modiloader | 1ed213f482f36f6c1e6affcea60cf35ede478cf07fa3be991c7d40bb8096b5cf

General

Target

02a9bfb004f1c060d7dc0e147289bbd3_JaffaCakes118.exe
Size

90KB
MD5

02a9bfb004f1c060d7dc0e147289bbd3
SHA1

083e2f5e7f910b550b4e37d60641b581ebcb3227
SHA256

1ed213f482f36f6c1e6affcea60cf35ede478cf07fa3be991c7d40bb8096b5cf
SHA512

cb517d85411dc9fed27961046fb52fb182cd54892afde04e592a370b5e153e08252a0f3d29fe5f02420bdca77680ff12645ef5f2108ef91b09d32af272c3746a
SSDEEP

1536:VcHA5dZuvrKA1r4Jwwi55dlvo89UBYKpJ0pHWG7m9pAsiyRBugBcw4K+YSxaE/:Vcg7UrKqUwflAZYKX6aAsiyfugQ/

Score

10^/10

modiloader trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 16 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2252-11-0x0000000000400000-0x000000000043C000-memory.dmp	modiloader_stage2
behavioral1/memory/2516-14-0x0000000000400000-0x000000000043C000-memory.dmp	modiloader_stage2
behavioral1/memory/2516-15-0x0000000000400000-0x000000000043C000-memory.dmp	modiloader_stage2
behavioral1/memory/2516-16-0x0000000000400000-0x000000000043C000-memory.dmp	modiloader_stage2
behavioral1/memory/2516-17-0x0000000000400000-0x000000000043C000-memory.dmp	modiloader_stage2
behavioral1/memory/2516-18-0x0000000000400000-0x000000000043C000-memory.dmp	modiloader_stage2
behavioral1/memory/2516-19-0x0000000000400000-0x000000000043C000-memory.dmp	modiloader_stage2
behavioral1/memory/2516-20-0x0000000000400000-0x000000000043C000-memory.dmp	modiloader_stage2
behavioral1/memory/2516-21-0x0000000000400000-0x000000000043C000-memory.dmp	modiloader_stage2
behavioral1/memory/2516-22-0x0000000000400000-0x000000000043C000-memory.dmp	modiloader_stage2
behavioral1/memory/2516-23-0x0000000000400000-0x000000000043C000-memory.dmp	modiloader_stage2
behavioral1/memory/2516-24-0x0000000000400000-0x000000000043C000-memory.dmp	modiloader_stage2
behavioral1/memory/2516-25-0x0000000000400000-0x000000000043C000-memory.dmp	modiloader_stage2
behavioral1/memory/2516-26-0x0000000000400000-0x000000000043C000-memory.dmp	modiloader_stage2
behavioral1/memory/2516-27-0x0000000000400000-0x000000000043C000-memory.dmp	modiloader_stage2
behavioral1/memory/2516-28-0x0000000000400000-0x000000000043C000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

msmgrs.exe

pid process

2516 msmgrs.exe

pid	process
2516	msmgrs.exe

Drops startup file 2 IoCs

Processes:

msmgrs.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntdll.lnk	msmgrs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntdll.lnk	msmgrs.exe

Executes dropped EXE 1 IoCs

Processes:

msmgrs.exe

pid process

2516 msmgrs.exe
Loads dropped DLL 2 IoCs

Processes:

02a9bfb004f1c060d7dc0e147289bbd3_JaffaCakes118.exe

pid process

2252 02a9bfb004f1c060d7dc0e147289bbd3_JaffaCakes118.exe
2252 02a9bfb004f1c060d7dc0e147289bbd3_JaffaCakes118.exe

pid	process
2516	msmgrs.exe

pid	process
2252	02a9bfb004f1c060d7dc0e147289bbd3_JaffaCakes118.exe
2252	02a9bfb004f1c060d7dc0e147289bbd3_JaffaCakes118.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2252-0-0x0000000000400000-0x000000000043C000-memory.dmp	upx
C:\Windows\SysWOW64\wins\setup\msmgrs.exe	upx
behavioral1/memory/2252-11-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2516-12-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2516-14-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2516-15-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2516-16-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2516-17-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2516-18-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2516-19-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2516-20-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2516-21-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2516-22-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2516-23-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2516-24-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2516-25-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2516-26-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2516-27-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2516-28-0x0000000000400000-0x000000000043C000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

02a9bfb004f1c060d7dc0e147289bbd3_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wins\setup\msmgrs.exe	02a9bfb004f1c060d7dc0e147289bbd3_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wins\setup\msmgrs.exe	02a9bfb004f1c060d7dc0e147289bbd3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

02a9bfb004f1c060d7dc0e147289bbd3_JaffaCakes118.exemsmgrs.exe

pid process

2252 02a9bfb004f1c060d7dc0e147289bbd3_JaffaCakes118.exe
2252 02a9bfb004f1c060d7dc0e147289bbd3_JaffaCakes118.exe
2516 msmgrs.exe
2516 msmgrs.exe

pid	process
2252	02a9bfb004f1c060d7dc0e147289bbd3_JaffaCakes118.exe
2252	02a9bfb004f1c060d7dc0e147289bbd3_JaffaCakes118.exe
2516	msmgrs.exe
2516	msmgrs.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

02a9bfb004f1c060d7dc0e147289bbd3_JaffaCakes118.exemsmgrs.execmd.execmd.exe

description	pid	process	target process
PID 2252 wrote to memory of 2516	2252	02a9bfb004f1c060d7dc0e147289bbd3_JaffaCakes118.exe	msmgrs.exe
PID 2252 wrote to memory of 2516	2252	02a9bfb004f1c060d7dc0e147289bbd3_JaffaCakes118.exe	msmgrs.exe
PID 2252 wrote to memory of 2516	2252	02a9bfb004f1c060d7dc0e147289bbd3_JaffaCakes118.exe	msmgrs.exe
PID 2252 wrote to memory of 2516	2252	02a9bfb004f1c060d7dc0e147289bbd3_JaffaCakes118.exe	msmgrs.exe
PID 2516 wrote to memory of 2568	2516	msmgrs.exe	cmd.exe
PID 2516 wrote to memory of 2568	2516	msmgrs.exe	cmd.exe
PID 2516 wrote to memory of 2568	2516	msmgrs.exe	cmd.exe
PID 2516 wrote to memory of 2568	2516	msmgrs.exe	cmd.exe
PID 2516 wrote to memory of 2544	2516	msmgrs.exe	cmd.exe
PID 2516 wrote to memory of 2544	2516	msmgrs.exe	cmd.exe
PID 2516 wrote to memory of 2544	2516	msmgrs.exe	cmd.exe
PID 2516 wrote to memory of 2544	2516	msmgrs.exe	cmd.exe
PID 2568 wrote to memory of 3068	2568	cmd.exe	regsvr32.exe
PID 2568 wrote to memory of 3068	2568	cmd.exe	regsvr32.exe
PID 2568 wrote to memory of 3068	2568	cmd.exe	regsvr32.exe
PID 2568 wrote to memory of 3068	2568	cmd.exe	regsvr32.exe
PID 2568 wrote to memory of 3068	2568	cmd.exe	regsvr32.exe
PID 2568 wrote to memory of 3068	2568	cmd.exe	regsvr32.exe
PID 2568 wrote to memory of 3068	2568	cmd.exe	regsvr32.exe
PID 2544 wrote to memory of 2712	2544	cmd.exe	regsvr32.exe
PID 2544 wrote to memory of 2712	2544	cmd.exe	regsvr32.exe
PID 2544 wrote to memory of 2712	2544	cmd.exe	regsvr32.exe
PID 2544 wrote to memory of 2712	2544	cmd.exe	regsvr32.exe
PID 2544 wrote to memory of 2712	2544	cmd.exe	regsvr32.exe
PID 2544 wrote to memory of 2712	2544	cmd.exe	regsvr32.exe
PID 2544 wrote to memory of 2712	2544	cmd.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\02a9bfb004f1c060d7dc0e147289bbd3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02a9bfb004f1c060d7dc0e147289bbd3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\SysWOW64\wins\setup\msmgrs.exe
"C:\Windows\system32\wins\setup\msmgrs.exe"
2⤵
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\cmd.exe
cmd.exe + command.com /c regsvr32 /u /s %WINDIR%/"Downloaded Program Files"/JaguarEditControl.dll
3⤵
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /u /s C:\Windows/"Downloaded Program Files"/JaguarEditControl.dll
4⤵
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd.exe + command.com /c regsvr32 /u /s %WINDIR%/"Downloaded Program Files"/tebedit.ocx
3⤵
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /u /s C:\Windows/"Downloaded Program Files"/tebedit.ocx
4⤵
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wins\setup\msmgrs.exe

Filesize
90KB

MD5
02a9bfb004f1c060d7dc0e147289bbd3

SHA1
083e2f5e7f910b550b4e37d60641b581ebcb3227

SHA256
1ed213f482f36f6c1e6affcea60cf35ede478cf07fa3be991c7d40bb8096b5cf

SHA512
cb517d85411dc9fed27961046fb52fb182cd54892afde04e592a370b5e153e08252a0f3d29fe5f02420bdca77680ff12645ef5f2108ef91b09d32af272c3746a

Download Submit
memory/2252-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2252-11-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2516-18-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2516-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2516-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2516-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2516-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2516-12-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2516-19-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2516-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2516-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2516-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2516-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2516-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2516-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2516-26-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2516-27-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2516-28-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads