modiloader | e275e10bea80834252aea1b5dba9a817b278b5c4a6d0594b01b1605de0b66f79

General

Target

2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe
Size

719KB
MD5

2edeb2ff18dbc657dfb2e8aa3fd9fbc8
SHA1

821705cee1712031bfea83c1673ec59c83fa6693
SHA256

e275e10bea80834252aea1b5dba9a817b278b5c4a6d0594b01b1605de0b66f79
SHA512

d8899f5f928ddb48396c8351c31a65a8627010ac466b4c47b8e8af7a2a529f26e499a50cebbf84a563e762f4b986543b343835d67ce1b802651bcceaed632733
SSDEEP

12288:Z9s0WkglhZbd1S2XgKsIpCGUy7tkEccMtXVuOdeTqlTKFbso:ZnOhZbd1SbnKayxFKVu72lTKF/

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 6 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Server.exe	modiloader_stage2
behavioral2/memory/1260-9-0x0000000000400000-0x00000000007BB000-memory.dmp	modiloader_stage2
behavioral2/memory/4660-10-0x0000000000400000-0x00000000007BB000-memory.dmp	modiloader_stage2
behavioral2/memory/4660-13-0x0000000000400000-0x00000000007BB000-memory.dmp	modiloader_stage2
behavioral2/memory/4660-18-0x0000000000400000-0x00000000007BB000-memory.dmp	modiloader_stage2
behavioral2/memory/4660-21-0x0000000000400000-0x00000000007BB000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

Server.exe

pid process

4660 Server.exe

pid	process
4660	Server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Server.exe = "C:\\Program Files (x86)\\Server.exe"	2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

Processes:

2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\Server.exe	2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Server.exe	2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe
File created	C:\Program Files (x86)\Delsx.bat	2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Server.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4660	Server.exe
Token: SeIncBasePriorityPrivilege	4660	Server.exe
Token: SeIncBasePriorityPrivilege	4660	Server.exe
Token: SeIncBasePriorityPrivilege	4660	Server.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe

description	pid	process	target process
PID 1260 wrote to memory of 4660	1260	2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe	Server.exe
PID 1260 wrote to memory of 4660	1260	2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe	Server.exe
PID 1260 wrote to memory of 4660	1260	2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe	Server.exe
PID 1260 wrote to memory of 1616	1260	2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe	cmd.exe
PID 1260 wrote to memory of 1616	1260	2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe	cmd.exe
PID 1260 wrote to memory of 1616	1260	2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2edeb2ff18dbc657dfb2e8aa3fd9fbc8_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1260

C:\Program Files (x86)\Server.exe
"C:\Program Files (x86)\Server.exe" -k
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Delsx.bat""
2⤵
PID:1616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3868 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Delsx.bat
Filesize
218B

MD5
c180c739e96486267d2a4b547ef358f6

SHA1
962691696b51120ad9118987f2876ec48fa40525

SHA256
ee2b6a347d5aa3af3e18e46a61ccd0565b107e9736560bc21284da4c4e6adfba

SHA512
1a411af0a545dfc36e3a93c7ce637eedd55ba8a85e2053201e359c7b43e631c9aa7e6da081620635b3cf82d06ba58c38af88a81f8d529dc24987d99d8a953a93

Download Submit
C:\Program Files (x86)\Server.exe
Filesize
719KB

MD5
2edeb2ff18dbc657dfb2e8aa3fd9fbc8

SHA1
821705cee1712031bfea83c1673ec59c83fa6693

SHA256
e275e10bea80834252aea1b5dba9a817b278b5c4a6d0594b01b1605de0b66f79

SHA512
d8899f5f928ddb48396c8351c31a65a8627010ac466b4c47b8e8af7a2a529f26e499a50cebbf84a563e762f4b986543b343835d67ce1b802651bcceaed632733

Download Submit
memory/1260-0-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/1260-9-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/4660-5-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/4660-10-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/4660-12-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/4660-13-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/4660-18-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/4660-21-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads