modiloader | 6eae9c990dd5922fa274347955a186e7a3c596730163ccf48a95b0de8f590a00

General

Target

3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe
Size

577KB
MD5

3cfc15aa83002db936bea5571d8ac8d3
SHA1

561d453b108b0b5f51e3259a81c12d59228680e8
SHA256

6eae9c990dd5922fa274347955a186e7a3c596730163ccf48a95b0de8f590a00
SHA512

9e838181170bbd1a1e6ef0de8b1d0ff76be59090e01fc68c0d205ae364b79d5c068cf6a8253d0a4f33c55e1f06973519cfbc3480df9bbdabd89d5c6a8e90a0c0
SSDEEP

12288:LeohY7kszv6ynzRtxvlX3UHZEylVVGYMvtTvxkgoz:LYTvnbcmyLV34rP8

Score

10^/10

modiloader trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1736 2620 mshta.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2620	mshta.exe

ModiLoader Second Stage 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4692-3-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral2/memory/4692-8-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral2/memory/4692-7-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral2/memory/4692-22-0x0000000001090000-0x0000000001164000-memory.dmp	modiloader_stage2
behavioral2/memory/4692-21-0x0000000001090000-0x0000000001164000-memory.dmp	modiloader_stage2
behavioral2/memory/4692-51-0x0000000001090000-0x0000000001164000-memory.dmp	modiloader_stage2
behavioral2/memory/4692-52-0x0000000001090000-0x0000000001164000-memory.dmp	modiloader_stage2
behavioral2/memory/4692-43-0x0000000001090000-0x0000000001164000-memory.dmp	modiloader_stage2
behavioral2/memory/4692-20-0x0000000001090000-0x0000000001164000-memory.dmp	modiloader_stage2
behavioral2/memory/4692-19-0x0000000001090000-0x0000000001164000-memory.dmp	modiloader_stage2
behavioral2/memory/4692-18-0x0000000001090000-0x0000000001164000-memory.dmp	modiloader_stage2
behavioral2/memory/4692-76-0x0000000001090000-0x0000000001164000-memory.dmp	modiloader_stage2

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp46FA.tmp	acprotect

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation mshta.exe
Loads dropped DLL 1 IoCs

Processes:

3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe

pid process

4692 3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	mshta.exe

pid	process
4692	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp46FA.tmp	upx
behavioral2/memory/4692-50-0x0000000072A70000-0x0000000072A9E000-memory.dmp	upx
behavioral2/memory/4692-73-0x0000000072A70000-0x0000000072A9E000-memory.dmp	upx
behavioral2/memory/4692-83-0x0000000072A70000-0x0000000072A9E000-memory.dmp	upx
behavioral2/memory/4692-89-0x0000000072A70000-0x0000000072A9E000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe

description	pid	process	target process
PID 3028 set thread context of 4692	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exepowershell.exe

pid process

3028 3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe
4668 powershell.exe
4668 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3028 3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe
Token: SeDebugPrivilege 4668 powershell.exe

pid	process
3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe
4668	powershell.exe
4668	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe
Token: SeDebugPrivilege	4668	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exemshta.exe

description	pid	process	target process
PID 3028 wrote to memory of 4692	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe
PID 3028 wrote to memory of 4692	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe
PID 3028 wrote to memory of 4692	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe
PID 3028 wrote to memory of 4692	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe
PID 3028 wrote to memory of 4692	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe
PID 3028 wrote to memory of 4692	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe
PID 3028 wrote to memory of 4692	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe
PID 3028 wrote to memory of 4692	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe
PID 3028 wrote to memory of 4692	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe
PID 3028 wrote to memory of 4772	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe	backgroundTaskHost.exe
PID 3028 wrote to memory of 3740	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe	DllHost.exe
PID 3028 wrote to memory of 784	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe	svchost.exe
PID 3028 wrote to memory of 2752	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe	sysmon.exe
PID 3028 wrote to memory of 1372	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe	svchost.exe
PID 3028 wrote to memory of 1764	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe	svchost.exe
PID 3028 wrote to memory of 1168	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe	svchost.exe
PID 3028 wrote to memory of 2152	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe	spoolsv.exe
PID 3028 wrote to memory of 2740	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe	svchost.exe
PID 3028 wrote to memory of 3328	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe	svchost.exe
PID 3028 wrote to memory of 960	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe	svchost.exe
PID 3028 wrote to memory of 1352	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe	OfficeClickToRun.exe
PID 3028 wrote to memory of 1744	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe	svchost.exe
PID 3028 wrote to memory of 4692	3028	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe	3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe
PID 1736 wrote to memory of 4668	1736	mshta.exe	powershell.exe
PID 1736 wrote to memory of 4668	1736	mshta.exe	powershell.exe
PID 1736 wrote to memory of 4668	1736	mshta.exe	powershell.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:784
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3740
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1764

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2740

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3328

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3cfc15aa83002db936bea5571d8ac8d3_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  PID:4692

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" javascript:pX6ddas4MI="E2JcE";m5x=new%20ActiveXObject("WScript.Shell");Wfj8u9irxQ="HOj";hwr49i=m5x.RegRead("HKLM\\software\\Wow6432Node\\v4J2ufXg9\\3obk5bixGC");ygrRh1xf="Tj7GGQux6g";eval(hwr49i);C5F8sUYj="t";
1⤵
- Process spawned unexpected child process
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:anasp
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\432fggqdd.txt

Filesize
4B

MD5
dba1cdfcf6359389d170caadb3223ad2

SHA1
07e95121f318dc32d21947cc8e08a03b63ce155e

SHA256
a883209b00f5f9265f76f6516a997218f4a9dd32f5faa073ed8df3c38572d05c

SHA512
70a53e5930fb6983f704b376f509f81c385d2b4833a95eeae40fb832a1330e1684cadc721f58a281aae8fba025a0663abb49296aaeb84229cb5c6b0342cdd9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fggqdd.txt

Filesize
84B

MD5
737f1ca084a1b4c1e174688875f16fea

SHA1
9b7d9624918e1d23a90e80db2faf72baaf83842e

SHA256
9f0a4c16dbc7ce1059294493bacd17dd7f46d43dcc7e1d048ab897b30ab7e767

SHA512
63b234ac96613c1a0c761d67163667d2f5b33f52d1dec6fcc378c3e0e0a3776c45d95e42e9b4a5e3fefe8effa9a6bd3c7db1dd868acf8bb77678a99d05532d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_50c0oiyt.naf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp46FA.tmp

Filesize
66KB

MD5
aaa698721f488b181bc0f0afc5da126a

SHA1
76536a73f16ffd643ea24f8725cebfff9d49852f

SHA256
e71ba7ce01d10e60a4feac7fc5e04f34756ba621c7d88583d0f96bd3b2655647

SHA512
67d8b05678fbdc1678515c341fa8c1e26f3d1b15f2cc390bb9b1a26589a346fd57697dd3366e72d46ab265570929f1be89b8aec81112a2a98194c5886c89261d

Download Submit
memory/3028-0-0x0000000075222000-0x0000000075223000-memory.dmp

Filesize
4KB

Download
memory/3028-1-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/3028-49-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/3028-2-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/4668-68-0x00000000057C0000-0x0000000005B14000-memory.dmp

Filesize
3.3MB

Download
memory/4668-70-0x0000000005CE0000-0x0000000005D2C000-memory.dmp

Filesize
304KB

Download
memory/4668-72-0x0000000006D60000-0x0000000006D7A000-memory.dmp

Filesize
104KB

Download
memory/4668-71-0x00000000073B0000-0x0000000007A2A000-memory.dmp

Filesize
6.5MB

Download
memory/4668-69-0x0000000005C90000-0x0000000005CAE000-memory.dmp

Filesize
120KB

Download
memory/4668-54-0x00000000048C0000-0x00000000048F6000-memory.dmp

Filesize
216KB

Download
memory/4668-57-0x00000000056E0000-0x0000000005746000-memory.dmp

Filesize
408KB

Download
memory/4668-58-0x0000000005750000-0x00000000057B6000-memory.dmp

Filesize
408KB

Download
memory/4668-56-0x0000000004EE0000-0x0000000004F02000-memory.dmp

Filesize
136KB

Download
memory/4668-55-0x0000000004F80000-0x00000000055A8000-memory.dmp

Filesize
6.2MB

Download
memory/4692-51-0x0000000001090000-0x0000000001164000-memory.dmp

Filesize
848KB

Download
memory/4692-19-0x0000000001090000-0x0000000001164000-memory.dmp

Filesize
848KB

Download
memory/4692-7-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4692-20-0x0000000001090000-0x0000000001164000-memory.dmp

Filesize
848KB

Download
memory/4692-89-0x0000000072A70000-0x0000000072A9E000-memory.dmp

Filesize
184KB

Download
memory/4692-50-0x0000000072A70000-0x0000000072A9E000-memory.dmp

Filesize
184KB

Download
memory/4692-8-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4692-52-0x0000000001090000-0x0000000001164000-memory.dmp

Filesize
848KB

Download
memory/4692-43-0x0000000001090000-0x0000000001164000-memory.dmp

Filesize
848KB

Download
memory/4692-3-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4692-22-0x0000000001090000-0x0000000001164000-memory.dmp

Filesize
848KB

Download
memory/4692-21-0x0000000001090000-0x0000000001164000-memory.dmp

Filesize
848KB

Download
memory/4692-73-0x0000000072A70000-0x0000000072A9E000-memory.dmp

Filesize
184KB

Download
memory/4692-76-0x0000000001090000-0x0000000001164000-memory.dmp

Filesize
848KB

Download
memory/4692-83-0x0000000072A70000-0x0000000072A9E000-memory.dmp

Filesize
184KB

Download
memory/4692-18-0x0000000001090000-0x0000000001164000-memory.dmp

Filesize
848KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads