dd5da363e15b2e9f6a9a

SHA1
53d57009e9bd44f138852d62e110e5c3adfc6731

SHA256
56534371b59b12b42248193b5434e277d5e45c13b6df816c023fa78627e17a15

SHA512
01f10638a2b76b04adb1791b9c01f3b338d52426c71ab83fba06821217f7dba53b636a19a927612508c8a483fd063884b72df814e65b49fefd8309d5d4dee895

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
36KB

MD5
efe8c10e084cebe94d3842961e262342

SHA1
78d23843c5ed7e28985ab01e33f01e3199af4c8e

SHA256
f7d31ad0f57361efe6cdbf3e3044aa1e5dd5eccee498806a3b2cecde8d1d4697

SHA512
b4390586461ac598be92c233c01f5b94ce214ee66766d3125104bfaa286945f84610af23f4e9b60dfb47d090d5a4569a10d540b8ddbd227932bf40b21715195d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÐÂ¿î¼ÓËÙÆ÷.exe

Filesize
430KB

MD5
33303856d356c36e2d62201dfde44bbf

SHA1
165ba9739daaad5e2d0af4de0bf9d2420e6f33e3

SHA256
9c388f36169b58adda76792d050eda6877b4bd6d7fe6b698db5a5f9570250c6e

SHA512
36c6f93e76ef314de1509ae696d114287c9faa641b6d67ddf8514364cfb0c56f64ae26e9a9299097d3198c0121b0b42505d1b57e902cf90169949310178bd986

Download Submit
memory/1880-60-0x00000000045B0000-0x00000000045CF000-memory.dmp

Filesize
124KB

Download
memory/1880-36-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/1880-31-0x00000000045B0000-0x00000000045CF000-memory.dmp

Filesize
124KB

Download
memory/1880-32-0x00000000045B0000-0x00000000045CF000-memory.dmp

Filesize
124KB

Download
memory/3016-27-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3016-26-0x0000000002150000-0x000000000216F000-memory.dmp

Filesize
124KB

Download
memory/3016-24-0x0000000002150000-0x000000000216F000-memory.dmp

Filesize
124KB

Download
memory/3016-33-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3016-34-0x0000000002150000-0x000000000216F000-memory.dmp

Filesize
124KB

Download
memory/3016-35-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3016-23-0x0000000002150000-0x000000000216F000-memory.dmp

Filesize
124KB

Download
memory/3016-15-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5004-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing