modiloader | b1925f44345d9f742e63320c812839c5cf6f2938da0262b6e153bac22fefa5a2

General

Target

de4647924f965d6eac627712b5135de9_JaffaCakes118.exe
Size

373KB
MD5

de4647924f965d6eac627712b5135de9
SHA1

90af1a55a113ceb135a7b07de86820a2871e5804
SHA256

b1925f44345d9f742e63320c812839c5cf6f2938da0262b6e153bac22fefa5a2
SHA512

66a35ec351de0de6b383b82be295b16ed1b3086300dc9c1d71d85ba7df455944b054c04ddc445ede2bd27cb92454717757ede54498c875fe0615ec7b1c1e5326
SSDEEP

6144:0Vs61FDrfb139bFDMbtw7C6iKlve+eJq8pp3f/0RS2rmlcNMn9okhizy03y14:Unf13xFZ7OK1kq8bf/0RWCR3zy0C2

Score

10^/10

modiloader discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 15 IoCs

resource	yara_rule
behavioral1/memory/2500-32-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-37-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-38-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-40-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-42-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-44-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-46-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-48-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-50-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-52-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-54-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-56-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-58-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-60-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-62-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

pid	Process
2500	mod_sa_by_fyp.43.1.0_0.3e.exe
2356	easy hack.exe
2692	winmouse.exe

Loads dropped DLL 5 IoCs

pid	Process
2984	de4647924f965d6eac627712b5135de9_JaffaCakes118.exe
2984	de4647924f965d6eac627712b5135de9_JaffaCakes118.exe
2984	de4647924f965d6eac627712b5135de9_JaffaCakes118.exe
2500	mod_sa_by_fyp.43.1.0_0.3e.exe
2500	mod_sa_by_fyp.43.1.0_0.3e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\win32loader = "C:\\Users\\Admin\\AppData\\Local\\winmouse.exe"	winmouse.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000191d1-3.dat	upx
behavioral1/memory/2984-4-0x00000000021D0000-0x00000000021E4000-memory.dmp	upx
behavioral1/files/0x0007000000019214-14.dat	upx
behavioral1/memory/2984-17-0x0000000003760000-0x0000000003892000-memory.dmp	upx
behavioral1/memory/2500-32-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2356-34-0x0000000000400000-0x0000000000532000-memory.dmp	upx
behavioral1/memory/2692-37-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2692-38-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2692-40-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2692-42-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2692-44-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2692-46-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2692-48-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2692-50-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2692-52-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2692-54-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2692-56-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2692-58-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2692-60-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2692-62-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de4647924f965d6eac627712b5135de9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	easy hack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mod_sa_by_fyp.43.1.0_0.3e.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2692	winmouse.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2500	2984	de4647924f965d6eac627712b5135de9_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2500	2984	de4647924f965d6eac627712b5135de9_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2500	2984	de4647924f965d6eac627712b5135de9_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2500	2984	de4647924f965d6eac627712b5135de9_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2356	2984	de4647924f965d6eac627712b5135de9_JaffaCakes118.exe	32
PID 2984 wrote to memory of 2356	2984	de4647924f965d6eac627712b5135de9_JaffaCakes118.exe	32
PID 2984 wrote to memory of 2356	2984	de4647924f965d6eac627712b5135de9_JaffaCakes118.exe	32
PID 2984 wrote to memory of 2356	2984	de4647924f965d6eac627712b5135de9_JaffaCakes118.exe	32
PID 2500 wrote to memory of 2692	2500	mod_sa_by_fyp.43.1.0_0.3e.exe	33
PID 2500 wrote to memory of 2692	2500	mod_sa_by_fyp.43.1.0_0.3e.exe	33
PID 2500 wrote to memory of 2692	2500	mod_sa_by_fyp.43.1.0_0.3e.exe	33
PID 2500 wrote to memory of 2692	2500	mod_sa_by_fyp.43.1.0_0.3e.exe	33

C:\Users\Admin\AppData\Local\Temp\de4647924f965d6eac627712b5135de9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de4647924f965d6eac627712b5135de9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\mod_sa_by_fyp.43.1.0_0.3e.exe
  "C:\Users\Admin\AppData\Local\Temp\mod_sa_by_fyp.43.1.0_0.3e.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Users\Admin\AppData\Local\winmouse.exe
    "C:\Users\Admin\AppData\Local\winmouse.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2692
- C:\Users\Admin\AppData\Local\Temp\easy hack.exe
  "C:\Users\Admin\AppData\Local\Temp\easy hack.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\easy hack.exe

Filesize
351KB

MD5
8a269ea56f2753dcf4355c7092782986

SHA1
cb7a075ed9b8b4da0954dac23531d83da3789894

SHA256
956a24e3043659e90b070e53c19f1ea2077e3d5c08a37ed63682600db4430ebd

SHA512
ce6a306fda60676e0acc557a8693ad907c1f56db7cc29ea0c378593f5337b727b190cda47108bffcb2cf84ec5489816a4f582bf751c72de554ea93035d475ea7

Download Submit
\Users\Admin\AppData\Local\Temp\mod_sa_by_fyp.43.1.0_0.3e.exe

Filesize
17KB

MD5
cfcc4f645a5319a4699a625e05b1fc7e

SHA1
8e2519efd7669dfa4a03740cabe9b09e79a6382b

SHA256
78c76c6165021c2a6740cdddeabd67778565cd9e5627ab6c574c53c066ab3114

SHA512
51e484410fa5f563888aae506042326514dfeffe95c650526a4cae0817a98be9f140e89b7bb7826e1dfdecd2cf59fff12748eacef142dc4df0bbdcf46625a4d5

Download Submit
memory/2356-34-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2356-35-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2356-19-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2500-29-0x00000000004A0000-0x00000000004B4000-memory.dmp

Filesize
80KB

Download
memory/2500-32-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2692-40-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2692-56-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2692-62-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2692-37-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2692-38-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2692-60-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2692-42-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2692-44-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2692-46-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2692-48-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2692-50-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2692-52-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2692-54-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2692-58-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2984-33-0x0000000003760000-0x0000000003892000-memory.dmp

Filesize
1.2MB

Download
memory/2984-4-0x00000000021D0000-0x00000000021E4000-memory.dmp

Filesize
80KB

Download
memory/2984-17-0x0000000003760000-0x0000000003892000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads