modiloader | bc64ad45f156496dab5f38b4d6810dd3276ccb43a639e979fa2a71f370f78aad

General

Target

433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe
Size

931KB
MD5

433dd4dce13e86688a3af13686c84d1c
SHA1

69ceb568484e6436b50b067f041f383acab22870
SHA256

bc64ad45f156496dab5f38b4d6810dd3276ccb43a639e979fa2a71f370f78aad
SHA512

45f933fd991bfedaab8b1fd19d41e22432f328abb5606aa04dc9cff43bf088fc1a674c156be95bd0aa452334b96e6ab6cd1105431abd27e6d03bbaa42aef47d7
SSDEEP

24576:LQgPByJzhAfD7MjzlR7W/BdT5r4fPn9OvRSWz4r:LQgZ0z0MjHC/Bdu39OvAWz+

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2700-25-0x0000000000400000-0x0000000000459000-memory.dmp	modiloader_stage1
behavioral1/memory/2700-26-0x0000000000400000-0x0000000000459000-memory.dmp	modiloader_stage1

Drops startup file 1 IoCs

Processes:

lsass.com

description ioc process

File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cghost.url lsass.com
Executes dropped EXE 2 IoCs

Processes:

lsass.comlsass.com

pid process

1208 lsass.com
2652 lsass.com
Loads dropped DLL 2 IoCs

Processes:

cmd.exelsass.com

pid process

2204 cmd.exe
1208 lsass.com

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cghost.url	lsass.com

pid	process
1208	lsass.com
2652	lsass.com

pid	process
2204	cmd.exe
1208	lsass.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

lsass.com

description pid process target process

PID 2652 set thread context of 2700 2652 lsass.com ipconfig.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

2700 ipconfig.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2680 PING.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

lsass.com

pid process

2652 lsass.com
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

lsass.comlsass.com

pid process

1208 lsass.com
1208 lsass.com
1208 lsass.com
2652 lsass.com
2652 lsass.com
2652 lsass.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

lsass.comlsass.com

pid process

1208 lsass.com
1208 lsass.com
1208 lsass.com
2652 lsass.com
2652 lsass.com
2652 lsass.com

description	pid	process	target process
PID 2652 set thread context of 2700	2652	lsass.com	ipconfig.exe

pid	process
2700	ipconfig.exe

pid	process
2680	PING.EXE

pid	process
2652	lsass.com

pid	process
1208	lsass.com
1208	lsass.com
1208	lsass.com
2652	lsass.com
2652	lsass.com
2652	lsass.com

pid	process
1208	lsass.com
1208	lsass.com
1208	lsass.com
2652	lsass.com
2652	lsass.com
2652	lsass.com

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.execmd.exelsass.comlsass.com

description	pid	process	target process
PID 2988 wrote to memory of 2204	2988	433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe	cmd.exe
PID 2988 wrote to memory of 2204	2988	433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe	cmd.exe
PID 2988 wrote to memory of 2204	2988	433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe	cmd.exe
PID 2988 wrote to memory of 2204	2988	433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe	cmd.exe
PID 2204 wrote to memory of 2808	2204	cmd.exe	certutil.exe
PID 2204 wrote to memory of 2808	2204	cmd.exe	certutil.exe
PID 2204 wrote to memory of 2808	2204	cmd.exe	certutil.exe
PID 2204 wrote to memory of 2808	2204	cmd.exe	certutil.exe
PID 2204 wrote to memory of 1208	2204	cmd.exe	lsass.com
PID 2204 wrote to memory of 1208	2204	cmd.exe	lsass.com
PID 2204 wrote to memory of 1208	2204	cmd.exe	lsass.com
PID 2204 wrote to memory of 1208	2204	cmd.exe	lsass.com
PID 1208 wrote to memory of 2652	1208	lsass.com	lsass.com
PID 1208 wrote to memory of 2652	1208	lsass.com	lsass.com
PID 1208 wrote to memory of 2652	1208	lsass.com	lsass.com
PID 1208 wrote to memory of 2652	1208	lsass.com	lsass.com
PID 2204 wrote to memory of 2680	2204	cmd.exe	PING.EXE
PID 2204 wrote to memory of 2680	2204	cmd.exe	PING.EXE
PID 2204 wrote to memory of 2680	2204	cmd.exe	PING.EXE
PID 2204 wrote to memory of 2680	2204	cmd.exe	PING.EXE
PID 2652 wrote to memory of 2700	2652	lsass.com	ipconfig.exe
PID 2652 wrote to memory of 2700	2652	lsass.com	ipconfig.exe
PID 2652 wrote to memory of 2700	2652	lsass.com	ipconfig.exe
PID 2652 wrote to memory of 2700	2652	lsass.com	ipconfig.exe
PID 2652 wrote to memory of 2700	2652	lsass.com	ipconfig.exe

C:\Users\Admin\AppData\Local\Temp\433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\SysWOW64\cmd.exe
cmd /c <nul set /p ="M" > lsass.com & type ffXi.com >> lsass.com & del ffXi.com & certutil -decode adCt.com R & lsass.com R & ping 127.0.0.1 -n 20
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\certutil.exe
certutil -decode adCt.com R
3⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lsass.com
lsass.com R
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lsass.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lsass.com R
4⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
5⤵
- Gathers network information
PID:2700

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 20
3⤵
- Runs ping.exe
PID:2680

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\R
Filesize
250KB

MD5
53a116d2b8ab11b92b293b4ad18cc523

SHA1
a4726d5f751271a8ef9f50c343249b3e97f91cc8

SHA256
f49fd869ebc412d9bd65b96330652ff1aea58d287a06f6b5c8a02ba442fd4d22

SHA512
e8f3eac4532041823b0362d84d591ce815aa55090d44ed18ac567ba17559b051e5b0c6d66ce6b0af2b22c11d90289cf96855ca51abcb4c5d5297fd7ce656e6fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\adCt.com
Filesize
344KB

MD5
608d98351812a3c2c73b94a6f5bef048

SHA1
edbdd9e0608abc2abf531bb42423a68a22349bd8

SHA256
4a17468fec26c6b95fd7d2365eae99cbc875ac5d0b34cbeff373b2ca15238884

SHA512
e24874e67f15d04ab8594591c92236d93a2f2212002ca3354ca8fbeedd90b524737f8603837c1858d19505b1b85edd8809cd1d6a3f263043740aecf042b34a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bzYfp.com
Filesize
332KB

MD5
340f2664d7956a753d8ea2fa5c0044ff

SHA1
0134773b0534c94f62edea2302d0efe020addc25

SHA256
956eba9bc654807eaaf15438024f0485d62fa35fcaabfe1bcc8fbf6668275c63

SHA512
3e9dae031e34a33aed97a1b331748a2bdf99862e13f94057aa8d32986e0db9748592300ca3639fe3f36fd439768510b7ea587775faa89991ff79eeda2e6e2997

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ffXi.com
Filesize
872KB

MD5
d86ab2aeeac2553c7857ece4492eda5d

SHA1
0828db56b556f3f0486a9de9d2c728216035e8e6

SHA256
8861365fb619dbb90da0027db93d041681c30deb93071ec588121a8f8ba08436

SHA512
8c0154d80fb47ea5225816e95db0126d02950f0ec7909a68205ee67a0d1c4dbff971933ee5ba0307c24658ce52400e144cde720e514acf3024fbdb2505345cfe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\lsass.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/2700-25-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2700-26-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads