modiloader | aeb34d7641fa1c34c1ca5c9e8bbb4210eb53c3bca02b06cee8bda3d67cb77ff4

General

Target

ef95b971af515ee6ebc8b100883d441c_JaffaCakes118.exe
Size

79KB
MD5

ef95b971af515ee6ebc8b100883d441c
SHA1

5e6e51cb03a706eb6e606819d716a42730f4ad12
SHA256

aeb34d7641fa1c34c1ca5c9e8bbb4210eb53c3bca02b06cee8bda3d67cb77ff4
SHA512

313b82b4d8b627edd3c83dfd79095eef92fe572870ca99a7b8218176e244f564e50df13319b894cca5fb936f142d8396109a4e05fcdefa1ab74b323b0e85af46
SSDEEP

1536:1oQQcI3QxNXG07aecqOQbB3fQc8Pfymg0yxpByxjuE:1oOIQXG0cyVQtPfymg0soxyE

Score

10^/10

modiloader aspackv2 discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023caf-7.dat	modiloader_stage2
behavioral2/memory/3480-17-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/412-19-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/244-25-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0008000000023caa-2.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	e57d61c2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	ef95b971af515ee6ebc8b100883d441c_JaffaCakes118.exe

Executes dropped EXE 5 IoCs

pid	Process
3248	e57d5fd1.exe
3480	e57d61c2.exe
244	QQExternal.exe
412	e57d61c2.exe
1568	e57d5fd1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QQExternal = "C:\\Users\\Admin\\AppData\\Roaming\\QQExternal.exe"	QQExternal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QQExternal = "C:\\Users\\Admin\\AppData\\Roaming\\QQExternal.exe"	e57d61c2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1748	3248	WerFault.exe	85
1684	1568	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQExternal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e57d61c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e57d5fd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef95b971af515ee6ebc8b100883d441c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e57d5fd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e57d61c2.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 3248	3172	ef95b971af515ee6ebc8b100883d441c_JaffaCakes118.exe	85
PID 3172 wrote to memory of 3248	3172	ef95b971af515ee6ebc8b100883d441c_JaffaCakes118.exe	85
PID 3172 wrote to memory of 3248	3172	ef95b971af515ee6ebc8b100883d441c_JaffaCakes118.exe	85
PID 3172 wrote to memory of 3480	3172	ef95b971af515ee6ebc8b100883d441c_JaffaCakes118.exe	86
PID 3172 wrote to memory of 3480	3172	ef95b971af515ee6ebc8b100883d441c_JaffaCakes118.exe	86
PID 3172 wrote to memory of 3480	3172	ef95b971af515ee6ebc8b100883d441c_JaffaCakes118.exe	86
PID 3480 wrote to memory of 244	3480	e57d61c2.exe	90
PID 3480 wrote to memory of 244	3480	e57d61c2.exe	90
PID 3480 wrote to memory of 244	3480	e57d61c2.exe	90
PID 3172 wrote to memory of 412	3172	ef95b971af515ee6ebc8b100883d441c_JaffaCakes118.exe	91
PID 3172 wrote to memory of 412	3172	ef95b971af515ee6ebc8b100883d441c_JaffaCakes118.exe	91
PID 3172 wrote to memory of 412	3172	ef95b971af515ee6ebc8b100883d441c_JaffaCakes118.exe	91
PID 3172 wrote to memory of 1568	3172	ef95b971af515ee6ebc8b100883d441c_JaffaCakes118.exe	92
PID 3172 wrote to memory of 1568	3172	ef95b971af515ee6ebc8b100883d441c_JaffaCakes118.exe	92
PID 3172 wrote to memory of 1568	3172	ef95b971af515ee6ebc8b100883d441c_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\ef95b971af515ee6ebc8b100883d441c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef95b971af515ee6ebc8b100883d441c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Users\Admin\AppData\Local\Temp\e57d5fd\e57d5fd1.exe
  C:\Users\Admin\AppData\Local\Temp\e57d5fd\e57d5fd1.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 384
    3⤵
    - Program crash
    PID:1748
- C:\Users\Admin\AppData\Local\Temp\e57d61c\e57d61c2.exe
  C:\Users\Admin\AppData\Local\Temp\e57d61c\e57d61c2.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Users\Admin\AppData\Roaming\QQExternal.exe
    "C:\Users\Admin\AppData\Roaming\QQExternal.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:244
- C:\Users\Admin\AppData\Local\Temp\e57d61c\e57d61c2.exe
  "C:\Users\Admin\AppData\Local\Temp\e57d61c\e57d61c2.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:412
- C:\Users\Admin\AppData\Local\Temp\e57d5fd\e57d5fd1.exe
  "C:\Users\Admin\AppData\Local\Temp\e57d5fd\e57d5fd1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 200
    3⤵
    - Program crash
    PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3248 -ip 3248
1⤵
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1568 -ip 1568
1⤵
PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e57d5fd\e57d5fd1.exe

Filesize
24KB

MD5
37c3bf1f5dae57e8f8dbe97d33de5fc9

SHA1
57a7fd631b17c33fcfb31afe60c6d7f71744f6da

SHA256
ff3259ff41131aefbc2db152bd8cc7aba730013b86665283e1e411743da8f235

SHA512
3b4a2c3eee38b8d557a6bd67edac0e7b1a0870761c143e3c5e66500a5cacdea08c36777fbcf24925c3c3caf033facb473fe1fed0d8124c9c5947549ea31bcacd

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57d61c\e57d61c2.exe

Filesize
36KB

MD5
7f36ed5bff711a328ce4f74c7ddd7708

SHA1
f84ba38ef0009cc31137ae579cdb903a059f5b78

SHA256
0299ea67b68a52892a540fbc0a708bd8676c8237d8af9d8735242b658c1cf658

SHA512
95a67a741e7d0b2b627481c35788c1c2f1f9835564e24cd0e17005c13b635d77ebc339885433038572a89dd9d42e864bb8ce5a04727874831cd06728b418b4d9

Download Submit
memory/244-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/412-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1568-24-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3248-3-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3248-21-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3480-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads