modiloader | 0668fba568301feea9bba907c24733a03118ea175c1d26523929ac19d14b9579

General

Target

cfec1649b1c52d288212b200f32e221c_JaffaCakes118.exe
Size

204KB
MD5

cfec1649b1c52d288212b200f32e221c
SHA1

6c6af933f4ff285d7858610d7793c2d02037c67b
SHA256

0668fba568301feea9bba907c24733a03118ea175c1d26523929ac19d14b9579
SHA512

706194eeefb19760d38391140ed8cb3a52e9a3cfc7e993e646049b1734d2c94deee2cc82f784125950164585ee3fb2d98c0348b616267e79af31760b291094e4
SSDEEP

6144:ZJwXA3qoseKW1N7cuT7nM8lNcMnrzsuIlizzhv:LwQaNeKW1vHzrGOzh

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/files/0x00090000000233f1-2.dat	modiloader_stage2
behavioral2/memory/3684-9-0x0000000010000000-0x0000000010079230-memory.dmp	modiloader_stage2

Executes dropped EXE 4 IoCs

pid	Process
5032	scPk.exe
3324	scPk.exe
3156	sc.exe
864	sc.exe

Loads dropped DLL 2 IoCs

pid	Process
3684	cfec1649b1c52d288212b200f32e221c_JaffaCakes118.exe
3684	cfec1649b1c52d288212b200f32e221c_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	scPk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	sc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cfec1649b1c52d288212b200f32e221c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	scPk.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ àb0¸Üôym¨uniƒÈx¸H©ÁCBœhŒog„y0¨un‰s°Èx¸Hb›oqoŽ0¨uŽ™{6›oqonhŒo‡t‘WÆJ;´ÁCBœhŒog„y0¨un‰sb›oqoŽ0¨uŽ™{6›o‘b™¦i’pYMEÁO…¢¨¶w˜®¶[‘S‚icA³ºb—uŽzwsb‹}{v…‘32¢{m„°i‚uˆD„iˆ™zVvaA³ºb—uŽzws¢«}{v…‘32\Drive›võê±.exe	sc.exe
File opened for modification	C:\Windows\SysWOW64\ àb0¸Üôym¨uniƒÈx¸H©ÁCBœhŒog„y0¨un‰s°Èx¸Hb›oqoŽ0¨uŽ™{6›oqonhŒo‡t‘WÆJ;´ÁCBœhŒog„y0¨un‰sb›oqoŽ0¨uŽ™{6›o‘b™¦i’pYMEÁO…¢¨¶w˜®¶[‘S‚icA³ºb—uŽzwsb‹}{v…‘32¢{m„°i‚uˆD„iˆ™zVvaA³ºb—uŽzws¢«}{v…‘32\Drive›võê±.exe	sc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3684 set thread context of 3856	3684	cfec1649b1c52d288212b200f32e221c_JaffaCakes118.exe	83

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3156	sc.exe
864	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfec1649b1c52d288212b200f32e221c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfec1649b1c52d288212b200f32e221c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scPk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scPk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 3856	3684	cfec1649b1c52d288212b200f32e221c_JaffaCakes118.exe	83
PID 3684 wrote to memory of 3856	3684	cfec1649b1c52d288212b200f32e221c_JaffaCakes118.exe	83
PID 3684 wrote to memory of 3856	3684	cfec1649b1c52d288212b200f32e221c_JaffaCakes118.exe	83
PID 3684 wrote to memory of 3856	3684	cfec1649b1c52d288212b200f32e221c_JaffaCakes118.exe	83
PID 3684 wrote to memory of 3856	3684	cfec1649b1c52d288212b200f32e221c_JaffaCakes118.exe	83
PID 3856 wrote to memory of 5032	3856	cfec1649b1c52d288212b200f32e221c_JaffaCakes118.exe	84
PID 3856 wrote to memory of 5032	3856	cfec1649b1c52d288212b200f32e221c_JaffaCakes118.exe	84
PID 3856 wrote to memory of 5032	3856	cfec1649b1c52d288212b200f32e221c_JaffaCakes118.exe	84
PID 5032 wrote to memory of 3324	5032	scPk.exe	85
PID 5032 wrote to memory of 3324	5032	scPk.exe	85
PID 5032 wrote to memory of 3324	5032	scPk.exe	85
PID 3324 wrote to memory of 3156	3324	scPk.exe	86
PID 3324 wrote to memory of 3156	3324	scPk.exe	86
PID 3324 wrote to memory of 3156	3324	scPk.exe	86
PID 3156 wrote to memory of 864	3156	sc.exe	88
PID 3156 wrote to memory of 864	3156	sc.exe	88
PID 3156 wrote to memory of 864	3156	sc.exe	88

C:\Users\Admin\AppData\Local\Temp\cfec1649b1c52d288212b200f32e221c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cfec1649b1c52d288212b200f32e221c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Users\Admin\AppData\Local\Temp\cfec1649b1c52d288212b200f32e221c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\cfec1649b1c52d288212b200f32e221c_JaffaCakes118.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scPk.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scPk.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\scPk.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\scPk.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3324
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sc.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sc.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Launches sc.exe
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3156
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sc.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sc.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scPk.exe

Filesize
156KB

MD5
e33de3df68c35266dfab3ef1c83be3ab

SHA1
8fc1428ebebc552a471cab3221258d9c29a200b7

SHA256
c8f750bbd89b8f610fb7a287130e543efaf46de54a786469ded2d26baae96fa3

SHA512
b9b54b56eed1e0cf0a9f7ab0685178381401a0cf28009102cf1fa2595689bf069b71dac1ae5523477c107d268e676fb2a15ac14d97251380eb4ed09f6513b1d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\scPk.exe

Filesize
124KB

MD5
223f1f43ae861f71edb0d0a800d17504

SHA1
aef11b32989f153a0868eeceedde556830f7c231

SHA256
e3bac78f033e3acf4e1245b883b74fff65e1805e77391a281c5810899d8390d9

SHA512
a991a03e14beac21eecfd099299daf660f6d9fe2c7a2e78c5ad732cea112465e926c516626e17955be10e7467fb7dcd0de739cbc87e73f61886bd96dd4e1c4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sc.exe

Filesize
93KB

MD5
abc70c54a47db29d860a6b6dabe9f649

SHA1
5e028d94d2d6629d3bf8dc095cc6e422c321716f

SHA256
ecadaef4e617c8101b4fcd9d01e865f8ac2139e4abdbaf7169da55254e401460

SHA512
bedc0d356afe1e2af2c939ec0ab326bf6306bb0bda1fb94a7bdd0ca37f60b70c09533bd91637f6ad633ebe9eb2cd47eb7d12a63a0d6c3e45d62457eea8b5ca35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sc.exe

Filesize
94KB

MD5
7d7a4c65d2b136fc79ee7d89994823b6

SHA1
34b6dcb2eb1a6e252903a4a262c01a65780669e1

SHA256
de9fe3c3f80a822891e0b82a4619208b2e73311d6bb3be34596b71274b52260b

SHA512
4b2bb4cb705835a8b9dcc34246046f82f0a9f9a909e6b0bf261a79cf62c44eeacae28f5ae5020873b9070c9ae400ff125a6e520c76f2c2790bde89aaa0d7ac20

Download Submit
C:\Users\Admin\AppData\Local\Temp\kacir.dll

Filesize
17KB

MD5
65b9130324abd8c5a802f5422fa60e88

SHA1
ca6590f37882e0752544cd2e7160d0c968fb9935

SHA256
b36c754d154ba74bafa17ae971010cd1b0eb979a1a766333776c05b5920eb95f

SHA512
7fefe2f732bb64a956508e5b94ac88cb86ac37bfb9f7d2b21bbd9e5a924a3455afd7e2405c9d7a8531ee1517272a93ca54334c02f66a8935a9edc9a5133c1359

Download Submit
memory/864-44-0x0000000000400000-0x0000000000425190-memory.dmp

Filesize
148KB

Download
memory/864-43-0x0000000000400000-0x0000000000425190-memory.dmp

Filesize
148KB

Download
memory/864-34-0x0000000000400000-0x0000000000425190-memory.dmp

Filesize
148KB

Download
memory/3156-45-0x0000000001000000-0x000000000103A7A0-memory.dmp

Filesize
233KB

Download
memory/3156-39-0x0000000001000000-0x000000000103A7A0-memory.dmp

Filesize
233KB

Download
memory/3156-28-0x0000000001000000-0x000000000103A7A0-memory.dmp

Filesize
233KB

Download
memory/3324-23-0x0000000001000000-0x000000000104A7A0-memory.dmp

Filesize
297KB

Download
memory/3324-38-0x0000000001000000-0x000000000104A7A0-memory.dmp

Filesize
297KB

Download
memory/3324-47-0x0000000001000000-0x000000000104A7A0-memory.dmp

Filesize
297KB

Download
memory/3684-0-0x0000000010000000-0x0000000010079230-memory.dmp

Filesize
484KB

Download
memory/3684-9-0x0000000010000000-0x0000000010079230-memory.dmp

Filesize
484KB

Download
memory/3856-10-0x0000000001000000-0x000000000103A000-memory.dmp

Filesize
232KB

Download
memory/3856-36-0x0000000001000000-0x000000000103A000-memory.dmp

Filesize
232KB

Download
memory/3856-7-0x0000000001000000-0x000000000103A000-memory.dmp

Filesize
232KB

Download
memory/3856-11-0x0000000001000000-0x000000000103A000-memory.dmp

Filesize
232KB

Download
memory/3856-49-0x0000000001000000-0x000000000103A000-memory.dmp

Filesize
232KB

Download
memory/5032-37-0x0000000001000000-0x000000000105A7A0-memory.dmp

Filesize
361KB

Download
memory/5032-16-0x0000000001000000-0x000000000105A7A0-memory.dmp

Filesize
361KB

Download
memory/5032-48-0x0000000001000000-0x000000000105A7A0-memory.dmp

Filesize
361KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads