modiloader | 11c7a9f9e267b56a3de35b5f5566bc445e3e843200a8d9c04f291709d83df270

General

Target

e78f3c27ee7a2f6f8591a10f7119f8d9_JaffaCakes118.exe
Size

652KB
MD5

e78f3c27ee7a2f6f8591a10f7119f8d9
SHA1

503491a78ddadb380662ba09dd9e36a6a537fb1d
SHA256

11c7a9f9e267b56a3de35b5f5566bc445e3e843200a8d9c04f291709d83df270
SHA512

e5c86764a8ea48b1014f3d724181fa0ca069ca4c866b1cb962438b2f1e621c78929b5eaae898b7ab8e6896e9bfb0015ed8cc88842f139f7e88ec7fb24d896451
SSDEEP

12288:yh4royScE8XokY8g4DnmNpT5yYFNSgUUVeuqOD7+CC0l5Csi8jHEgau:yKrd74gV7mNpT5RFNSxse3a7+N0XLieP

Score

10^/10

modiloader aspackv2 discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2808-48-0x0000000000400000-0x00000000005B3000-memory.dmp	modiloader_stage2

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000016d58-5.dat	aspack_v212_v242

Executes dropped EXE 3 IoCs

pid	Process
3008	QQÍ£³µ~1.EXE
2300	20.EXE
2808	1vmp.exe

Loads dropped DLL 6 IoCs

pid	Process
1480	e78f3c27ee7a2f6f8591a10f7119f8d9_JaffaCakes118.exe
1480	e78f3c27ee7a2f6f8591a10f7119f8d9_JaffaCakes118.exe
1480	e78f3c27ee7a2f6f8591a10f7119f8d9_JaffaCakes118.exe
1480	e78f3c27ee7a2f6f8591a10f7119f8d9_JaffaCakes118.exe
2300	20.EXE
2300	20.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	20.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e78f3c27ee7a2f6f8591a10f7119f8d9_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.txt	1vmp.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e78f3c27ee7a2f6f8591a10f7119f8d9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQÍ£³µ~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1vmp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3008	QQÍ£³µ~1.EXE
3008	QQÍ£³µ~1.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 3008	1480	e78f3c27ee7a2f6f8591a10f7119f8d9_JaffaCakes118.exe	30
PID 1480 wrote to memory of 3008	1480	e78f3c27ee7a2f6f8591a10f7119f8d9_JaffaCakes118.exe	30
PID 1480 wrote to memory of 3008	1480	e78f3c27ee7a2f6f8591a10f7119f8d9_JaffaCakes118.exe	30
PID 1480 wrote to memory of 3008	1480	e78f3c27ee7a2f6f8591a10f7119f8d9_JaffaCakes118.exe	30
PID 1480 wrote to memory of 2300	1480	e78f3c27ee7a2f6f8591a10f7119f8d9_JaffaCakes118.exe	32
PID 1480 wrote to memory of 2300	1480	e78f3c27ee7a2f6f8591a10f7119f8d9_JaffaCakes118.exe	32
PID 1480 wrote to memory of 2300	1480	e78f3c27ee7a2f6f8591a10f7119f8d9_JaffaCakes118.exe	32
PID 1480 wrote to memory of 2300	1480	e78f3c27ee7a2f6f8591a10f7119f8d9_JaffaCakes118.exe	32
PID 2300 wrote to memory of 2808	2300	20.EXE	33
PID 2300 wrote to memory of 2808	2300	20.EXE	33
PID 2300 wrote to memory of 2808	2300	20.EXE	33
PID 2300 wrote to memory of 2808	2300	20.EXE	33
PID 2808 wrote to memory of 2612	2808	1vmp.exe	34
PID 2808 wrote to memory of 2612	2808	1vmp.exe	34
PID 2808 wrote to memory of 2612	2808	1vmp.exe	34
PID 2808 wrote to memory of 2612	2808	1vmp.exe	34

C:\Users\Admin\AppData\Local\Temp\e78f3c27ee7a2f6f8591a10f7119f8d9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e78f3c27ee7a2f6f8591a10f7119f8d9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QQÍ£³µ~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QQÍ£³µ~1.EXE
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\20.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\20.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1vmp.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1vmp.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\program files\internet explorer\IEXPLORE.EXE
      "C:\program files\internet explorer\IEXPLORE.EXE"
      4⤵
      PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\20.EXE

Filesize
373KB

MD5
b2ff548bb0613b3a9ab7243852de9e38

SHA1
0534f360e8f14e4beb564a03e7a3aab25a313e0b

SHA256
703254eb3496adefdf8473159df6ee4aec6b933be596bd68b47ebb27e94fa105

SHA512
603920e35d02c5ea865c60db007347e4c564fcb5dfe238c73e9c6bcbc9074a747d89470e9646d04f404ac755c62f35be43899eb02326444388459821a33e4b2f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\QQÍ£³µ~1.EXE

Filesize
254KB

MD5
0d66e997c1b214bd9c8967fa78e830e5

SHA1
f000f3eaaf1eeb5b60128b7d705d92ade9e6cad2

SHA256
f88fef386445a9f1694f3e53a77a9afc3ec50cc3c7a08fa9f46ac05938710dce

SHA512
ead03b498f196d3379409160a18a242cc434859a602ada7b25cbe6c13eaeda5ab4835b8f73cae3ab600438c89dfceadf328234e49891a2a7f1c190087ed898fa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1vmp.exe

Filesize
305KB

MD5
324e3139f416ab9dad7f3038e4518fd9

SHA1
c196524247c29c23fd11cce7ec5611a8dff3e3c0

SHA256
85b2cb1d3de8193de37c00894b4b776e49f52e51f3dde019209860e36e9f96b9

SHA512
4c964add20b9f7230cfb352f224e032843cca0c68966aadbeda928c606e23b4e1caa915c21ca05d59a647a290061f33e8f2894f53db3727611a36d540b3be2e0

Download Submit
memory/1480-11-0x0000000000EC0000-0x0000000000FF6000-memory.dmp

Filesize
1.2MB

Download
memory/1480-54-0x0000000001000000-0x00000000010A7000-memory.dmp

Filesize
668KB

Download
memory/1480-21-0x00000000003A0000-0x0000000000401000-memory.dmp

Filesize
388KB

Download
memory/1480-0-0x0000000001000000-0x00000000010A7000-memory.dmp

Filesize
668KB

Download
memory/1480-12-0x0000000000EC0000-0x0000000000FF6000-memory.dmp

Filesize
1.2MB

Download
memory/2300-49-0x0000000001000000-0x0000000001061000-memory.dmp

Filesize
388KB

Download
memory/2300-27-0x0000000001000000-0x0000000001061000-memory.dmp

Filesize
388KB

Download
memory/2300-36-0x0000000002470000-0x0000000002623000-memory.dmp

Filesize
1.7MB

Download
memory/2300-44-0x0000000002470000-0x0000000002623000-memory.dmp

Filesize
1.7MB

Download
memory/2300-37-0x0000000002470000-0x0000000002623000-memory.dmp

Filesize
1.7MB

Download
memory/2808-46-0x0000000000416000-0x0000000000417000-memory.dmp

Filesize
4KB

Download
memory/2808-41-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download
memory/2808-40-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2808-45-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2808-39-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download
memory/2808-48-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download
memory/3008-18-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/3008-17-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads