modiloader | a87e0bcdd4799e3fe4e194dc01e5526cf2b7a249ff2e4406aa353c0c0dea0bf3

General

Target

JaffaCakes118_0e3a331bd3cd562bf4473d42eb9a5707.exe
Size

599KB
MD5

0e3a331bd3cd562bf4473d42eb9a5707
SHA1

22e58180a8f93130efa4b71c6ae042711d2012b5
SHA256

a87e0bcdd4799e3fe4e194dc01e5526cf2b7a249ff2e4406aa353c0c0dea0bf3
SHA512

4d2a4ca9ad686780e257025f8a1d206f0aae701b3c709d543fb43438a0d98eee80ce1be90b337bc026079b16718d186f286add8bbbece69e180281052bcd86cf
SSDEEP

12288:EhEVFbsPUnGAFeB1lOy6m7Ha96V4F3Z4mxx0e1zbUFEx7J:EeUPUGAwB18m7Q6V4QmX0e9bqEH

Score

10^/10

modiloader aspackv2 discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral2/memory/3832-11-0x0000000003350000-0x0000000003450000-memory.dmp	modiloader_stage2
behavioral2/memory/3832-26-0x0000000000400000-0x0000000000513000-memory.dmp	modiloader_stage2
behavioral2/memory/5028-29-0x0000000000400000-0x0000000000513000-memory.dmp	modiloader_stage2

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0009000000023ca4-19.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
5028	smss.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\_smss.exe	smss.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\smss.exe	JaffaCakes118_0e3a331bd3cd562bf4473d42eb9a5707.exe
File opened for modification	C:\Windows\smss.exe	JaffaCakes118_0e3a331bd3cd562bf4473d42eb9a5707.exe
File created	C:\Windows\ReDelBat.bat	JaffaCakes118_0e3a331bd3cd562bf4473d42eb9a5707.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2720	5028	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0e3a331bd3cd562bf4473d42eb9a5707.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 5028	3832	JaffaCakes118_0e3a331bd3cd562bf4473d42eb9a5707.exe	83
PID 3832 wrote to memory of 5028	3832	JaffaCakes118_0e3a331bd3cd562bf4473d42eb9a5707.exe	83
PID 3832 wrote to memory of 5028	3832	JaffaCakes118_0e3a331bd3cd562bf4473d42eb9a5707.exe	83
PID 5028 wrote to memory of 708	5028	smss.exe	84
PID 5028 wrote to memory of 708	5028	smss.exe	84
PID 3832 wrote to memory of 4680	3832	JaffaCakes118_0e3a331bd3cd562bf4473d42eb9a5707.exe	88
PID 3832 wrote to memory of 4680	3832	JaffaCakes118_0e3a331bd3cd562bf4473d42eb9a5707.exe	88
PID 3832 wrote to memory of 4680	3832	JaffaCakes118_0e3a331bd3cd562bf4473d42eb9a5707.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e3a331bd3cd562bf4473d42eb9a5707.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e3a331bd3cd562bf4473d42eb9a5707.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Windows\smss.exe
  C:\Windows\smss.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\program files\internet explorer\IexplOrE.ExE
    "C:\program files\internet explorer\IexplOrE.ExE"
    3⤵
    PID:708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 696
    3⤵
    - Program crash
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\ReDelBat.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5028 -ip 5028
1⤵
PID:3496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ReDelBat.bat

Filesize
212B

MD5
153d9ee3ef1420fa68e2eb19639aada6

SHA1
08d98e597a593fa780faf36dc3a8d7d60a4f8b3c

SHA256
09e56f33a6459d27778144e43ad6fb9013f51eaa11a7a4d319932e46d2d47ad2

SHA512
e5fe5e1012ce34fbaf8f4e9dc474e7adc0870b557c74b6a07ac57088631f5664cafb1e84e1f670326af7865d7c0d35adb98de6cb3600642ec53664d3bb125497

Download Submit
C:\Windows\smss.exe

Filesize
599KB

MD5
0e3a331bd3cd562bf4473d42eb9a5707

SHA1
22e58180a8f93130efa4b71c6ae042711d2012b5

SHA256
a87e0bcdd4799e3fe4e194dc01e5526cf2b7a249ff2e4406aa353c0c0dea0bf3

SHA512
4d2a4ca9ad686780e257025f8a1d206f0aae701b3c709d543fb43438a0d98eee80ce1be90b337bc026079b16718d186f286add8bbbece69e180281052bcd86cf

Download Submit
memory/3832-3-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/3832-15-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/3832-9-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/3832-8-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/3832-7-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/3832-6-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/3832-5-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/3832-4-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/3832-0-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/3832-10-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3832-14-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/3832-13-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/3832-12-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/3832-11-0x0000000003350000-0x0000000003450000-memory.dmp

Filesize
1024KB

Download
memory/3832-2-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/3832-26-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/3832-27-0x00000000021C0000-0x0000000002214000-memory.dmp

Filesize
336KB

Download
memory/3832-1-0x00000000021C0000-0x0000000002214000-memory.dmp

Filesize
336KB

Download
memory/5028-29-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing