modiloader | d486b3777e5ea22d671dc3731b69c3b18c7fa55fe82f712651a73aa02d17ab20

General

Target

02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe
Size

316KB
MD5

02edc45fa5b103992445370695bc52e5
SHA1

32f765f906bf6bbd9fa4466a7602460bb7470d79
SHA256

d486b3777e5ea22d671dc3731b69c3b18c7fa55fe82f712651a73aa02d17ab20
SHA512

799c75a3af5927d0d0565a099c9098a008f7a44e7851b138c14473371a231b1c0db8cc8d57d53e8e3cf74b7fb668ff538e6437ae9cb08cdaa0f469e06c0499e5
SSDEEP

6144:+koDmoaRnyy8X4jVi/71YUW3BQWNN53H+kId+JjAwfZfiL1L3FEltFERGfU4KTtl:LoDsRnB8XCM/6/NpFKiAwBKhj+lYRsOH

Score

10^/10

modiloader defense_evasion trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/912-19-0x0000000000400000-0x00000000005BC000-memory.dmp	modiloader_stage2
behavioral2/memory/912-26-0x0000000000400000-0x00000000005BC000-memory.dmp	modiloader_stage2
behavioral2/memory/912-30-0x0000000000400000-0x00000000005BC000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

ldapi32.exe

pid process

2552 ldapi32.exe

pid	process
2552	ldapi32.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

Processes:

02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe

Loads dropped DLL 4 IoCs

Processes:

02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe

pid	process
912	02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe
912	02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe
912	02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe
912	02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/912-0-0x0000000000400000-0x00000000005BC000-memory.dmp	upx
behavioral2/memory/912-19-0x0000000000400000-0x00000000005BC000-memory.dmp	upx
behavioral2/memory/912-26-0x0000000000400000-0x00000000005BC000-memory.dmp	upx
behavioral2/memory/912-30-0x0000000000400000-0x00000000005BC000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

Processes:

02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ntswrl32.dll	02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ntcvx32.dll	02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ldapi32.exe	02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ldapi32.exe

description pid process

Token: SeDebugPrivilege 2552 ldapi32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe

pid process

912 02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2552	ldapi32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe

description	pid	process	target process
PID 912 wrote to memory of 2552	912	02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe	ldapi32.exe
PID 912 wrote to memory of 2552	912	02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe	ldapi32.exe
PID 912 wrote to memory of 2552	912	02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe	ldapi32.exe

C:\Users\Admin\AppData\Local\Temp\02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02edc45fa5b103992445370695bc52e5_JaffaCakes118.exe"
1⤵
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\ldapi32.exe
C:\Windows\system32\ldapi32.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Safe Mode Boot

1

T1562.009

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ldapi32.exe
Filesize
20KB

MD5
92acb5d55bc589ea424d174b31f76686

SHA1
1f9f023b1ae0b1be5c397fe103ac520b371fbd6b

SHA256
3bea383242a4439634618a86993c8e70c43cb8810e5324f3f9c6b9cbe7b3ead4

SHA512
e89ea8bf0b6c2bd11072a5d455e67b2b8470292dfb8382a3bfb5da4a409b86390a62f448e7cdd496f286b1ac4097436efd83e886ae5b45accda6da7dc4d9938e

Download Submit
C:\Windows\SysWOW64\ntswrl32.dll
Filesize
11KB

MD5
638f5a55fb714b6039ae0ace0ee70e44

SHA1
7b47cdf023822722b3b81e936cb16fbecb00babc

SHA256
7d671074387a6885c5a4815165242720be442689e276cf64cc376da49080bb1f

SHA512
68f8fb741566d9e4cb2a420a3fe179db59b29f9ab5f9aee7fd5312e1e7f0991b4d1491b2e557374ca7c4f3aee8948201721408601f68f9f86d36a4df5947e357

Download Submit
memory/912-0-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/912-1-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/912-20-0x0000000002600000-0x0000000002609000-memory.dmp

Filesize
36KB

Download
memory/912-19-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/912-23-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/912-27-0x0000000002600000-0x0000000002609000-memory.dmp

Filesize
36KB

Download
memory/912-26-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/912-30-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download
memory/2552-13-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads