modiloader | 611ac703f76163fe8a72bbafb23b09fc1a9a8a72f1a4f6a4e87f2da19c3bac4a

General

Target

fcdfc8ab0f761a7a5231b41bcbcb9d7c_JaffaCakes118.exe
Size

1.9MB
MD5

fcdfc8ab0f761a7a5231b41bcbcb9d7c
SHA1

bd1b6536f1bc169d5c9d8b7c57951d649690fc0d
SHA256

611ac703f76163fe8a72bbafb23b09fc1a9a8a72f1a4f6a4e87f2da19c3bac4a
SHA512

294a441681f568240b4fa56da653ce0e128506c98ef49381b2555b201734910191e8a94a593255e19a080f858366cd0388df937f829c3bfabb6d9709b7f3d554
SSDEEP

24576:DcaZGI6sREDijpdRdhIVk0/Co1QYv8DT3Sb/Yg8MpBwQICWTiG4WNiGpUnvxTy3b:Qat6sR1/hIVtC4QYv81MF2OnvxEQtzs

Score

10^/10

modiloader discovery evasion trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ghsalncr.exe

ModiLoader Second Stage 9 IoCs

resource	yara_rule
behavioral1/memory/1968-8-0x0000000000010000-0x00000000003B1000-memory.dmp	modiloader_stage2
behavioral1/memory/1968-11-0x0000000000010000-0x00000000003B1000-memory.dmp	modiloader_stage2
behavioral1/memory/1968-10-0x0000000000011000-0x0000000000016000-memory.dmp	modiloader_stage2
behavioral1/memory/1968-7-0x0000000000010000-0x00000000003B1000-memory.dmp	modiloader_stage2
behavioral1/memory/1968-9-0x0000000000010000-0x00000000003B1000-memory.dmp	modiloader_stage2
behavioral1/memory/1968-24-0x0000000000010000-0x00000000003B1000-memory.dmp	modiloader_stage2
behavioral1/memory/1548-29-0x0000000000010000-0x00000000003B1000-memory.dmp	modiloader_stage2
behavioral1/memory/1548-36-0x0000000000010000-0x00000000003B1000-memory.dmp	modiloader_stage2
behavioral1/memory/1968-39-0x0000000000010000-0x00000000003B1000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2520	ghsalncr.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	ghsalncr.exe

Loads dropped DLL 2 IoCs

pid	Process
1968	fcdfc8ab0f761a7a5231b41bcbcb9d7c_JaffaCakes118.exe
1968	fcdfc8ab0f761a7a5231b41bcbcb9d7c_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2520	ghsalncr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ghsalncr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apocalyps32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcdfc8ab0f761a7a5231b41bcbcb9d7c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2520	ghsalncr.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
1968	fcdfc8ab0f761a7a5231b41bcbcb9d7c_JaffaCakes118.exe
1548	apocalyps32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2520	1968	fcdfc8ab0f761a7a5231b41bcbcb9d7c_JaffaCakes118.exe	30
PID 1968 wrote to memory of 2520	1968	fcdfc8ab0f761a7a5231b41bcbcb9d7c_JaffaCakes118.exe	30
PID 1968 wrote to memory of 2520	1968	fcdfc8ab0f761a7a5231b41bcbcb9d7c_JaffaCakes118.exe	30
PID 1968 wrote to memory of 2520	1968	fcdfc8ab0f761a7a5231b41bcbcb9d7c_JaffaCakes118.exe	30
PID 1968 wrote to memory of 1548	1968	fcdfc8ab0f761a7a5231b41bcbcb9d7c_JaffaCakes118.exe	31
PID 1968 wrote to memory of 1548	1968	fcdfc8ab0f761a7a5231b41bcbcb9d7c_JaffaCakes118.exe	31
PID 1968 wrote to memory of 1548	1968	fcdfc8ab0f761a7a5231b41bcbcb9d7c_JaffaCakes118.exe	31
PID 1968 wrote to memory of 1548	1968	fcdfc8ab0f761a7a5231b41bcbcb9d7c_JaffaCakes118.exe	31
PID 1548 wrote to memory of 2424	1548	apocalyps32.exe	32
PID 1548 wrote to memory of 2424	1548	apocalyps32.exe	32
PID 1548 wrote to memory of 2424	1548	apocalyps32.exe	32
PID 1548 wrote to memory of 2424	1548	apocalyps32.exe	32

C:\Users\Admin\AppData\Local\Temp\fcdfc8ab0f761a7a5231b41bcbcb9d7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fcdfc8ab0f761a7a5231b41bcbcb9d7c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\ghsalncr.exe
  "C:\Users\Admin\AppData\Local\Temp\ghsalncr.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2520
- C:\Windows\apocalyps32.exe
  -bs
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Program Files\Internet Explorer\iexplore.exe
    -bs
    3⤵
    PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ghsalncr.exe

Filesize
1.5MB

MD5
80a52d11144c22271255740cc9bc3174

SHA1
e4d384234b5f55be66aa9c06607a6435aa69130a

SHA256
72d468dd390680fbc50128a70a8ea9839c4a543bcf3d6af6a97237c08c7e1eb1

SHA512
ccd906a87d8a8d38879a8173358bad100693ef233a8234434ec09d638804f73f74d35a390de16e63d9c0f5e360d1be8d460f5784535c73517875e2e47a20ab8f

Download Submit
memory/1548-36-0x0000000000010000-0x00000000003B1000-memory.dmp

Filesize
3.6MB

Download
memory/1548-28-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/1548-29-0x0000000000010000-0x00000000003B1000-memory.dmp

Filesize
3.6MB

Download
memory/1548-30-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/1548-31-0x00000000006A0000-0x00000000006A2000-memory.dmp

Filesize
8KB

Download
memory/1548-32-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/1548-34-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/1548-33-0x00000000006D0000-0x00000000006D2000-memory.dmp

Filesize
8KB

Download
memory/1968-6-0x0000000000670000-0x00000000006AE000-memory.dmp

Filesize
248KB

Download
memory/1968-8-0x0000000000010000-0x00000000003B1000-memory.dmp

Filesize
3.6MB

Download
memory/1968-3-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/1968-5-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/1968-39-0x0000000000010000-0x00000000003B1000-memory.dmp

Filesize
3.6MB

Download
memory/1968-1-0x0000000000010000-0x00000000003B1000-memory.dmp

Filesize
3.6MB

Download
memory/1968-4-0x00000000005E0000-0x00000000005E2000-memory.dmp

Filesize
8KB

Download
memory/1968-24-0x0000000000010000-0x00000000003B1000-memory.dmp

Filesize
3.6MB

Download
memory/1968-23-0x0000000000670000-0x00000000006AE000-memory.dmp

Filesize
248KB

Download
memory/1968-21-0x0000000000670000-0x00000000006AE000-memory.dmp

Filesize
248KB

Download
memory/1968-9-0x0000000000010000-0x00000000003B1000-memory.dmp

Filesize
3.6MB

Download
memory/1968-0-0x0000000000670000-0x00000000006AE000-memory.dmp

Filesize
248KB

Download
memory/1968-2-0x0000000000010000-0x00000000003B1000-memory.dmp

Filesize
3.6MB

Download
memory/1968-7-0x0000000000010000-0x00000000003B1000-memory.dmp

Filesize
3.6MB

Download
memory/1968-10-0x0000000000011000-0x0000000000016000-memory.dmp

Filesize
20KB

Download
memory/1968-11-0x0000000000010000-0x00000000003B1000-memory.dmp

Filesize
3.6MB

Download
memory/2520-25-0x0000000000400000-0x00000000007B2000-memory.dmp

Filesize
3.7MB

Download
memory/2520-26-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2520-37-0x0000000000400000-0x00000000007B2000-memory.dmp

Filesize
3.7MB

Download
memory/2520-38-0x0000000000400000-0x00000000007B2000-memory.dmp

Filesize
3.7MB

Download
memory/2520-27-0x00000000007C0000-0x00000000008B8000-memory.dmp

Filesize
992KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads