modiloader | e0f44f5eb70f44bf48197b0729458de958d0ee9f7f6cc3ecc9fa460354fdda82

General

Target

27a333e9aeb8c68751461090d080791d_JaffaCakes118.exe
Size

689KB
MD5

27a333e9aeb8c68751461090d080791d
SHA1

f27c77ae544f03f83fc0d09b18cc42e852dc061b
SHA256

e0f44f5eb70f44bf48197b0729458de958d0ee9f7f6cc3ecc9fa460354fdda82
SHA512

6f0451a23682e4da8565bc93c74fabab92d87f63c200eed79b0d827be280f796237855e76a781de0345330ee9873dbc5af9fe65187faacf70f481057108c2caf
SSDEEP

12288:/upxBi7xX74QXxtYunc6VnCGOjtk4nEs+uFMEeoX0wK+kt1T2MYb:/qxBqxX74QBtYnCROjtkqEs+bWLfb

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/1112-16-0x0000000000400000-0x0000000000512000-memory.dmp	modiloader_stage2
behavioral1/memory/1112-18-0x0000000000400000-0x0000000000512000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
1112	444.exe

Loads dropped DLL 3 IoCs

pid	Process
2420	27a333e9aeb8c68751461090d080791d_JaffaCakes118.exe
2420	27a333e9aeb8c68751461090d080791d_JaffaCakes118.exe
1112	444.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	27a333e9aeb8c68751461090d080791d_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt	444.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3068	1112	WerFault.exe	28

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1112	2420	27a333e9aeb8c68751461090d080791d_JaffaCakes118.exe	28
PID 2420 wrote to memory of 1112	2420	27a333e9aeb8c68751461090d080791d_JaffaCakes118.exe	28
PID 2420 wrote to memory of 1112	2420	27a333e9aeb8c68751461090d080791d_JaffaCakes118.exe	28
PID 2420 wrote to memory of 1112	2420	27a333e9aeb8c68751461090d080791d_JaffaCakes118.exe	28
PID 2420 wrote to memory of 1112	2420	27a333e9aeb8c68751461090d080791d_JaffaCakes118.exe	28
PID 2420 wrote to memory of 1112	2420	27a333e9aeb8c68751461090d080791d_JaffaCakes118.exe	28
PID 2420 wrote to memory of 1112	2420	27a333e9aeb8c68751461090d080791d_JaffaCakes118.exe	28
PID 1112 wrote to memory of 2552	1112	444.exe	29
PID 1112 wrote to memory of 2552	1112	444.exe	29
PID 1112 wrote to memory of 2552	1112	444.exe	29
PID 1112 wrote to memory of 2552	1112	444.exe	29
PID 1112 wrote to memory of 2552	1112	444.exe	29
PID 1112 wrote to memory of 2552	1112	444.exe	29
PID 1112 wrote to memory of 2552	1112	444.exe	29
PID 1112 wrote to memory of 3068	1112	444.exe	30
PID 1112 wrote to memory of 3068	1112	444.exe	30
PID 1112 wrote to memory of 3068	1112	444.exe	30
PID 1112 wrote to memory of 3068	1112	444.exe	30
PID 1112 wrote to memory of 3068	1112	444.exe	30
PID 1112 wrote to memory of 3068	1112	444.exe	30
PID 1112 wrote to memory of 3068	1112	444.exe	30

C:\Users\Admin\AppData\Local\Temp\27a333e9aeb8c68751461090d080791d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\27a333e9aeb8c68751461090d080791d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\444.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\444.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 372
    3⤵
    - Program crash
    PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\444.exe

Filesize
637KB

MD5
2c566c8913785c69a72f233a9cac074e

SHA1
b6e1c47d8911282be7ade6d6738a30e99ab229eb

SHA256
99795e2f8ab62e2769a31986ef6e258813872c48af72837b519db33dc6cf5411

SHA512
8e007fa141ceb545ebdbae4185af73c6535aabb2c84f5baf61f0f11a50fc0412e9f66ba6f80de02fa7fab9a6f3e7edcfdda725500aa4a67d7abc78a8639d0b40

Download Submit
memory/1112-10-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1112-15-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1112-14-0x00000000004B9000-0x00000000004BA000-memory.dmp

Filesize
4KB

Download
memory/1112-16-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1112-18-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1112-20-0x00000000004B9000-0x00000000004BA000-memory.dmp

Filesize
4KB

Download
memory/2420-9-0x00000000008A0000-0x00000000009B2000-memory.dmp

Filesize
1.1MB

Download
memory/2420-13-0x00000000008A0000-0x00000000009B2000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads