modiloader | f6b42240ce066396715329e5c502a86a715fcd8c3217597926a3c95ca928518f

General

Target

75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe
Size

268KB
MD5

75e42902bc8d9f2c8d856b565f800223
SHA1

853b6ca6439f5041f17332fb33106477a9809eb7
SHA256

f6b42240ce066396715329e5c502a86a715fcd8c3217597926a3c95ca928518f
SHA512

c76da052e4d53f9b01c3e0289bf2842595f7134c53b243064f5ec69c818f839e9e1d72ce61d5f96b0c64f0fbff81ae3fd3c1e5b2a8aca199a6a31fd7abcb606a
SSDEEP

6144:Ev1nCsqQoNSWiwassZFbuPZYHNv/5rH4+af2rJpT/YSnNBz4:unCs2sqascFQqtv/V4NfkJpT/L

Score

10^/10

modiloader defense_evasion discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\System32\\userinit.exe,\"C:\\Users\\Admin\\Favorites\\netservice.exe\"un userinit.exe"	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3064-7-0x0000000000400000-0x0000000000448000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2164 cmd.exe

pid	process
2164	cmd.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3064-4-0x0000000010410000-0x0000000010494000-memory.dmp	upx

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 3064 75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe

description	pid	process	target process
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe
PID 3064 wrote to memory of 2276	3064	75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" about:blank
2⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\75e42902bc8d9f2c8d856b565f800223_JaffaCakes118.exe"
2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3064-4-0x0000000010410000-0x0000000010494000-memory.dmp

Filesize
528KB

Download
memory/3064-7-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads