modiloader | 6079ed711139394a38ffe43963f077ea892992786ca62536d7ab6be25fb20b92

General

Target

020f16b063839725abb42290a939694e_JaffaCakes118.exe
Size

80KB
MD5

020f16b063839725abb42290a939694e
SHA1

0c985d986403caeba4923ea0f18b449ca468558e
SHA256

6079ed711139394a38ffe43963f077ea892992786ca62536d7ab6be25fb20b92
SHA512

8eb6501cc6889a409bed197739cebb8d21df9ef997913978a10487d793f4306bda295ef52f123181ea41ede4866875c4d3758b7aa3df2b23cd9994c70417b9e6
SSDEEP

1536:2wRwOV9CjyB5YOJ23+jzI4t3w28HkJXqQiYonfnPK9Tx9nouy8:3Rw8vB5Yrujz93wrwXxi/PITbout

Score

10^/10

modiloader trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 15 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3112-11-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral2/memory/2912-13-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral2/memory/2912-14-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral2/memory/2912-15-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral2/memory/2912-16-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral2/memory/2912-17-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral2/memory/2912-18-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral2/memory/2912-19-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral2/memory/2912-20-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral2/memory/2912-21-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral2/memory/2912-22-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral2/memory/2912-23-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral2/memory/2912-24-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral2/memory/2912-25-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2
behavioral2/memory/2912-26-0x0000000000400000-0x0000000000439000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

020f16b063839725abb42290a939694e_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	020f16b063839725abb42290a939694e_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

msmgrs.exe

pid process

2912 msmgrs.exe

pid	process
2912	msmgrs.exe

Drops startup file 2 IoCs

Processes:

msmgrs.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntdll.lnk	msmgrs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntdll.lnk	msmgrs.exe

Executes dropped EXE 1 IoCs

Processes:

msmgrs.exe

pid process

2912 msmgrs.exe

pid	process
2912	msmgrs.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3112-0-0x0000000000400000-0x0000000000439000-memory.dmp	upx
C:\Windows\SysWOW64\wins\setup\msmgrs.exe	upx
behavioral2/memory/3112-11-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/2912-8-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/2912-13-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/2912-14-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/2912-15-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/2912-16-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/2912-17-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/2912-18-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/2912-19-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/2912-20-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/2912-21-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/2912-22-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/2912-23-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/2912-24-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/2912-25-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/2912-26-0x0000000000400000-0x0000000000439000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

020f16b063839725abb42290a939694e_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wins\setup\msmgrs.exe	020f16b063839725abb42290a939694e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wins\setup\msmgrs.exe	020f16b063839725abb42290a939694e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

020f16b063839725abb42290a939694e_JaffaCakes118.exemsmgrs.exe

pid process

3112 020f16b063839725abb42290a939694e_JaffaCakes118.exe
3112 020f16b063839725abb42290a939694e_JaffaCakes118.exe
2912 msmgrs.exe
2912 msmgrs.exe

pid	process
3112	020f16b063839725abb42290a939694e_JaffaCakes118.exe
3112	020f16b063839725abb42290a939694e_JaffaCakes118.exe
2912	msmgrs.exe
2912	msmgrs.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

020f16b063839725abb42290a939694e_JaffaCakes118.exemsmgrs.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3112 wrote to memory of 2912	3112	020f16b063839725abb42290a939694e_JaffaCakes118.exe	msmgrs.exe
PID 3112 wrote to memory of 2912	3112	020f16b063839725abb42290a939694e_JaffaCakes118.exe	msmgrs.exe
PID 3112 wrote to memory of 2912	3112	020f16b063839725abb42290a939694e_JaffaCakes118.exe	msmgrs.exe
PID 2912 wrote to memory of 4600	2912	msmgrs.exe	cmd.exe
PID 2912 wrote to memory of 4600	2912	msmgrs.exe	cmd.exe
PID 2912 wrote to memory of 4600	2912	msmgrs.exe	cmd.exe
PID 2912 wrote to memory of 3100	2912	msmgrs.exe	cmd.exe
PID 2912 wrote to memory of 3100	2912	msmgrs.exe	cmd.exe
PID 2912 wrote to memory of 3100	2912	msmgrs.exe	cmd.exe
PID 2912 wrote to memory of 3604	2912	msmgrs.exe	cmd.exe
PID 2912 wrote to memory of 3604	2912	msmgrs.exe	cmd.exe
PID 2912 wrote to memory of 3604	2912	msmgrs.exe	cmd.exe
PID 4600 wrote to memory of 5088	4600	cmd.exe	regsvr32.exe
PID 4600 wrote to memory of 5088	4600	cmd.exe	regsvr32.exe
PID 4600 wrote to memory of 5088	4600	cmd.exe	regsvr32.exe
PID 3100 wrote to memory of 2772	3100	cmd.exe	regsvr32.exe
PID 3100 wrote to memory of 2772	3100	cmd.exe	regsvr32.exe
PID 3100 wrote to memory of 2772	3100	cmd.exe	regsvr32.exe
PID 3604 wrote to memory of 3396	3604	cmd.exe	regsvr32.exe
PID 3604 wrote to memory of 3396	3604	cmd.exe	regsvr32.exe
PID 3604 wrote to memory of 3396	3604	cmd.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\020f16b063839725abb42290a939694e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\020f16b063839725abb42290a939694e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\SysWOW64\wins\setup\msmgrs.exe
"C:\Windows\system32\wins\setup\msmgrs.exe"
2⤵
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\SysWOW64\cmd.exe
cmd.exe + command.com /c regsvr32 /u /s %WINDIR%/"Downloaded Program Files"/JaguarEditControl.dll
3⤵
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /u /s C:\Windows/"Downloaded Program Files"/JaguarEditControl.dll
4⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
cmd.exe + command.com /c regsvr32 /u /s %WINDIR%/"Downloaded Program Files"/tebedit.ocx
3⤵
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /u /s C:\Windows/"Downloaded Program Files"/tebedit.ocx
4⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
cmd.exe + command.com /c regsvr32 /u /s %WINDIR%/"Downloaded Program Files"/JaguarEdit4ISB.dll
3⤵
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /u /s C:\Windows/"Downloaded Program Files"/JaguarEdit4ISB.dll
4⤵
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4372,i,17949988676391029604,13756926835471203788,262144 --variations-seed-version --mojo-platform-channel-handle=1420 /prefetch:8
1⤵
PID:2068

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wins\setup\msmgrs.exe
Filesize
80KB

MD5
020f16b063839725abb42290a939694e

SHA1
0c985d986403caeba4923ea0f18b449ca468558e

SHA256
6079ed711139394a38ffe43963f077ea892992786ca62536d7ab6be25fb20b92

SHA512
8eb6501cc6889a409bed197739cebb8d21df9ef997913978a10487d793f4306bda295ef52f123181ea41ede4866875c4d3758b7aa3df2b23cd9994c70417b9e6

Download Submit
memory/2912-17-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2912-14-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2912-18-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2912-13-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2912-19-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2912-15-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2912-16-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2912-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2912-8-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2912-26-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2912-25-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2912-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2912-22-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2912-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2912-24-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3112-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3112-11-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads