modiloader | 123f5a6eb28a7e7936a67234374dbc4519cb1f96b1378af2883a51d6e605fb85

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc12d5b309f5090cc04ae5a8aea31c5a_JaffaCakes118.exe
Size

173KB
MD5

fc12d5b309f5090cc04ae5a8aea31c5a
SHA1

0fa6b9ab2032dc01e5a2881b8610af5dd08bec46
SHA256

123f5a6eb28a7e7936a67234374dbc4519cb1f96b1378af2883a51d6e605fb85
SHA512

3238cbe92132472138d4f432044bfb077f20c4cf3fc8be8c92c4b45c8ab80a7fb3b58f6f81f06c4c559b85de4f5865178eee730de46eeb72b63789e19310af04
SSDEEP

3072:dtDulZKksGzZjDDeqCe5ToU21kkH2ip0KuPk2afiMpltkrkbtNLWGtVeHnx:d6KksSrIU2ykH2ipsPnafFlerkb3Lrta

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\srvinit.exe\""	srvinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe\"C:\\Windows\\srvinit.exe\","	srvinit.exe

Modiloader family
modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012267-3.dat	modiloader_stage2
behavioral1/memory/2168-9-0x0000000000400000-0x0000000000432000-memory.dmp	modiloader_stage2
behavioral1/memory/2432-17-0x0000000000400000-0x0000000000432000-memory.dmp	modiloader_stage2

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	srvinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\server = "C:\\Windows\\srvinit.exe"	srvinit.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05I41M56-QW07-U20F-YX8T-VB4U6TP4UX63}	srvinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05I41M56-QW07-U20F-YX8T-VB4U6TP4UX63}\StubPath = "\"C:\\Windows\\srvinit.exe\""	srvinit.exe

Deletes itself 1 IoCs

pid	Process
2432	srvinit.exe

Executes dropped EXE 1 IoCs

pid	Process
2432	srvinit.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\srvinit.exe	fc12d5b309f5090cc04ae5a8aea31c5a_JaffaCakes118.exe
File opened for modification	C:\Windows\srvinit.exe	fc12d5b309f5090cc04ae5a8aea31c5a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc12d5b309f5090cc04ae5a8aea31c5a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srvinit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2168	fc12d5b309f5090cc04ae5a8aea31c5a_JaffaCakes118.exe
2432	srvinit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2432	2168	fc12d5b309f5090cc04ae5a8aea31c5a_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2432	2168	fc12d5b309f5090cc04ae5a8aea31c5a_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2432	2168	fc12d5b309f5090cc04ae5a8aea31c5a_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2432	2168	fc12d5b309f5090cc04ae5a8aea31c5a_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31
PID 2432 wrote to memory of 2580	2432	srvinit.exe	31

C:\Users\Admin\AppData\Local\Temp\fc12d5b309f5090cc04ae5a8aea31c5a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc12d5b309f5090cc04ae5a8aea31c5a_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\srvinit.exe
  "C:\Windows\srvinit.exe" \melt "C:\Users\Admin\AppData\Local\Temp\fc12d5b309f5090cc04ae5a8aea31c5a_JaffaCakes118.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\srvinit.exe

Filesize
173KB

MD5
fc12d5b309f5090cc04ae5a8aea31c5a

SHA1
0fa6b9ab2032dc01e5a2881b8610af5dd08bec46

SHA256
123f5a6eb28a7e7936a67234374dbc4519cb1f96b1378af2883a51d6e605fb85

SHA512
3238cbe92132472138d4f432044bfb077f20c4cf3fc8be8c92c4b45c8ab80a7fb3b58f6f81f06c4c559b85de4f5865178eee730de46eeb72b63789e19310af04

Download Submit
memory/2168-9-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2432-17-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2432-11-0x0000000010410000-0x0000000010449000-memory.dmp

Filesize
228KB

Download