modiloader | ee92973ac7a82fa137167b3419941d6a31e479a98529d92ee9cc87c605c96938

General

Target

d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
Size

24KB
MD5

d74227a8211ccd1a6b6581f1809e0697
SHA1

a8aaf1df1e9b870b93cbea79aa3efe8622ddcaa1
SHA256

ee92973ac7a82fa137167b3419941d6a31e479a98529d92ee9cc87c605c96938
SHA512

d3d80ce695779f9d4bbc5aa84bdd467268f5327e035044e4a223cc1214a4d97ab890dd0e055f0d9ea2854374208a63ed10d29a29286b04454c9da3ad71b8e069
SSDEEP

384:V2XxZEVBj4AywxjoXMcJQQhpKw87S4FYqzgZwdCyi+Ju4UVOPUn4STF7:Va2nLBxUX2wf4FY2cV6u4UelKF

Score

10^/10

modiloader discovery trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/3276-6-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/1708-9-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
1708	tcpip.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3276-0-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/files/0x0009000000023455-2.dat	upx
behavioral2/memory/3276-6-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/1708-9-0x0000000000400000-0x0000000000411000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msiupdata.dll	tcpip.exe
File created	C:\Windows\SysWOW64\tcpip.exe	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\tcpip.exe	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\farf.bat	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tcpip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
1708	tcpip.exe
1708	tcpip.exe
1708	tcpip.exe
1708	tcpip.exe
1708	tcpip.exe
1708	tcpip.exe
1708	tcpip.exe
1708	tcpip.exe
1708	tcpip.exe
1708	tcpip.exe
1708	tcpip.exe
1708	tcpip.exe
1708	tcpip.exe
1708	tcpip.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
1708	tcpip.exe
1708	tcpip.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
Token: SeDebugPrivilege	1708	tcpip.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 464	3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe	84
PID 3276 wrote to memory of 464	3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe	84
PID 3276 wrote to memory of 464	3276	d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe	84
PID 1708 wrote to memory of 3420	1708	tcpip.exe	55

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3420
- C:\Users\Admin\AppData\Local\Temp\d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d74227a8211ccd1a6b6581f1809e0697_JaffaCakes118.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\farf.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:464

C:\Windows\SysWOW64\tcpip.exe
C:\Windows\SysWOW64\tcpip.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\farf.bat

Filesize
212B

MD5
5bdf0fcca259db8cc0cb5919e58f1806

SHA1
d98848a204bc5878b5d6445a84b6c06e314512f5

SHA256
a867a6ee2c24c332e8787a769472292901429cacc877db50eaab4f082e9e70c3

SHA512
cc7dc34040d627ed9ec036fe2ac14a076187b42d30400ad23a28f8910a3b756c0261396f55a57a76c635a1c78623666f8c8b00b771b14b43919e6a89e9bb1004

Download Submit
C:\Windows\SysWOW64\tcpip.exe

Filesize
24KB

MD5
d74227a8211ccd1a6b6581f1809e0697

SHA1
a8aaf1df1e9b870b93cbea79aa3efe8622ddcaa1

SHA256
ee92973ac7a82fa137167b3419941d6a31e479a98529d92ee9cc87c605c96938

SHA512
d3d80ce695779f9d4bbc5aa84bdd467268f5327e035044e4a223cc1214a4d97ab890dd0e055f0d9ea2854374208a63ed10d29a29286b04454c9da3ad71b8e069

Download Submit
memory/1708-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3276-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3276-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing