modiloader | e12084427ac0f690ee1957be6a0958ed35e3a56475ac9817516ccf62a3be818e

General

Target

aebff5f2141241562a93c416b082ae5e_JaffaCakes118.exe
Size

715KB
MD5

aebff5f2141241562a93c416b082ae5e
SHA1

4bf325d6f6d824ccaa7f211f6788353b3ad4f2cb
SHA256

e12084427ac0f690ee1957be6a0958ed35e3a56475ac9817516ccf62a3be818e
SHA512

9d4f030a85f0ec68c31c43fe727e396aba0c90cfa07e7afaaf1124cb15d11b38a3164b282208ce598aec5465aaafc5dbac213f6dd07df1ca35d2c482eae9b017
SSDEEP

12288:SgZNodYlG4DiCOJqxpMZzw/8jM8nKgXPTHZqNwVMA33HcJhjDFOcZVjEkW53tVPr:BZ6dYlG4DigWzwcMQKyjIrAHH2h3FXTG

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/1772-14-0x0000000000400000-0x000000000042A000-memory.dmp	modiloader_stage2
behavioral1/files/0x0008000000016307-15.dat	modiloader_stage2
behavioral1/memory/1772-28-0x0000000000400000-0x000000000042A000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
1772	popkart.exe
2864	跑跑死神挂VIP版.exe

Loads dropped DLL 6 IoCs

pid	Process
2088	aebff5f2141241562a93c416b082ae5e_JaffaCakes118.exe
2088	aebff5f2141241562a93c416b082ae5e_JaffaCakes118.exe
1772	popkart.exe
2088	aebff5f2141241562a93c416b082ae5e_JaffaCakes118.exe
2088	aebff5f2141241562a93c416b082ae5e_JaffaCakes118.exe
2864	跑跑死神挂VIP版.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.dll	popkart.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aebff5f2141241562a93c416b082ae5e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	跑跑死神挂VIP版.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1772	popkart.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1772	2088	aebff5f2141241562a93c416b082ae5e_JaffaCakes118.exe	30
PID 2088 wrote to memory of 1772	2088	aebff5f2141241562a93c416b082ae5e_JaffaCakes118.exe	30
PID 2088 wrote to memory of 1772	2088	aebff5f2141241562a93c416b082ae5e_JaffaCakes118.exe	30
PID 2088 wrote to memory of 1772	2088	aebff5f2141241562a93c416b082ae5e_JaffaCakes118.exe	30
PID 2088 wrote to memory of 2864	2088	aebff5f2141241562a93c416b082ae5e_JaffaCakes118.exe	31
PID 2088 wrote to memory of 2864	2088	aebff5f2141241562a93c416b082ae5e_JaffaCakes118.exe	31
PID 2088 wrote to memory of 2864	2088	aebff5f2141241562a93c416b082ae5e_JaffaCakes118.exe	31
PID 2088 wrote to memory of 2864	2088	aebff5f2141241562a93c416b082ae5e_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\aebff5f2141241562a93c416b082ae5e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aebff5f2141241562a93c416b082ae5e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\popkart.exe
  "C:\Users\Admin\AppData\Local\Temp\popkart.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:1772
- C:\Users\Admin\AppData\Local\Temp\跑跑死神挂VIP版.exe
  "C:\Users\Admin\AppData\Local\Temp\跑跑死神挂VIP版.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Common Files\Microsoft Shared\MSInfo\SysInfo.dll

Filesize
57KB

MD5
ecb880e576273a0bfc0b5c210c9dc626

SHA1
a2f7aa20ba7e035b1a96cb5c2876131083abeb71

SHA256
2b46ed24a8ef480d94dee8ac0c9f93266f6a40371bd0e91c368846771ae02656

SHA512
77238139af28ec44c792eff7c8d1fc016811944355b317224165ae0f45783322d560489709043b627e4c9b7a643cbb3207b9e4e65cd0c78c9527fbb7dc0e7a19

Download Submit
\Users\Admin\AppData\Local\Temp\popkart.exe

Filesize
29KB

MD5
ba0ff1c0c3fd898ea4a84744d4369e61

SHA1
911bf618f0dc47735da3a6071576205b13998088

SHA256
14e804ea60a51352814173f745c44b1bf3dfcd2a2217d1d9f0342d590515d2a5

SHA512
24e14dd84433b8560732615d8dee014134d659663756a0e476d3597a4ce608be621aa2f3eecdb4627a5b3c7ef2ef373567a3ebbcc7c665b762f147a1218cf0c9

Download Submit
\Users\Admin\AppData\Local\Temp\跑跑死神挂VIP版.exe

Filesize
655KB

MD5
f970871d6fb6fac7e814264e17bd6143

SHA1
d8e69b36bc9664613f6dabdf99650571a60aba8a

SHA256
bab9ff166b0173dc07acca0b76016857a4961cf41b606742a434737be2157d35

SHA512
6cb3cfb9d23301348b81b8b347a13418dde9b2a5e555beb1b90eabfbdd652e5962bade845bd3d5d2310ef1a60d4cf0fa509f7a26e7904429619f25d0f8fb718f

Download Submit
memory/1772-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1772-28-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2088-4-0x0000000002B70000-0x0000000002B9A000-memory.dmp

Filesize
168KB

Download
memory/2088-19-0x0000000002B70000-0x0000000002B91000-memory.dmp

Filesize
132KB

Download
memory/2864-27-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing