modiloader | 54b3263177b2930d78101eea7e8c59f27e78beb7c1c2430c6f1f40ec31bb6651

General

Target

5b07717f509f5d1541b064136134310e_JaffaCakes118.exe
Size

173KB
MD5

5b07717f509f5d1541b064136134310e
SHA1

2ba6e797f1b72b5d0517f0e87cc4b2df58f9ad7b
SHA256

54b3263177b2930d78101eea7e8c59f27e78beb7c1c2430c6f1f40ec31bb6651
SHA512

825a97fcbacee9da28fa18e072cbfcc987059c0549f08c23bcb747c06e3b09110eb5295833a74121498074630f8cdd029d074f4138a4f9c65ce60bab78f396cd
SSDEEP

3072:l9okd0/TZRnkXcSCajvDQDy7NgbjyEcBjsYwSd3Kgt8dTBfH8EW2:l3gZOXxPkDy7NgMwSd3NqdTB/8x2

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

apocalyps32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "userinit.exe,C:\\Windows\\apocalyps32.exe"	apocalyps32.exe

ModiLoader Second Stage 16 IoCs

Processes:

resource	yara_rule
C:\Windows\apocalyps32.exe	modiloader_stage2
behavioral1/memory/2944-6-0x0000000030000000-0x0000000030031000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-20-0x0000000030000000-0x0000000030031000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-21-0x0000000030000000-0x0000000030031000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-22-0x0000000030000000-0x0000000030031000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-23-0x0000000030000000-0x0000000030031000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-24-0x0000000030000000-0x0000000030031000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-25-0x0000000030000000-0x0000000030031000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-26-0x0000000030000000-0x0000000030031000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-27-0x0000000030000000-0x0000000030031000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-28-0x0000000030000000-0x0000000030031000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-29-0x0000000030000000-0x0000000030031000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-30-0x0000000030000000-0x0000000030031000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-31-0x0000000030000000-0x0000000030031000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-32-0x0000000030000000-0x0000000030031000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-33-0x0000000030000000-0x0000000030031000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

apocalyps32.exe

pid process

2972 apocalyps32.exe

pid	process
2972	apocalyps32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

apocalyps32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\apocalyps32 = "C:\\Windows\\apocalyps32.exe"	apocalyps32.exe

Drops file in Windows directory 2 IoCs

Processes:

5b07717f509f5d1541b064136134310e_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\apocalyps32.exe	5b07717f509f5d1541b064136134310e_JaffaCakes118.exe
File opened for modification	C:\Windows\apocalyps32.exe	5b07717f509f5d1541b064136134310e_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

apocalyps32.exe

pid process

2972 apocalyps32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

apocalyps32.exe

pid process

2972 apocalyps32.exe

pid	process
2972	apocalyps32.exe

pid	process
2972	apocalyps32.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

5b07717f509f5d1541b064136134310e_JaffaCakes118.exeapocalyps32.exe

description	pid	process	target process
PID 2944 wrote to memory of 2972	2944	5b07717f509f5d1541b064136134310e_JaffaCakes118.exe	apocalyps32.exe
PID 2944 wrote to memory of 2972	2944	5b07717f509f5d1541b064136134310e_JaffaCakes118.exe	apocalyps32.exe
PID 2944 wrote to memory of 2972	2944	5b07717f509f5d1541b064136134310e_JaffaCakes118.exe	apocalyps32.exe
PID 2944 wrote to memory of 2972	2944	5b07717f509f5d1541b064136134310e_JaffaCakes118.exe	apocalyps32.exe
PID 2972 wrote to memory of 1216	2972	apocalyps32.exe	Explorer.EXE
PID 2972 wrote to memory of 1216	2972	apocalyps32.exe	Explorer.EXE
PID 2972 wrote to memory of 1216	2972	apocalyps32.exe	Explorer.EXE
PID 2972 wrote to memory of 1216	2972	apocalyps32.exe	Explorer.EXE
PID 2972 wrote to memory of 1216	2972	apocalyps32.exe	Explorer.EXE
PID 2972 wrote to memory of 1216	2972	apocalyps32.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\5b07717f509f5d1541b064136134310e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5b07717f509f5d1541b064136134310e_JaffaCakes118.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\apocalyps32.exe
-bs
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2972

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\apocalyps32.exe
Filesize
173KB

MD5
5b07717f509f5d1541b064136134310e

SHA1
2ba6e797f1b72b5d0517f0e87cc4b2df58f9ad7b

SHA256
54b3263177b2930d78101eea7e8c59f27e78beb7c1c2430c6f1f40ec31bb6651

SHA512
825a97fcbacee9da28fa18e072cbfcc987059c0549f08c23bcb747c06e3b09110eb5295833a74121498074630f8cdd029d074f4138a4f9c65ce60bab78f396cd

Download Submit
memory/1216-7-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2944-6-0x0000000030000000-0x0000000030031000-memory.dmp

Filesize
196KB

Download
memory/2972-20-0x0000000030000000-0x0000000030031000-memory.dmp

Filesize
196KB

Download
memory/2972-21-0x0000000030000000-0x0000000030031000-memory.dmp

Filesize
196KB

Download
memory/2972-22-0x0000000030000000-0x0000000030031000-memory.dmp

Filesize
196KB

Download
memory/2972-23-0x0000000030000000-0x0000000030031000-memory.dmp

Filesize
196KB

Download
memory/2972-24-0x0000000030000000-0x0000000030031000-memory.dmp

Filesize
196KB

Download
memory/2972-25-0x0000000030000000-0x0000000030031000-memory.dmp

Filesize
196KB

Download
memory/2972-26-0x0000000030000000-0x0000000030031000-memory.dmp

Filesize
196KB

Download
memory/2972-27-0x0000000030000000-0x0000000030031000-memory.dmp

Filesize
196KB

Download
memory/2972-28-0x0000000030000000-0x0000000030031000-memory.dmp

Filesize
196KB

Download
memory/2972-29-0x0000000030000000-0x0000000030031000-memory.dmp

Filesize
196KB

Download
memory/2972-30-0x0000000030000000-0x0000000030031000-memory.dmp

Filesize
196KB

Download
memory/2972-31-0x0000000030000000-0x0000000030031000-memory.dmp

Filesize
196KB

Download
memory/2972-32-0x0000000030000000-0x0000000030031000-memory.dmp

Filesize
196KB

Download
memory/2972-33-0x0000000030000000-0x0000000030031000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads