modiloader | 2c9414534e1b8d1c0d3312394392894c8cea82e491d11cb8fb59fec08e0ce9ea

General

Target

0cf8cac384878d1b82535fc878a864f8_JaffaCakes118.exe
Size

783KB
MD5

0cf8cac384878d1b82535fc878a864f8
SHA1

97ae8286455d0bb54dffee11520708604d3b54f3
SHA256

2c9414534e1b8d1c0d3312394392894c8cea82e491d11cb8fb59fec08e0ce9ea
SHA512

4b58ec3940cef41bb1869356f1a678dae05ffd50a6531711bb19655861c5d71d4e4e08f8cd511664619abc8199db862c29ea18a9c165f342f74dc352deaeca35
SSDEEP

24576:8mA5ShGE2cBA+Up6vBd2biAsT1p1Jd/e:8mA55CBrvBISTv1T/e

Score

10^/10

modiloader evasion persistence privilege_escalation trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/4780-10-0x0000000000400000-0x00000000004CB000-memory.dmp	modiloader_stage2

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3616	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	0cf8cac384878d1b82535fc878a864f8_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	server.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	Trojan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	Trojan.exe

Executes dropped EXE 4 IoCs

pid	Process
3584	facebook liker.exe
2444	server.exe
700	F8-Autoliker.exe
2776	Trojan.exe

Loads dropped DLL 1 IoCs

pid	Process
700	F8-Autoliker.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00060000000232a6-4.dat	upx
behavioral2/memory/3584-12-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/3584-30-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3584-30-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
700	F8-Autoliker.exe
700	F8-Autoliker.exe
2776	Trojan.exe
2776	Trojan.exe
2776	Trojan.exe
2776	Trojan.exe
2776	Trojan.exe
2776	Trojan.exe
2776	Trojan.exe
2776	Trojan.exe
2776	Trojan.exe
2776	Trojan.exe
2776	Trojan.exe
700	F8-Autoliker.exe
700	F8-Autoliker.exe
2776	Trojan.exe
2776	Trojan.exe
2776	Trojan.exe
2776	Trojan.exe
2776	Trojan.exe
2776	Trojan.exe
2776	Trojan.exe
2776	Trojan.exe
2776	Trojan.exe
2776	Trojan.exe
2776	Trojan.exe
2776	Trojan.exe
2776	Trojan.exe
2776	Trojan.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	Trojan.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 3584	4780	0cf8cac384878d1b82535fc878a864f8_JaffaCakes118.exe	81
PID 4780 wrote to memory of 3584	4780	0cf8cac384878d1b82535fc878a864f8_JaffaCakes118.exe	81
PID 4780 wrote to memory of 3584	4780	0cf8cac384878d1b82535fc878a864f8_JaffaCakes118.exe	81
PID 3584 wrote to memory of 2444	3584	facebook liker.exe	82
PID 3584 wrote to memory of 2444	3584	facebook liker.exe	82
PID 3584 wrote to memory of 2444	3584	facebook liker.exe	82
PID 3584 wrote to memory of 700	3584	facebook liker.exe	83
PID 3584 wrote to memory of 700	3584	facebook liker.exe	83
PID 2444 wrote to memory of 2776	2444	server.exe	84
PID 2444 wrote to memory of 2776	2444	server.exe	84
PID 2444 wrote to memory of 2776	2444	server.exe	84
PID 2776 wrote to memory of 3616	2776	Trojan.exe	85
PID 2776 wrote to memory of 3616	2776	Trojan.exe	85
PID 2776 wrote to memory of 3616	2776	Trojan.exe	85

C:\Users\Admin\AppData\Local\Temp\0cf8cac384878d1b82535fc878a864f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0cf8cac384878d1b82535fc878a864f8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Users\Admin\AppData\Local\Temp\facebook liker.exe
  "C:\Users\Admin\AppData\Local\Temp\facebook liker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    C:\Users\Admin\AppData\Local\Temp/server.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\Trojan.exe
      "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3616
- - C:\Users\Admin\AppData\Local\Temp\F8-Autoliker.exe
    C:\Users\Admin\AppData\Local\Temp/F8-Autoliker.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6be8d281-c903-417f-ac38-0e76a15120e5\CliSecureRT64.dll

Filesize
121KB

MD5
3d388077e1f2d3985a84da390da6f39f

SHA1
355f93c5c976c1637364a18318c23b1ca5adfe73

SHA256
5c82e73619a15434120b99b64dbdbd1103e3c842c7e41cebdcb797908731897e

SHA512
8aa6fdd1fa3ff3c2d25fb91342e4587992ded43c612631743ef478705c247d2d3705e10e4aaf8f30edaf6a2edba8277af30267d849993a1faba6d1c89b2e3d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8-Autoliker.exe

Filesize
481KB

MD5
48cb01213e253393b9cf51e61d101cf7

SHA1
8a69343c9cb4fc6942afd012ccccef2fdd85f11b

SHA256
b0cfd9153a851622e8814ed596a6772e1e4c43fa3ab9a6b4e59a45d0ac21a025

SHA512
2976408dea36ecde7b71ca336a224e88de4c0a24c83d55164b576fc2225e16c7a54b8f0c48e5d938d23f2ab82533cd429b3631cd954f2b0d5c19c553102e69f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\facebook liker.exe

Filesize
676KB

MD5
82ba477adf69320ae3871ed82b7b3042

SHA1
69b64ebfaff2092ffef8030665de591fae45a2ea

SHA256
1263cbed439c6a655f7aad91082b2510dbad3371c1bf0eb7410f6cf36ef491fb

SHA512
5529ff0efa421947fd2a3dc2e9cb114bc0dd712d326b3461c53081b83ff7e54d4d9ddf8a407e648aa76d6e27ef35a1bb53528292421884adf67f477c8701c537

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
123KB

MD5
ea3e84c6d51a17675cb3226761322d8a

SHA1
50e6cb9fb32ad9639029dca789cc1f5f63b34bc1

SHA256
352ca1e8abd3a94bd1e33b59d946e83880db055b2b0a86f5480004773bf04dc6

SHA512
2826da1eee32c503ff408f3bc139b8beccd42104bbf28fcdc05772bd41539eee31bc0f1a707313933e960f56ce88a6286fb437e83f670734aa0739f80390f57d

Download Submit
memory/700-55-0x00007FF824880000-0x00007FF824A03000-memory.dmp

Filesize
1.5MB

Download
memory/700-45-0x00007FF815960000-0x00007FF816301000-memory.dmp

Filesize
9.6MB

Download
memory/700-60-0x00007FF815960000-0x00007FF816301000-memory.dmp

Filesize
9.6MB

Download
memory/700-56-0x0000000180000000-0x0000000180023000-memory.dmp

Filesize
140KB

Download
memory/700-61-0x0000000180000000-0x0000000180023000-memory.dmp

Filesize
140KB

Download
memory/700-35-0x00007FF815C15000-0x00007FF815C16000-memory.dmp

Filesize
4KB

Download
memory/700-41-0x00007FF815960000-0x00007FF816301000-memory.dmp

Filesize
9.6MB

Download
memory/700-47-0x000000001B950000-0x000000001B9EC000-memory.dmp

Filesize
624KB

Download
memory/700-46-0x000000001B5A0000-0x000000001B8AE000-memory.dmp

Filesize
3.1MB

Download
memory/700-48-0x000000001BEC0000-0x000000001C38E000-memory.dmp

Filesize
4.8MB

Download
memory/2444-57-0x0000000074B70000-0x0000000075121000-memory.dmp

Filesize
5.7MB

Download
memory/2444-34-0x0000000074B70000-0x0000000075121000-memory.dmp

Filesize
5.7MB

Download
memory/2444-32-0x0000000074B70000-0x0000000075121000-memory.dmp

Filesize
5.7MB

Download
memory/2444-31-0x0000000074B72000-0x0000000074B73000-memory.dmp

Filesize
4KB

Download
memory/3584-30-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3584-12-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4780-10-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads