modiloader | 2c9414534e1b8d1c0d3312394392894c8cea82e491d11cb8fb59fec08e0ce9ea

General

Target

0cf8cac384878d1b82535fc878a864f8_JaffaCakes118.exe
Size

783KB
MD5

0cf8cac384878d1b82535fc878a864f8
SHA1

97ae8286455d0bb54dffee11520708604d3b54f3
SHA256

2c9414534e1b8d1c0d3312394392894c8cea82e491d11cb8fb59fec08e0ce9ea
SHA512

4b58ec3940cef41bb1869356f1a678dae05ffd50a6531711bb19655861c5d71d4e4e08f8cd511664619abc8199db862c29ea18a9c165f342f74dc352deaeca35
SSDEEP

24576:8mA5ShGE2cBA+Up6vBd2biAsT1p1Jd/e:8mA55CBrvBISTv1T/e

Score

10^/10

modiloader evasion persistence privilege_escalation trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2220-7-0x0000000000400000-0x00000000004CB000-memory.dmp	modiloader_stage2

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2504	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	Trojan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	Trojan.exe

Executes dropped EXE 4 IoCs

pid	Process
2468	facebook liker.exe
2616	server.exe
2644	F8-Autoliker.exe
1552	Trojan.exe

Loads dropped DLL 5 IoCs

pid	Process
2220	0cf8cac384878d1b82535fc878a864f8_JaffaCakes118.exe
2468	facebook liker.exe
2468	facebook liker.exe
2644	F8-Autoliker.exe
2616	server.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c00000001227e-2.dat	upx
behavioral1/memory/2468-10-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2468-29-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2468-29-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2644	F8-Autoliker.exe
2644	F8-Autoliker.exe
1552	Trojan.exe
1552	Trojan.exe
2644	F8-Autoliker.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1552	Trojan.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2468	2220	0cf8cac384878d1b82535fc878a864f8_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2468	2220	0cf8cac384878d1b82535fc878a864f8_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2468	2220	0cf8cac384878d1b82535fc878a864f8_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2468	2220	0cf8cac384878d1b82535fc878a864f8_JaffaCakes118.exe	28
PID 2468 wrote to memory of 2616	2468	facebook liker.exe	29
PID 2468 wrote to memory of 2616	2468	facebook liker.exe	29
PID 2468 wrote to memory of 2616	2468	facebook liker.exe	29
PID 2468 wrote to memory of 2616	2468	facebook liker.exe	29
PID 2468 wrote to memory of 2644	2468	facebook liker.exe	30
PID 2468 wrote to memory of 2644	2468	facebook liker.exe	30
PID 2468 wrote to memory of 2644	2468	facebook liker.exe	30
PID 2468 wrote to memory of 2644	2468	facebook liker.exe	30
PID 2616 wrote to memory of 1552	2616	server.exe	31
PID 2616 wrote to memory of 1552	2616	server.exe	31
PID 2616 wrote to memory of 1552	2616	server.exe	31
PID 2616 wrote to memory of 1552	2616	server.exe	31
PID 1552 wrote to memory of 2504	1552	Trojan.exe	32
PID 1552 wrote to memory of 2504	1552	Trojan.exe	32
PID 1552 wrote to memory of 2504	1552	Trojan.exe	32
PID 1552 wrote to memory of 2504	1552	Trojan.exe	32

C:\Users\Admin\AppData\Local\Temp\0cf8cac384878d1b82535fc878a864f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0cf8cac384878d1b82535fc878a864f8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\facebook liker.exe
  "C:\Users\Admin\AppData\Local\Temp\facebook liker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    C:\Users\Admin\AppData\Local\Temp/server.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\Trojan.exe
      "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1552
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2504
- - C:\Users\Admin\AppData\Local\Temp\F8-Autoliker.exe
    C:\Users\Admin\AppData\Local\Temp/F8-Autoliker.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6be8d281-c903-417f-ac38-0e76a15120e5\CliSecureRT64.dll

Filesize
121KB

MD5
3d388077e1f2d3985a84da390da6f39f

SHA1
355f93c5c976c1637364a18318c23b1ca5adfe73

SHA256
5c82e73619a15434120b99b64dbdbd1103e3c842c7e41cebdcb797908731897e

SHA512
8aa6fdd1fa3ff3c2d25fb91342e4587992ded43c612631743ef478705c247d2d3705e10e4aaf8f30edaf6a2edba8277af30267d849993a1faba6d1c89b2e3d13

Download Submit
\Users\Admin\AppData\Local\Temp\F8-Autoliker.exe

Filesize
481KB

MD5
48cb01213e253393b9cf51e61d101cf7

SHA1
8a69343c9cb4fc6942afd012ccccef2fdd85f11b

SHA256
b0cfd9153a851622e8814ed596a6772e1e4c43fa3ab9a6b4e59a45d0ac21a025

SHA512
2976408dea36ecde7b71ca336a224e88de4c0a24c83d55164b576fc2225e16c7a54b8f0c48e5d938d23f2ab82533cd429b3631cd954f2b0d5c19c553102e69f5

Download Submit
\Users\Admin\AppData\Local\Temp\facebook liker.exe

Filesize
676KB

MD5
82ba477adf69320ae3871ed82b7b3042

SHA1
69b64ebfaff2092ffef8030665de591fae45a2ea

SHA256
1263cbed439c6a655f7aad91082b2510dbad3371c1bf0eb7410f6cf36ef491fb

SHA512
5529ff0efa421947fd2a3dc2e9cb114bc0dd712d326b3461c53081b83ff7e54d4d9ddf8a407e648aa76d6e27ef35a1bb53528292421884adf67f477c8701c537

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
123KB

MD5
ea3e84c6d51a17675cb3226761322d8a

SHA1
50e6cb9fb32ad9639029dca789cc1f5f63b34bc1

SHA256
352ca1e8abd3a94bd1e33b59d946e83880db055b2b0a86f5480004773bf04dc6

SHA512
2826da1eee32c503ff408f3bc139b8beccd42104bbf28fcdc05772bd41539eee31bc0f1a707313933e960f56ce88a6286fb437e83f670734aa0739f80390f57d

Download Submit
memory/2220-7-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2220-6-0x0000000002C10000-0x0000000002CD2000-memory.dmp

Filesize
776KB

Download
memory/2468-10-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2468-29-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2644-35-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp

Filesize
9.6MB

Download
memory/2644-31-0x000007FEF5BDE000-0x000007FEF5BDF000-memory.dmp

Filesize
4KB

Download
memory/2644-36-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp

Filesize
9.6MB

Download
memory/2644-41-0x0000000180000000-0x0000000180023000-memory.dmp

Filesize
140KB

Download
memory/2644-40-0x000007FEF48B0000-0x000007FEF4A34000-memory.dmp

Filesize
1.5MB

Download
memory/2644-50-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp

Filesize
9.6MB

Download
memory/2644-51-0x0000000180000000-0x0000000180023000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads