modiloader | cf19534b8e344a5e4d02947caa6f0d563ead18da7b51368c52038ff37e15c04f

General

Target

8ccbb61fc64817ecb98fef73dbd83a85_JaffaCakes118.exe
Size

864KB
MD5

8ccbb61fc64817ecb98fef73dbd83a85
SHA1

3211b6bb82d795322aa76d54e4269cfa22f3c58c
SHA256

cf19534b8e344a5e4d02947caa6f0d563ead18da7b51368c52038ff37e15c04f
SHA512

67d5e7a451674bac85d761f67b9529c0941f0619942fc470bfbeaf136ceae818e73d71a8b4bca8c719d3c9a3bcf35d41725c5bd8780d90621fad9a7b0b4b71a1
SSDEEP

12288:hl+EwN8dwnLb3wpnkSS3Ogn1Y5UHB4WNAlAqZ1ODbdDsrGp7FdRGvO8DVOtd:hl+Ew2pniFY5UhqrZ6bdDsUZdR4D2

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5040-10-0x0000000000400000-0x000000000056F000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

2222222.exeCAMFRO~1.EXE

pid	Process
5040	2222222.exe
1792	CAMFRO~1.EXE

Loads dropped DLL 1 IoCs

Processes:

CAMFRO~1.EXE

pid	Process
1792	CAMFRO~1.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8ccbb61fc64817ecb98fef73dbd83a85_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8ccbb61fc64817ecb98fef73dbd83a85_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

Processes:

CAMFRO~1.EXE

description	ioc	Process
File created	C:\Windows\SysWOW64\BASSMOD.dll	CAMFRO~1.EXE

Drops file in Program Files directory 1 IoCs

Processes:

2222222.exe

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt	2222222.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
1612	5040	WerFault.exe	84
2728	5040	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8ccbb61fc64817ecb98fef73dbd83a85_JaffaCakes118.exe2222222.exeCAMFRO~1.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ccbb61fc64817ecb98fef73dbd83a85_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2222222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAMFRO~1.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description	pid	Process
Token: 33	740	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	740	AUDIODG.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8ccbb61fc64817ecb98fef73dbd83a85_JaffaCakes118.exe2222222.exe

description	pid	Process	procid_target
PID 1160 wrote to memory of 5040	1160	8ccbb61fc64817ecb98fef73dbd83a85_JaffaCakes118.exe	84
PID 1160 wrote to memory of 5040	1160	8ccbb61fc64817ecb98fef73dbd83a85_JaffaCakes118.exe	84
PID 1160 wrote to memory of 5040	1160	8ccbb61fc64817ecb98fef73dbd83a85_JaffaCakes118.exe	84
PID 5040 wrote to memory of 1884	5040	2222222.exe	91
PID 5040 wrote to memory of 1884	5040	2222222.exe	91
PID 1160 wrote to memory of 1792	1160	8ccbb61fc64817ecb98fef73dbd83a85_JaffaCakes118.exe	94
PID 1160 wrote to memory of 1792	1160	8ccbb61fc64817ecb98fef73dbd83a85_JaffaCakes118.exe	94
PID 1160 wrote to memory of 1792	1160	8ccbb61fc64817ecb98fef73dbd83a85_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\8ccbb61fc64817ecb98fef73dbd83a85_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ccbb61fc64817ecb98fef73dbd83a85_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2222222.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2222222.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 540
    3⤵
    - Program crash
    PID:1612
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 764
    3⤵
    - Program crash
    PID:2728
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CAMFRO~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CAMFRO~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5040 -ip 5040
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5040 -ip 5040
1⤵
PID:1620

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b4 0x488
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2222222.exe

Filesize
683KB

MD5
08521b4a7057cef60d8281f50a7bdc58

SHA1
2543185e7052bf667bda9886bca838c8a3374a3e

SHA256
d3e8b9e99e2e1c7580d0664798cac729328e8cea50aba3dd64aa8ce3a8cb451e

SHA512
50e86cc8f508ee91574efff05f8fd03e71e608d264da642e2cde5c700b90231b314208f0e6ffe706d59d9ddb7aa15feeb04d8e28f11ac7efb65f3eaea72182a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CAMFRO~1.EXE

Filesize
158KB

MD5
3aef5ca939b245a2562fa564ef3b4324

SHA1
022a599433e335082be4d7c8853d2be85356c8f6

SHA256
b748ebdf06ef75f2baca63ceff4aa638a5eeb69a1dfe0a25d6466d36394ae91c

SHA512
d4cc80a0dc02d13686d836ca55d38a021b7773e465a7c6e63b1ae1c620b4cd2913694b7dabc84d8fcc45db607929913e5685205049bf59ba7043c10186941e01

Download Submit
C:\Windows\SysWOW64\BASSMOD.dll

Filesize
9KB

MD5
8d56adca34e7fb2dfacfc5ea87b23ff9

SHA1
0e93ae841d7a1f9587655906847ddcfc3269d9d1

SHA256
01742d6f3acdbaa65d5bfaaa62f97414d0c9a295305a526d089b34a06b6099b7

SHA512
96ceab8b750dae2a8e42bc353c1dfb5c43b879675e0f7e70d34467deebc2f9833269d38a6dadd621c76cadd465aa59fba0535c88a79a9ad8ea092caca04e78ab

Download Submit
memory/5040-7-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5040-8-0x00000000007D0000-0x0000000000824000-memory.dmp

Filesize
336KB

Download
memory/5040-10-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5040-11-0x00000000007D0000-0x0000000000824000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads