modiloader | e676ac2792c569934db51f5d78d8abdfed2482af2685ec03247a96ffe29e7d53

General

Target

e0fb4b7b2c571360fccea0d2032f38f3_JaffaCakes118.exe
Size

450KB
MD5

e0fb4b7b2c571360fccea0d2032f38f3
SHA1

3f6c55bcbd3614d77b2d6278d91dfc6a2646d090
SHA256

e676ac2792c569934db51f5d78d8abdfed2482af2685ec03247a96ffe29e7d53
SHA512

6d52202a03676feff9c0270b3c226c4f50d923973691e95254f03436272780165a0528bbe010de14225acd8fbc4fe85c70b62926a9eb1affbc557a7439b45dd1
SSDEEP

6144:wcIwEvC7J8Cv+dA6v31O8lBukf6tf7k9RvtPQPdCqZXl0GCHfGKsnpPpeg5Nxxiz:wFmdKhfkmQkf6tf7klcCWwHu/Ag5w2O

Score

10^/10

modiloader discovery trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2148-14-0x0000000000400000-0x0000000000477920-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2336	ãÑÇÌÚÉ ÊÇÑíÎ 3 ãÊæÓØ Ý 1.exe

Loads dropped DLL 2 IoCs

pid	Process
2148	e0fb4b7b2c571360fccea0d2032f38f3_JaffaCakes118.exe
2148	e0fb4b7b2c571360fccea0d2032f38f3_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000e000000013a51-2.dat	upx
behavioral1/memory/2148-10-0x0000000002F50000-0x0000000003227000-memory.dmp	upx
behavioral1/memory/2336-12-0x0000000000400000-0x00000000006D7000-memory.dmp	upx
behavioral1/memory/2336-26-0x0000000000400000-0x00000000006D7000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ãÑÇÌÚÉ ÊÇÑíÎ 3 ãÊæÓØ Ý 1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0fb4b7b2c571360fccea0d2032f38f3_JaffaCakes118.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2412	WINWORD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2336	ãÑÇÌÚÉ ÊÇÑíÎ 3 ãÊæÓØ Ý 1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2412	WINWORD.EXE
2412	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2336	2148	e0fb4b7b2c571360fccea0d2032f38f3_JaffaCakes118.exe	31
PID 2148 wrote to memory of 2336	2148	e0fb4b7b2c571360fccea0d2032f38f3_JaffaCakes118.exe	31
PID 2148 wrote to memory of 2336	2148	e0fb4b7b2c571360fccea0d2032f38f3_JaffaCakes118.exe	31
PID 2148 wrote to memory of 2336	2148	e0fb4b7b2c571360fccea0d2032f38f3_JaffaCakes118.exe	31
PID 2148 wrote to memory of 2412	2148	e0fb4b7b2c571360fccea0d2032f38f3_JaffaCakes118.exe	32
PID 2148 wrote to memory of 2412	2148	e0fb4b7b2c571360fccea0d2032f38f3_JaffaCakes118.exe	32
PID 2148 wrote to memory of 2412	2148	e0fb4b7b2c571360fccea0d2032f38f3_JaffaCakes118.exe	32
PID 2148 wrote to memory of 2412	2148	e0fb4b7b2c571360fccea0d2032f38f3_JaffaCakes118.exe	32
PID 2412 wrote to memory of 2920	2412	WINWORD.EXE	34
PID 2412 wrote to memory of 2920	2412	WINWORD.EXE	34
PID 2412 wrote to memory of 2920	2412	WINWORD.EXE	34
PID 2412 wrote to memory of 2920	2412	WINWORD.EXE	34

C:\Users\Admin\AppData\Local\Temp\e0fb4b7b2c571360fccea0d2032f38f3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e0fb4b7b2c571360fccea0d2032f38f3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\ãÑÇÌÚÉ ÊÇÑíÎ 3 ãÊæÓØ Ý 1.exe
  "C:\Users\Admin\AppData\Local\Temp\ãÑÇÌÚÉ ÊÇÑíÎ 3 ãÊæÓØ Ý 1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2336
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ãÑÇÌÚÉ ÊÇÑíÎ 3 ãÊæÓØ Ý 1.docx"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ãÑÇÌÚÉ ÊÇÑíÎ 3 ãÊæÓØ Ý 1.docx

Filesize
35KB

MD5
405087a9fc996fdd5e0a233d4f5dd5f0

SHA1
6760a31c1f4377a3173b2237962a45e4331d7e90

SHA256
396082032fdf4670f08d50c9a162e75570e795f84b06ff7c2b82ec83bbf50481

SHA512
cb5f6e2a8b1542c16666e391aa285512827c6fe95a1331088a2728d822f0840fcc97a35fa983efd51538d6e2a5344b4552cf5856c1a0bb43a57e73a12fb1ee63

Download Submit
\Users\Admin\AppData\Local\Temp\ãÑÇÌÚÉ ÊÇÑíÎ 3 ãÊæÓØ Ý 1.exe

Filesize
404KB

MD5
7de5109d2dda77b835da451916de05b4

SHA1
8997fc9940e7dbee675ed2764b12d0ef41d0d168

SHA256
2302ba8bceee2eed2f7908074e13119e160c95940e2aa8d7d04be9c7fa5bc086

SHA512
93d381f1778d3f988ab206e56cd3413f57ac65e6284450f440a0dac7a97cea07cfc422ee00f65cb355fc689717bb0fc3e7a8ec1af21298030dbca8728597a319

Download Submit
memory/2148-10-0x0000000002F50000-0x0000000003227000-memory.dmp

Filesize
2.8MB

Download
memory/2148-13-0x0000000002F50000-0x0000000003227000-memory.dmp

Filesize
2.8MB

Download
memory/2148-14-0x0000000000400000-0x0000000000477920-memory.dmp

Filesize
478KB

Download
memory/2336-12-0x0000000000400000-0x00000000006D7000-memory.dmp

Filesize
2.8MB

Download
memory/2336-17-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2336-15-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2336-26-0x0000000000400000-0x00000000006D7000-memory.dmp

Filesize
2.8MB

Download
memory/2412-16-0x000000002F8E1000-0x000000002F8E2000-memory.dmp

Filesize
4KB

Download
memory/2412-19-0x000000007120D000-0x0000000071218000-memory.dmp

Filesize
44KB

Download
memory/2412-18-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2412-28-0x000000007120D000-0x0000000071218000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing