modiloader | 21d36c59d1e17b806190ad7610c86c08f40549c92e59deec82a40b046f36d301

General

Target

ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe
Size

79KB
MD5

ea426e6d819e8e5fb992918e92a618ec
SHA1

0c726aece5b25b66bde0573a3b36664ad1425502
SHA256

21d36c59d1e17b806190ad7610c86c08f40549c92e59deec82a40b046f36d301
SHA512

aa4101dde41b8ccbfe91b6da652c57e15aa963a9448e243f2a5c76f73dd5148f52b4da763c8939f7ed238ba26232067ee5b45d19e202a908045bedf8796890bd
SSDEEP

1536:gyhPiKGK2KapxL2RfDn7xtsWFTP2lZjcjLmlNelfUmwWHpX:taKcZZ2Rb7xBFTP2gXmyNUmfHpX

Score

10^/10

modiloader discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 16 IoCs

resource	yara_rule
behavioral2/memory/4000-6-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral2/memory/3312-15-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral2/memory/3312-14-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral2/memory/3312-17-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral2/memory/3312-19-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral2/memory/3312-21-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral2/memory/3312-24-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral2/memory/3312-25-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral2/memory/3312-26-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral2/memory/3312-27-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral2/memory/3312-28-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral2/memory/3312-29-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral2/memory/3312-30-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral2/memory/3312-31-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral2/memory/3312-32-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2
behavioral2/memory/3312-33-0x0000000000400000-0x0000000000422000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
3312	netprotocol.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4000-0-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/4000-6-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/files/0x00070000000234a4-10.dat	upx
behavioral2/memory/3312-11-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3312-15-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3312-14-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3312-17-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3312-19-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3312-21-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3312-24-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3312-25-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3312-26-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3312-27-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3312-28-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3312-29-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3312-30-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3312-31-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3312-32-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3312-33-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netprotocol = "C:\\Users\\Admin\\AppData\\Roaming\\netprotocol.exe"	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4000 set thread context of 760	4000	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	86

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netprotocol.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 760	4000	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	86
PID 4000 wrote to memory of 760	4000	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	86
PID 4000 wrote to memory of 760	4000	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	86
PID 4000 wrote to memory of 760	4000	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	86
PID 4000 wrote to memory of 760	4000	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	86
PID 4000 wrote to memory of 760	4000	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	86
PID 4000 wrote to memory of 760	4000	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	86
PID 4000 wrote to memory of 760	4000	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	86
PID 760 wrote to memory of 3312	760	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	87
PID 760 wrote to memory of 3312	760	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	87
PID 760 wrote to memory of 3312	760	ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Users\Admin\AppData\Local\Temp\ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe
  ea426e6d819e8e5fb992918e92a618ec_JaffaCakes118.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Users\Admin\AppData\Roaming\netprotocol.exe
    C:\Users\Admin\AppData\Roaming\netprotocol.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
79KB

MD5
7541b81a39e6dee7568cc576d7da8a31

SHA1
455983bb7d82c64d0287182661fb7c6848c2c37c

SHA256
056e52398cbbf09724f986b51e229c0bcf77038d7ccd13a730b9a6247d3be34c

SHA512
62794a7a3e84903ba45916d271f4f766c4dc13b750a1d7f1cbbe123e16e9187c1c7e66420b1a2951913b544100f3386ede6e1bf927ae7edbfeed4da1ea4db67e

Download Submit
memory/760-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/760-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/760-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/760-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/760-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3312-19-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3312-25-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3312-15-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3312-14-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3312-33-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3312-17-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3312-32-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3312-21-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3312-24-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3312-11-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3312-26-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3312-27-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3312-28-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3312-29-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3312-30-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3312-31-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4000-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4000-6-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads