modiloader | fa95285c286bb416e62a41c5a7ffdf9fe57babca2376b97c7cdb1b0e651f97e6

General

Target

f8c8a9d8c7c42ed36538c53e1a4fb36c_JaffaCakes118.exe
Size

343KB
MD5

f8c8a9d8c7c42ed36538c53e1a4fb36c
SHA1

ccad6efee3f5491e825362b0df3465dca5f7b6db
SHA256

fa95285c286bb416e62a41c5a7ffdf9fe57babca2376b97c7cdb1b0e651f97e6
SHA512

05f009fbc1aff8f4c202132119efb88881de72b28c8cb6276836acd6a22e70eb3de584116c1b9ef162443d257f3f0f15c09538bd5dee6313fc82b1311dc2ad68
SSDEEP

6144:JsPy0UKrGRXl1cNwPLvoqg0R2VhPefm0ToOhPWjA5EiYnxmWSH/Ir:N3z1c2obY79PWjt3SH/Y

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/3220-22-0x0000000000590000-0x00000000005B4000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
3220	server.exe

Loads dropped DLL 2 IoCs

pid	Process
3220	server.exe
3220	server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f8c8a9d8c7c42ed36538c53e1a4fb36c_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\atmQQ2.dll	server.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8c8a9d8c7c42ed36538c53e1a4fb36c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3220	server.exe
3220	server.exe
3220	server.exe
3220	server.exe
3220	server.exe
3220	server.exe
3220	server.exe
3220	server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3220	server.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 3220	4664	f8c8a9d8c7c42ed36538c53e1a4fb36c_JaffaCakes118.exe	82
PID 4664 wrote to memory of 3220	4664	f8c8a9d8c7c42ed36538c53e1a4fb36c_JaffaCakes118.exe	82
PID 4664 wrote to memory of 3220	4664	f8c8a9d8c7c42ed36538c53e1a4fb36c_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\f8c8a9d8c7c42ed36538c53e1a4fb36c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8c8a9d8c7c42ed36538c53e1a4fb36c_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\MSInfo\atmQQ2.dll

Filesize
20KB

MD5
55377f4ce338d858ba630338f17ca06c

SHA1
1923bb950fb8bbf12ff0a3bfe84f4637e25b02c0

SHA256
708b620a064d990efbb7a74878ea03727651ffcdc7fd679c5cba1eaa929f0a7d

SHA512
e9e86534ce76a151bf565b274a8273b242c2385adbe640e235bd0f55f2ccb9613902c7bdd527393c5212f8ab9975ea2959fb9bef1ccb6dbcef68204461d3baac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
36KB

MD5
0f273e9acace10070da12c5f3ad8ad40

SHA1
320d35dd405899106209dc72384ec26f482dc326

SHA256
b078168c2f723493e9cbd57331f5365dd037195977403744773d466d20dcb9ae

SHA512
4395205d9172e2f390c7bde3a37f3bb207b17604feefaa09e86fdfa978911e5192ef050efc04a6e9ca70137f3cedbafec5be36742b4bfaacc0744cbf1f86dbf4

Download Submit
memory/3220-23-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3220-22-0x0000000000590000-0x00000000005B4000-memory.dmp

Filesize
144KB

Download
memory/3220-15-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4664-5-0x0000000001000000-0x0000000001062000-memory.dmp

Filesize
392KB

Download
memory/4664-7-0x0000000001000000-0x0000000001062000-memory.dmp

Filesize
392KB

Download
memory/4664-6-0x0000000001000000-0x0000000001062000-memory.dmp

Filesize
392KB

Download
memory/4664-0-0x0000000001000000-0x0000000001062000-memory.dmp

Filesize
392KB

Download
memory/4664-8-0x0000000001000000-0x0000000001062000-memory.dmp

Filesize
392KB

Download
memory/4664-3-0x0000000001000000-0x0000000001062000-memory.dmp

Filesize
392KB

Download
memory/4664-4-0x0000000001000000-0x0000000001062000-memory.dmp

Filesize
392KB

Download
memory/4664-14-0x0000000001000000-0x0000000001062000-memory.dmp

Filesize
392KB

Download
memory/4664-2-0x0000000001000000-0x0000000001062000-memory.dmp

Filesize
392KB

Download
memory/4664-1-0x000000000101B000-0x000000000101C000-memory.dmp

Filesize
4KB

Download
memory/4664-24-0x000000000101B000-0x000000000101C000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads