modiloader | 19406ad720fb45336138b85ee6c86fcdd27890ac3ffc814228a2bbe1d1d79d11

General

Target

00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe
Size

725KB
MD5

00847a86f1a44be5289bb40835a2691a
SHA1

2187da3685b422c84704dadec0329041c21be0d7
SHA256

19406ad720fb45336138b85ee6c86fcdd27890ac3ffc814228a2bbe1d1d79d11
SHA512

96bd9d87ad0f8929cf55d6d420ccfaf3a15446f83c3aec68cb50ee864bb98be95257013f7e0b531e9a6076af9d97b90adceca70703e992f523d7c6995bf3f050
SSDEEP

12288:ItS5RTQ7aT7YilhjzAF4gv6tLbAfyI0xkaa+5jqJeAT9gH:4c22T7BRS46kbAfyWMjqMATCH

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4948-2-0x0000000000C50000-0x0000000000D0C000-memory.dmp	modiloader_stage2
behavioral2/memory/4776-3-0x0000000000400000-0x00000000004BC000-memory.dmp	modiloader_stage2

Suspicious use of SetThreadContext 1 IoCs

Processes:

00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe

description pid process target process

PID 4776 set thread context of 4948 4776 00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe IEXPLORE.EXE
Drops file in Windows directory 1 IoCs

Processes:

00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe

description ioc process

File created C:\Windows\FieleWay.txt 00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe

description	pid	process	target process
PID 4776 set thread context of 4948	4776	00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe	IEXPLORE.EXE

description	ioc	process
File created	C:\Windows\FieleWay.txt	00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31113869"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2300067240"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B4A2C52D-2E80-11EF-86EC-F2F05A85BDCE} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31113869"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425596553"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2301629933"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2301629933"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2300067240"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31113869"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31113869"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

4948 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

4948 IEXPLORE.EXE
4948 IEXPLORE.EXE
2996 IEXPLORE.EXE
2996 IEXPLORE.EXE
2996 IEXPLORE.EXE
2996 IEXPLORE.EXE

pid	process
4948	IEXPLORE.EXE

pid	process
4948	IEXPLORE.EXE
4948	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exeIEXPLORE.EXE

description	pid	process	target process
PID 4776 wrote to memory of 4948	4776	00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe	IEXPLORE.EXE
PID 4776 wrote to memory of 4948	4776	00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe	IEXPLORE.EXE
PID 4776 wrote to memory of 4948	4776	00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe	IEXPLORE.EXE
PID 4948 wrote to memory of 2996	4948	IEXPLORE.EXE	IEXPLORE.EXE
PID 4948 wrote to memory of 2996	4948	IEXPLORE.EXE	IEXPLORE.EXE
PID 4948 wrote to memory of 2996	4948	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4776

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4948

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4948 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
a20dcdd581a69f44e7dcbeeab5084fb4

SHA1
61e152b89ab8a04af1843bbfee557d193924ec51

SHA256
009768e52ded8da33ac7d96d521e882eef9765278997f2ce47311f637696d9c7

SHA512
77de84bf9c5480e704991bc16d8f555dc10891e3a5a7044fe2b133cc49d20ebb78c68bbdd4c9a4acd8e7424bce28a00bd3651f3b852a2a726f3f879a741cc7ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
0e519fa6c861ca3f581448ccf547fc36

SHA1
a148f4c7f3f0c5ab2b89a4cb0a711a7d42f19984

SHA256
5bdae3b80bda43457dfb56846b3245c9e135e6c634530fc9f5fd9c0e842895dc

SHA512
a4b7910e9ac99be865054fabf3fe8f3e24f26d4b3454f12656b84b408470dc32e91d3e1b0256853e6a05a332d481bee1e888d3412ac9c7617ed05504867c164a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verE36B.tmp
Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GU2A83AM\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
memory/4776-0-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/4776-3-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4948-2-0x0000000000C50000-0x0000000000D0C000-memory.dmp

Filesize
752KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads