modiloader | d8a6731bcaa9520380ed44fdfdbb1053a1c861fb5ab35046c0dc1eb9093650d7

General

Target

85f87eb7d77596c6404f53e25fa7e24e_JaffaCakes118.exe
Size

328KB
MD5

85f87eb7d77596c6404f53e25fa7e24e
SHA1

a70dc0eb32778f5b3cd8a412c66bbb9ce082ed5a
SHA256

d8a6731bcaa9520380ed44fdfdbb1053a1c861fb5ab35046c0dc1eb9093650d7
SHA512

753b21ec76afe1962e004d539e4c5b1db5949ddbc084e6de3f85998eeef08a6e00f741075bcad3498145579e4f7441d904b03ebbc072b3a1ebeb7fa3cb18e52f
SSDEEP

6144:X8ppr6oVwAT/Y/GABOx7SYxiO5S/FkGb7UH0DzEwD/L:sp4oVn8emYxPGPUUDl/L

Score

10^/10

modiloader adware discovery evasion stealer trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies firewall policy service 3 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

INSTALLER.EXE

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	INSTALLER.EXE
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"	INSTALLER.EXE

Modiloader family
modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0008000000016d9f-9.dat	modiloader_stage2
behavioral1/memory/1920-16-0x0000000000400000-0x0000000000459000-memory.dmp	modiloader_stage2
behavioral1/memory/2768-27-0x0000000013140000-0x0000000013163000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

Processes:

DIVXWEBPLAYERINSTALLER.EXEINSTALLER.EXEINSTALLER.EXE

pid	Process
2472	DIVXWEBPLAYERINSTALLER.EXE
2768	INSTALLER.EXE
108	INSTALLER.EXE

Loads dropped DLL 12 IoCs

Processes:

85f87eb7d77596c6404f53e25fa7e24e_JaffaCakes118.exeDIVXWEBPLAYERINSTALLER.EXEINSTALLER.EXEINSTALLER.EXE

pid	Process
1920	85f87eb7d77596c6404f53e25fa7e24e_JaffaCakes118.exe
1920	85f87eb7d77596c6404f53e25fa7e24e_JaffaCakes118.exe
2472	DIVXWEBPLAYERINSTALLER.EXE
2472	DIVXWEBPLAYERINSTALLER.EXE
2472	DIVXWEBPLAYERINSTALLER.EXE
2768	INSTALLER.EXE
2768	INSTALLER.EXE
2768	INSTALLER.EXE
2768	INSTALLER.EXE
108	INSTALLER.EXE
108	INSTALLER.EXE
108	INSTALLER.EXE

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

INSTALLER.EXE

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}	INSTALLER.EXE

Drops file in System32 directory 2 IoCs

Processes:

INSTALLER.EXE

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ipv6monl.dll	INSTALLER.EXE
File created	C:\Windows\SysWOW64\ipv6monl.dll	INSTALLER.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

INSTALLER.EXE

description	pid	Process	procid_target
PID 2768 set thread context of 108	2768	INSTALLER.EXE	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

INSTALLER.EXE85f87eb7d77596c6404f53e25fa7e24e_JaffaCakes118.exeDIVXWEBPLAYERINSTALLER.EXEINSTALLER.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INSTALLER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85f87eb7d77596c6404f53e25fa7e24e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DIVXWEBPLAYERINSTALLER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INSTALLER.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

INSTALLER.EXE

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	INSTALLER.EXE

Modifies registry class 5 IoCs

Processes:

INSTALLER.EXE

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}	INSTALLER.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}	INSTALLER.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}\InprocServer32	INSTALLER.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}\InprocServer32\ = "C:\\Windows\\SysWow64\\ipv6monl.dll"	INSTALLER.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}\InprocServer32\ThreadingModel = "apartment"	INSTALLER.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

INSTALLER.EXE

pid	Process
108	INSTALLER.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

85f87eb7d77596c6404f53e25fa7e24e_JaffaCakes118.exeINSTALLER.EXE

description	pid	Process	procid_target
PID 1920 wrote to memory of 2472	1920	85f87eb7d77596c6404f53e25fa7e24e_JaffaCakes118.exe	31
PID 1920 wrote to memory of 2472	1920	85f87eb7d77596c6404f53e25fa7e24e_JaffaCakes118.exe	31
PID 1920 wrote to memory of 2472	1920	85f87eb7d77596c6404f53e25fa7e24e_JaffaCakes118.exe	31
PID 1920 wrote to memory of 2472	1920	85f87eb7d77596c6404f53e25fa7e24e_JaffaCakes118.exe	31
PID 1920 wrote to memory of 2472	1920	85f87eb7d77596c6404f53e25fa7e24e_JaffaCakes118.exe	31
PID 1920 wrote to memory of 2472	1920	85f87eb7d77596c6404f53e25fa7e24e_JaffaCakes118.exe	31
PID 1920 wrote to memory of 2472	1920	85f87eb7d77596c6404f53e25fa7e24e_JaffaCakes118.exe	31
PID 1920 wrote to memory of 2768	1920	85f87eb7d77596c6404f53e25fa7e24e_JaffaCakes118.exe	32
PID 1920 wrote to memory of 2768	1920	85f87eb7d77596c6404f53e25fa7e24e_JaffaCakes118.exe	32
PID 1920 wrote to memory of 2768	1920	85f87eb7d77596c6404f53e25fa7e24e_JaffaCakes118.exe	32
PID 1920 wrote to memory of 2768	1920	85f87eb7d77596c6404f53e25fa7e24e_JaffaCakes118.exe	32
PID 1920 wrote to memory of 2768	1920	85f87eb7d77596c6404f53e25fa7e24e_JaffaCakes118.exe	32
PID 1920 wrote to memory of 2768	1920	85f87eb7d77596c6404f53e25fa7e24e_JaffaCakes118.exe	32
PID 1920 wrote to memory of 2768	1920	85f87eb7d77596c6404f53e25fa7e24e_JaffaCakes118.exe	32
PID 2768 wrote to memory of 108	2768	INSTALLER.EXE	33
PID 2768 wrote to memory of 108	2768	INSTALLER.EXE	33
PID 2768 wrote to memory of 108	2768	INSTALLER.EXE	33
PID 2768 wrote to memory of 108	2768	INSTALLER.EXE	33
PID 2768 wrote to memory of 108	2768	INSTALLER.EXE	33
PID 2768 wrote to memory of 108	2768	INSTALLER.EXE	33
PID 2768 wrote to memory of 108	2768	INSTALLER.EXE	33
PID 2768 wrote to memory of 108	2768	INSTALLER.EXE	33
PID 2768 wrote to memory of 108	2768	INSTALLER.EXE	33

C:\Users\Admin\AppData\Local\Temp\85f87eb7d77596c6404f53e25fa7e24e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\85f87eb7d77596c6404f53e25fa7e24e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Local\Temp\DIVXWEBPLAYERINSTALLER.EXE
  "C:\Users\Admin\AppData\Local\Temp\DIVXWEBPLAYERINSTALLER.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2472
- C:\Users\Admin\AppData\Local\Temp\INSTALLER.EXE
  "C:\Users\Admin\AppData\Local\Temp\INSTALLER.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\INSTALLER.EXE
    C:\Users\Admin\AppData\Local\Temp\INSTALLER.EXE
    3⤵
    - Modifies firewall policy service
    - Executes dropped EXE
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\DIVXWEBPLAYERINSTALLER.EXE

Filesize
179KB

MD5
68d15a9ef85b1a195aefa82a53581170

SHA1
5c7f938e98afe27b17322ced790e27a23bf74d5b

SHA256
ca0dedd4c80c9addd0898340abb55ab54aefb5a5027a563328c2db08c18d0882

SHA512
d5bb98b3dc580e5c4e0f2cbbc9713895987040461f16e6058c4927223673f3faa72aafc87d3079e8c6692f1c1970d81fa6a0a08e155d621192a4a9be8ecc2d2a

Download Submit
\Users\Admin\AppData\Local\Temp\INSTALLER.EXE

Filesize
112KB

MD5
34ba1f6300ecfaf7bc0f8b06955cc4bc

SHA1
a05240a098da6ceb842912a6d1b2256eb45137d5

SHA256
a03cff756ee7677cbcc2b2ceae601664263b91ba073c1e6a819a52d99fb63554

SHA512
6e8e348c0506a576bd39ed1a4a5df012c9e079d2d44165a800e6a2f9c163cd6451e39e9fe8eacf502c5c99d4fef9ebb0eb6057c9791d95a27af565c5af4458aa

Download Submit
memory/108-25-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/108-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/108-22-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/108-28-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/108-33-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1920-16-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2472-36-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2472-37-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2768-27-0x0000000013140000-0x0000000013163000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads