modiloader | 9bb561f167b215e61d7ccb82eb32a1b4b6d5a559722c3f04f22f5c575ab09ff2

General

Target

9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe
Size

406KB
MD5

9fe78f1f9f227b4d5f94300dd3ab1e84
SHA1

4b105d8f863866c091b0b93522c0f6b618d2a9f2
SHA256

9bb561f167b215e61d7ccb82eb32a1b4b6d5a559722c3f04f22f5c575ab09ff2
SHA512

38dfa5ae0b073cd6e46d29cbd3b1a141ee07d4fcb680d659b7df4e6c71cef146f38758c5675f3622525836e8cfc7a79ad2e4e683ab56a4ea8a633b6c328dd612
SSDEEP

6144:RQRkXzdNg2pmLdwlingfCJ2iIE6ToHCom0YwwR3EzxOBPpoeoCW7:eWpNgc0Bg/ZhTTLwcE8HW7

Score

10^/10

modiloader persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1916-21-0x0000000000240000-0x000000000024E000-memory.dmp	modiloader_stage2
behavioral1/memory/1968-29-0x0000000000280000-0x000000000028E000-memory.dmp	modiloader_stage2
behavioral1/memory/1780-31-0x0000000001FA0000-0x0000000001FAE000-memory.dmp	modiloader_stage2
behavioral1/memory/1916-32-0x0000000000400000-0x0000000000412000-memory.dmp	modiloader_stage2
behavioral1/memory/1916-44-0x0000000000240000-0x000000000024E000-memory.dmp	modiloader_stage2

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Program Files\Common Files\Microsoft Shared\MSInfo\InfoMs.hk	acprotect

Executes dropped EXE 2 IoCs

Processes:

521dnfAsist.exemydnf.exe

pid process

1780 521dnfAsist.exe
1968 mydnf.exe

pid	process
1780	521dnfAsist.exe
1968	mydnf.exe

Loads dropped DLL 7 IoCs

Processes:

9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exemydnf.exe521dnfAsist.exe

pid	process
1916	9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe
1916	9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe
1916	9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe
1916	9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe
1916	9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe
1968	mydnf.exe
1780	521dnfAsist.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Program Files\Common Files\Microsoft Shared\MSInfo\InfoMs.hk	upx
behavioral1/memory/1916-21-0x0000000000240000-0x000000000024E000-memory.dmp	upx
behavioral1/memory/1968-29-0x0000000000280000-0x000000000028E000-memory.dmp	upx
behavioral1/memory/1780-31-0x0000000001FA0000-0x0000000001FAE000-memory.dmp	upx
behavioral1/memory/1916-44-0x0000000000240000-0x000000000024E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

mydnf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DasDNF = "C:\\Windows\\system32\\DasDNF.exe"	mydnf.exe

Drops file in System32 directory 2 IoCs

Processes:

mydnf.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\DasDNF.exe mydnf.exe
File created C:\Windows\SysWOW64\DasDNF.exe mydnf.exe
Drops file in Program Files directory 1 IoCs

Processes:

9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe

description ioc process

File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\InfoMs.hk 9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\DasDNF.exe	mydnf.exe
File created	C:\Windows\SysWOW64\DasDNF.exe	mydnf.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\InfoMs.hk	9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

521dnfAsist.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	521dnfAsist.exe

Modifies registry class 1 IoCs

Processes:

mydnf.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\DasDNF.exe" mydnf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\DasDNF.exe"	mydnf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

mydnf.exe

pid	process
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe
1968	mydnf.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe521dnfAsist.exemydnf.exe

pid process

1916 9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe
1780 521dnfAsist.exe
1780 521dnfAsist.exe
1968 mydnf.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe

description	pid	process	target process
PID 1916 wrote to memory of 1780	1916	9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe	521dnfAsist.exe
PID 1916 wrote to memory of 1780	1916	9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe	521dnfAsist.exe
PID 1916 wrote to memory of 1780	1916	9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe	521dnfAsist.exe
PID 1916 wrote to memory of 1780	1916	9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe	521dnfAsist.exe
PID 1916 wrote to memory of 1968	1916	9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe	mydnf.exe
PID 1916 wrote to memory of 1968	1916	9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe	mydnf.exe
PID 1916 wrote to memory of 1968	1916	9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe	mydnf.exe
PID 1916 wrote to memory of 1968	1916	9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe	mydnf.exe

C:\Users\Admin\AppData\Local\Temp\9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9fe78f1f9f227b4d5f94300dd3ab1e84_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Local\Temp\521dnfAsist.exe
"C:\Users\Admin\AppData\Local\Temp\521dnfAsist.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1780

C:\Users\Admin\AppData\Local\Temp\mydnf.exe
"C:\Users\Admin\AppData\Local\Temp\mydnf.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Common Files\Microsoft Shared\MSInfo\InfoMs.hk
Filesize
12KB

MD5
86dacf8a30f76f2abc61c7a5d466b37f

SHA1
937a47e385440b6f54904921dfd41e4e81e112ca

SHA256
bc626ccdbf16a48d1592505f7122684cab08ab8748b6d21988f0a0af81de9888

SHA512
38f7d6fe7a14f4164ecdf3aa4d24226b3a8aa83062df8c0eac5c213bc3c7b9598ee4eedfcd1d2f3a031f05923edb8e6fcc338d71fe28e37f9e6e5f407fbd949d

Download Submit
\Users\Admin\AppData\Local\Temp\521dnfAsist.exe
Filesize
348KB

MD5
0f8b25646b0a0f19db13f3f0c4f547d8

SHA1
fba6b858c78a209c9ce2dc7b0f686e432b9c5cf3

SHA256
0279f688b34890b53595025a988dc40d91fc108fd0fa44cd0730238ca6ab37c0

SHA512
1e479df57a0abfb65eddd1ce567ee1df053a48d764654cb306bc51e73557b285dba37a15ccc10072489ee9c2fc1ee673389634ce90dd040f2ad783a757b5a5a0

Download Submit
\Users\Admin\AppData\Local\Temp\mydnf.exe
Filesize
15KB

MD5
a24a6207dcf634e4389165a3f24af433

SHA1
3ad80297b6097bf386591884488493237cf3002b

SHA256
fe9f40037b611e5c60711068b0115a463618ca90a33a8cfe13657dd95f77c1ca

SHA512
45c4d277d7ee824cc0b9c49ad556e7991a0385f462e9989835e8f8bf2664bd149065463ecb8d24d692eb62bba92e31061f6de924f1f99102f060251a2fa94b67

Download Submit
memory/1780-31-0x0000000001FA0000-0x0000000001FAE000-memory.dmp

Filesize
56KB

Download
memory/1916-21-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/1916-32-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1916-44-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/1968-29-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/1968-33-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads