modiloader | 0a3d7d9e4304fa00bbc86b726746fe9a407e7b4cdb9095af973aab03c09751b0

General

Target

f8fd642ebe5bb3ecc11018f1eba5ca01_JaffaCakes118.exe
Size

2.6MB
MD5

f8fd642ebe5bb3ecc11018f1eba5ca01
SHA1

02f086b50269182c3174ad0bbf42a046221b27c7
SHA256

0a3d7d9e4304fa00bbc86b726746fe9a407e7b4cdb9095af973aab03c09751b0
SHA512

28f9910c062547f35dd49e51652ce0c4d075b5d17a6fa8c297f1196c63c5f5fc558eec36876612c5db48111b8cff7b2fbcdb45e19f8828da831810fa529c19e3
SSDEEP

49152:Jc//////jTcUlfVBom03FRmWUTrVYFBNrtimynpn6XrSLTAroTomFHSXFHkeeVM3:Jc//////s2fVSmjRHOBNZimsp6bSboyo

Score

10^/10

modiloader discovery trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/files/0x00080000000120fe-9.dat	modiloader_stage2
behavioral1/memory/612-22-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000019c57-16.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
612	Sx_server.exe

Loads dropped DLL 2 IoCs

pid	Process
1340	cmd.exe
2976	f8fd642ebe5bb3ecc11018f1eba5ca01_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2308 set thread context of 2976	2308	f8fd642ebe5bb3ecc11018f1eba5ca01_JaffaCakes118.exe	32

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2976-19-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/files/0x0007000000019c57-16.dat	upx
behavioral1/memory/2976-32-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\2010.txt	Sx_server.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8fd642ebe5bb3ecc11018f1eba5ca01_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sx_server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8fd642ebe5bb3ecc11018f1eba5ca01_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2976	f8fd642ebe5bb3ecc11018f1eba5ca01_JaffaCakes118.exe
2976	f8fd642ebe5bb3ecc11018f1eba5ca01_JaffaCakes118.exe
2976	f8fd642ebe5bb3ecc11018f1eba5ca01_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1340	2308	f8fd642ebe5bb3ecc11018f1eba5ca01_JaffaCakes118.exe	30
PID 2308 wrote to memory of 1340	2308	f8fd642ebe5bb3ecc11018f1eba5ca01_JaffaCakes118.exe	30
PID 2308 wrote to memory of 1340	2308	f8fd642ebe5bb3ecc11018f1eba5ca01_JaffaCakes118.exe	30
PID 2308 wrote to memory of 1340	2308	f8fd642ebe5bb3ecc11018f1eba5ca01_JaffaCakes118.exe	30
PID 2308 wrote to memory of 2976	2308	f8fd642ebe5bb3ecc11018f1eba5ca01_JaffaCakes118.exe	32
PID 2308 wrote to memory of 2976	2308	f8fd642ebe5bb3ecc11018f1eba5ca01_JaffaCakes118.exe	32
PID 2308 wrote to memory of 2976	2308	f8fd642ebe5bb3ecc11018f1eba5ca01_JaffaCakes118.exe	32
PID 2308 wrote to memory of 2976	2308	f8fd642ebe5bb3ecc11018f1eba5ca01_JaffaCakes118.exe	32
PID 2308 wrote to memory of 2976	2308	f8fd642ebe5bb3ecc11018f1eba5ca01_JaffaCakes118.exe	32
PID 2308 wrote to memory of 2976	2308	f8fd642ebe5bb3ecc11018f1eba5ca01_JaffaCakes118.exe	32
PID 1340 wrote to memory of 612	1340	cmd.exe	33
PID 1340 wrote to memory of 612	1340	cmd.exe	33
PID 1340 wrote to memory of 612	1340	cmd.exe	33
PID 1340 wrote to memory of 612	1340	cmd.exe	33
PID 612 wrote to memory of 2212	612	Sx_server.exe	34
PID 612 wrote to memory of 2212	612	Sx_server.exe	34
PID 612 wrote to memory of 2212	612	Sx_server.exe	34
PID 612 wrote to memory of 2212	612	Sx_server.exe	34

C:\Users\Admin\AppData\Local\Temp\f8fd642ebe5bb3ecc11018f1eba5ca01_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8fd642ebe5bb3ecc11018f1eba5ca01_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\Sx_server.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Users\Admin\AppData\Local\Temp\Sx_server.exe
    C:\Users\Admin\AppData\Local\Temp\Sx_server.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:612
  - - C:\program files\internet explorer\IEXPLORE.EXE
      "C:\program files\internet explorer\IEXPLORE.EXE"
      4⤵
      PID:2212
- C:\Users\Admin\AppData\Local\Temp\f8fd642ebe5bb3ecc11018f1eba5ca01_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f8fd642ebe5bb3ecc11018f1eba5ca01_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

Filesize
86KB

MD5
147127382e001f495d1842ee7a9e7912

SHA1
92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

SHA256
edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

SHA512
97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

Download Submit
\Users\Admin\AppData\Local\Temp\Sx_server.exe

Filesize
683KB

MD5
dd74abfec987347eead93c487c321b69

SHA1
5e00a4cce63c4c00127c19f394f702225b82ba26

SHA256
b881d8035bd80c51ffb122d3afd610e7d86df7e006be6e8ce8796d4d26d2236f

SHA512
b5ed7b0117fdfb1ce545b1a557edcfc89d1804d40460f1fcb775dcfe969ef1810a80de75b1130b32f66f5d59543a95d6d97e53666ee339c37647644646c29965

Download Submit
memory/612-22-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2308-7-0x0000000000400000-0x00000000006A0000-memory.dmp

Filesize
2.6MB

Download
memory/2976-19-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2976-23-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2976-3-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2976-13-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2976-20-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2976-12-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2976-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2976-5-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2976-25-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2976-26-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2976-24-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2976-27-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2976-8-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2976-28-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2976-29-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2976-32-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing