modiloader | a46f03ae4f900892f68811a37e0d87ed9ef37cf316e5afd2c27d82cba3deb008

General

Target

b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
Size

21KB
MD5

b13b6e28e3e02a62d42c09aca347a56e
SHA1

6c1f69df7b9895e3247e369ece09a2bb43570475
SHA256

a46f03ae4f900892f68811a37e0d87ed9ef37cf316e5afd2c27d82cba3deb008
SHA512

72d0b79404fa6a45714b1de77268c5a4dcf9b2d0707b1e5c6d7b7a2b269d94a780be829bfc497b4d4a2b60cccdcc6034a2de8408759880c4ad16572ce4cede0e
SSDEEP

192:syrNCkGOuZJUAy7A4afcKK79y0BZOoWxZokqUYJLGiliH2JFPEY52MnHVhMYngMX:syrNNGOul14PQtZ5ilvL5bgHOS37Zyg

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/216-7-0x0000000000400000-0x0000000000415000-memory.dmp	modiloader_stage2
behavioral2/memory/1276-10-0x0000000000400000-0x0000000000415000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
1276	tcpip.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tcpip.exe	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\tcpip.exe	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CABSDE.bat	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\portable.dll	tcpip.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tcpip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
216	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
216	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
216	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
216	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
216	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
216	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
216	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
216	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
216	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
216	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
216	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
216	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
216	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
216	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
216	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
216	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
1276	tcpip.exe
1276	tcpip.exe
1276	tcpip.exe
1276	tcpip.exe
1276	tcpip.exe
1276	tcpip.exe
1276	tcpip.exe
1276	tcpip.exe
1276	tcpip.exe
1276	tcpip.exe
1276	tcpip.exe
1276	tcpip.exe
1276	tcpip.exe
1276	tcpip.exe
1276	tcpip.exe
1276	tcpip.exe
216	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
216	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
1276	tcpip.exe
1276	tcpip.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	216	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
Token: SeDebugPrivilege	1276	tcpip.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 4664	216	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe	85
PID 216 wrote to memory of 4664	216	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe	85
PID 216 wrote to memory of 4664	216	b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe	85
PID 1276 wrote to memory of 3496	1276	tcpip.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3496
- C:\Users\Admin\AppData\Local\Temp\b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\CABSDE.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4664

C:\Windows\SysWOW64\tcpip.exe
C:\Windows\SysWOW64\tcpip.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\CABSDE.bat

Filesize
214B

MD5
9436179d6f8994d035a8b811140b7887

SHA1
916f4685ec8b6b598461d678c195029cd6fa6613

SHA256
0ae8ef73d41c827307e08b64e77254ff9b284c3c8fe609a81f0f42e185d981fe

SHA512
feff1c5257fdca2958f967d30a760632f3a08070adc26c705b01f80bbc3dfe19d41463251dbb6d318ae931525380229110b9948c6500b092bf251b2b47f9a53e

Download Submit
C:\Windows\SysWOW64\tcpip.exe

Filesize
21KB

MD5
b13b6e28e3e02a62d42c09aca347a56e

SHA1
6c1f69df7b9895e3247e369ece09a2bb43570475

SHA256
a46f03ae4f900892f68811a37e0d87ed9ef37cf316e5afd2c27d82cba3deb008

SHA512
72d0b79404fa6a45714b1de77268c5a4dcf9b2d0707b1e5c6d7b7a2b269d94a780be829bfc497b4d4a2b60cccdcc6034a2de8408759880c4ad16572ce4cede0e

Download Submit
memory/216-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/216-1-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/216-7-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1276-10-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing