modiloader | 8817202fda09d9bd88681a85f470400b1a9cc63d147653b230f09ce94c11e2a4

General

Target

4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
Size

397KB
MD5

4545fc10b27ce3bb20b5cf9a41cac84e
SHA1

fdd3010c7fa4c126dc88b4fff1c2f0f807eecae4
SHA256

8817202fda09d9bd88681a85f470400b1a9cc63d147653b230f09ce94c11e2a4
SHA512

04c017e983d4740b8aac48e58df0d92356c2efee400a42c312456563b4e236d78b5d242a9e9692d2e343561c69b71fed2b5540b041bda27e8bc5ae7e487f0887
SSDEEP

6144:cLy84u9nSO2GjZkD10BIY3rb1YfBdfpoZ3u/Ht52w6JSeiFPXVhP:I+u9nx2GjMY3XKfd/H/9PPP

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2716-1-0x0000000000400000-0x000000000046A000-memory.dmp	modiloader_stage2

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe"	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe

pid	process
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
2716	4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe

pid process

2716 4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

explorer.exe

description pid process

Token: SeShutdownPrivilege 3004 explorer.exe

description	pid	process
Token: SeShutdownPrivilege	3004	explorer.exe

C:\Users\Admin\AppData\Local\Temp\4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4545fc10b27ce3bb20b5cf9a41cac84e_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2716

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2716-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2716-1-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads