modiloader | 0a220ee9d594c9de4973ed2dc5183cce41b565387f16ab5295801e286314ee31

General

Target

99d288140e04a53da62f6751f1142322_JaffaCakes118.exe
Size

544KB
MD5

99d288140e04a53da62f6751f1142322
SHA1

85ed195a89333ae9a75a03b55ec4a5fc0b92a8fe
SHA256

0a220ee9d594c9de4973ed2dc5183cce41b565387f16ab5295801e286314ee31
SHA512

35b8aa6813d70c809ec7a0072b8754f6e213e49b533b768404df147fba077b54d6a5c6d6e2f3fc38e67660e170a6e827a6cc326f6b92c93a5de791ebe1357c38
SSDEEP

12288:fGeQClYrDqt6bbDlVmE90kmmiQSQbJB/UPi4KaRAqxh:fDQCGrDqt6b7meDibQNBMLJjh

Score

10^/10

modiloader defense_evasion discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2628-11-0x0000000000400000-0x0000000000940000-memory.dmp	modiloader_stage2
behavioral1/memory/2036-13-0x0000000000400000-0x0000000000584000-memory.dmp	modiloader_stage2
behavioral1/memory/2628-28-0x0000000000400000-0x0000000000940000-memory.dmp	modiloader_stage2
behavioral1/memory/2628-31-0x0000000000400000-0x0000000000940000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

krutsy32.exeldapi32.exe

pid	Process
2628	krutsy32.exe
2100	ldapi32.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

Processes:

krutsy32.exe

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	krutsy32.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	krutsy32.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	krutsy32.exe

Loads dropped DLL 4 IoCs

Processes:

krutsy32.exe

pid	Process
2628	krutsy32.exe
2628	krutsy32.exe
2628	krutsy32.exe
2628	krutsy32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

99d288140e04a53da62f6751f1142322_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\krutsy32 = "C:\\Windows\\krutsy32.exe"	99d288140e04a53da62f6751f1142322_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

Processes:

krutsy32.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\ldapi32.exe	krutsy32.exe
File created	C:\Windows\SysWOW64\ntswrl32.dll	krutsy32.exe
File created	C:\Windows\SysWOW64\ntcvx32.dll	krutsy32.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2036-0-0x0000000000400000-0x0000000000584000-memory.dmp	upx
behavioral1/memory/2628-11-0x0000000000400000-0x0000000000940000-memory.dmp	upx
behavioral1/memory/2036-13-0x0000000000400000-0x0000000000584000-memory.dmp	upx
behavioral1/memory/2036-9-0x0000000004BA0000-0x00000000050E0000-memory.dmp	upx
behavioral1/files/0x000c00000001202c-8.dat	upx
behavioral1/memory/2628-28-0x0000000000400000-0x0000000000940000-memory.dmp	upx
behavioral1/memory/2628-31-0x0000000000400000-0x0000000000940000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

Processes:

99d288140e04a53da62f6751f1142322_JaffaCakes118.exe

description	ioc	Process
File created	C:\Windows\krutsy32.exe	99d288140e04a53da62f6751f1142322_JaffaCakes118.exe
File opened for modification	C:\Windows\krutsy32.exe	99d288140e04a53da62f6751f1142322_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

krutsy32.exe99d288140e04a53da62f6751f1142322_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	krutsy32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99d288140e04a53da62f6751f1142322_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ldapi32.exe

description	pid	Process
Token: SeDebugPrivilege	2100	ldapi32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

krutsy32.exe

pid	Process
2628	krutsy32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

99d288140e04a53da62f6751f1142322_JaffaCakes118.exekrutsy32.exe

description	pid	Process	procid_target
PID 2036 wrote to memory of 2628	2036	99d288140e04a53da62f6751f1142322_JaffaCakes118.exe	30
PID 2036 wrote to memory of 2628	2036	99d288140e04a53da62f6751f1142322_JaffaCakes118.exe	30
PID 2036 wrote to memory of 2628	2036	99d288140e04a53da62f6751f1142322_JaffaCakes118.exe	30
PID 2036 wrote to memory of 2628	2036	99d288140e04a53da62f6751f1142322_JaffaCakes118.exe	30
PID 2628 wrote to memory of 2100	2628	krutsy32.exe	31
PID 2628 wrote to memory of 2100	2628	krutsy32.exe	31
PID 2628 wrote to memory of 2100	2628	krutsy32.exe	31
PID 2628 wrote to memory of 2100	2628	krutsy32.exe	31

C:\Users\Admin\AppData\Local\Temp\99d288140e04a53da62f6751f1142322_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\99d288140e04a53da62f6751f1142322_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\krutsy32.exe
  "C:\Windows\krutsy32.exe"
  2⤵
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\ldapi32.exe
    C:\Windows\system32\ldapi32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Safe Mode Boot

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\krutsy32.exe

Filesize
567KB

MD5
41109d6b0001ad636b220f2947404a90

SHA1
a1c9cd22c8a08b7a45bdb06133084309dbe1a88d

SHA256
9d8e296b7d110e077fa21db918f6246955076ae68fe723e5aad2e9ca0822b334

SHA512
21016c08338c654c36e44867b812b9b1d98ef693051b4ffc2e8fde5403b2c93f8c06394b1e23d48f5f3c3bb5509fc853e5969ab5615c903afd5b5d1b6f675c13

Download Submit
\Windows\SysWOW64\ldapi32.exe

Filesize
20KB

MD5
1093917aed9fc8213a0a71fb9062fd14

SHA1
ced9c73a3fcb6b2784ff36d56be91887900e7248

SHA256
40697f22c7abab737137263246f2af010a4d6b0676471bfa199ec022b548b5c1

SHA512
28b34bcc47525fea9ffbf128ca34ff9d1fa52931404987d5be62826220a32ef75e1fa54ea135a511d803f14bfc76cf057a4bed847b099b7b9a4b0fc6808a0467

Download Submit
\Windows\SysWOW64\ntswrl32.dll

Filesize
12KB

MD5
8dc496e74a083351a898c960ca4ad767

SHA1
f2f54b028f9fc5815868b315452e9ac1fa91576d

SHA256
f23108544e06a177ae964ccfdde103b5a5ea340462eab85271a69d3c6c313524

SHA512
4ab073c113a1036c7d4ec578db2190f0c397bfe9ec0fd12e54621b9c848aec7ec3f96f694aa19b44bd577e17e265710f163b7ff37c45d0c14939f813d7c77831

Download Submit
memory/2036-10-0x0000000004BA0000-0x00000000050E0000-memory.dmp

Filesize
5.2MB

Download
memory/2036-9-0x0000000004BA0000-0x00000000050E0000-memory.dmp

Filesize
5.2MB

Download
memory/2036-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2036-13-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2100-27-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2628-11-0x0000000000400000-0x0000000000940000-memory.dmp

Filesize
5.2MB

Download
memory/2628-28-0x0000000000400000-0x0000000000940000-memory.dmp

Filesize
5.2MB

Download
memory/2628-32-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/2628-31-0x0000000000400000-0x0000000000940000-memory.dmp

Filesize
5.2MB

Download
memory/2628-48-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads