modiloader | 21d36c59d1e17b806190ad7610c86c08f40549c92e59deec82a40b046f36d301

General

Target

ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe
Size

79KB
MD5

ea426e6d819e8e5fb992918e92a618ec
SHA1

0c726aece5b25b66bde0573a3b36664ad1425502
SHA256

21d36c59d1e17b806190ad7610c86c08f40549c92e59deec82a40b046f36d301
SHA512

aa4101dde41b8ccbfe91b6da652c57e15aa963a9448e243f2a5c76f73dd5148f52b4da763c8939f7ed238ba26232067ee5b45d19e202a908045bedf8796890bd
SSDEEP

1536:gyhPiKGK2KapxL2RfDn7xtsWFTP2lZjcjLmlNelfUmwWHpX:taKcZZ2Rb7xBFTP2gXmyNUmfHpX

Score

10^/10

modiloader discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 17 IoCs

resource	yara_rule
behavioral1/memory/2152-15-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral1/memory/2152-29-0x0000000000220000-0x0000000000242000-memory.dmp	modiloader_stage2
behavioral1/memory/2316-30-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral1/memory/2316-32-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral1/memory/2316-34-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral1/memory/2316-36-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral1/memory/2316-38-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral1/memory/2316-41-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral1/memory/2316-42-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral1/memory/2316-43-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral1/memory/2316-44-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral1/memory/2316-45-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral1/memory/2316-46-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral1/memory/2316-47-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral1/memory/2316-48-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral1/memory/2316-49-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral1/memory/2316-50-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2316	netprotocol.exe

Loads dropped DLL 2 IoCs

pid	Process
980	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe
980	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2152-0-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/files/0x0009000000015cb8-25.dat	upx
behavioral1/memory/2316-28-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2152-15-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2152-29-0x0000000000220000-0x0000000000242000-memory.dmp	upx
behavioral1/memory/2316-30-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2316-32-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2316-34-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2316-36-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2316-38-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2316-41-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2316-42-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2316-43-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2316-44-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2316-45-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2316-46-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2316-47-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2316-48-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2316-49-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2316-50-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Netprotocol = "C:\\Users\\Admin\\AppData\\Roaming\\netprotocol.exe"	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2152 set thread context of 980	2152	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 980	2152	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	31
PID 2152 wrote to memory of 980	2152	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	31
PID 2152 wrote to memory of 980	2152	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	31
PID 2152 wrote to memory of 980	2152	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	31
PID 2152 wrote to memory of 980	2152	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	31
PID 2152 wrote to memory of 980	2152	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	31
PID 2152 wrote to memory of 980	2152	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	31
PID 2152 wrote to memory of 980	2152	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	31
PID 2152 wrote to memory of 980	2152	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	31
PID 980 wrote to memory of 2316	980	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	32
PID 980 wrote to memory of 2316	980	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	32
PID 980 wrote to memory of 2316	980	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	32
PID 980 wrote to memory of 2316	980	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe
  ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Users\Admin\AppData\Roaming\netprotocol.exe
    C:\Users\Admin\AppData\Roaming\netprotocol.exe
    3⤵
    - Executes dropped EXE
    PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
79KB

MD5
7541b81a39e6dee7568cc576d7da8a31

SHA1
455983bb7d82c64d0287182661fb7c6848c2c37c

SHA256
056e52398cbbf09724f986b51e229c0bcf77038d7ccd13a730b9a6247d3be34c

SHA512
62794a7a3e84903ba45916d271f4f766c4dc13b750a1d7f1cbbe123e16e9187c1c7e66420b1a2951913b544100f3386ede6e1bf927ae7edbfeed4da1ea4db67e

Download Submit
memory/980-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/980-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/980-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/980-27-0x0000000000220000-0x0000000000242000-memory.dmp

Filesize
136KB

Download
memory/980-26-0x0000000000220000-0x0000000000242000-memory.dmp

Filesize
136KB

Download
memory/980-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/980-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/980-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/980-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/980-8-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2152-29-0x0000000000220000-0x0000000000242000-memory.dmp

Filesize
136KB

Download
memory/2152-15-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2152-16-0x0000000000220000-0x0000000000242000-memory.dmp

Filesize
136KB

Download
memory/2152-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2316-38-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2316-42-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2316-28-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2316-34-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2316-36-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2316-30-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2316-41-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2316-32-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2316-43-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2316-44-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2316-45-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2316-46-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2316-47-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2316-48-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2316-49-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2316-50-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads