modiloader | 7b96dd3c5a1d3d29d215453168913ae85e9a86c65c8c7bad385863610b519e9d

General

Target

JaffaCakes118_01e71a1176c038060efed052a096a23b.exe
Size

34KB
MD5

01e71a1176c038060efed052a096a23b
SHA1

fa59e6b1193cb9502812910502986fc6bdc92e41
SHA256

7b96dd3c5a1d3d29d215453168913ae85e9a86c65c8c7bad385863610b519e9d
SHA512

f75808d41cda93c44714d746174abaaf95e794db0135a62d682a0e0e6b5c4ec6354980479dd376cd99c103b6a546f81a790600374de17960bd03c64613a28d4e
SSDEEP

768:bF4hw4J5Iq4XlnBQGEZDZ+U0Gds3S7ILyKC84dtN3pQOP14ei:KhVviBQ5ZB+sI+6sQOd4

Score

10^/10

modiloader defense_evasion discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral1/memory/2452-11-0x00000000003D0000-0x00000000003E2000-memory.dmp	modiloader_stage2
behavioral1/files/0x0008000000015d07-10.dat	modiloader_stage2
behavioral1/memory/2452-20-0x0000000000400000-0x000000000041C000-memory.dmp	modiloader_stage2
behavioral1/memory/2452-19-0x00000000003D0000-0x00000000003E2000-memory.dmp	modiloader_stage2

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_01e71a1176c038060efed052a096a23b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wuacultj = "C:\\wuacultj.exe"	JaffaCakes118_01e71a1176c038060efed052a096a23b.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2420	attrib.exe

Loads dropped DLL 1 IoCs

pid	Process
2452	JaffaCakes118_01e71a1176c038060efed052a096a23b.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2452-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000015d30-17.dat	upx
behavioral1/memory/2452-20-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Insertjt.dll	JaffaCakes118_01e71a1176c038060efed052a096a23b.exe
File created	C:\Windows\inf\DllAddress.ini	JaffaCakes118_01e71a1176c038060efed052a096a23b.exe
File opened for modification	C:\Windows\inf\DllAddress.ini	JaffaCakes118_01e71a1176c038060efed052a096a23b.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_01e71a1176c038060efed052a096a23b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2452	JaffaCakes118_01e71a1176c038060efed052a096a23b.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2060	2452	JaffaCakes118_01e71a1176c038060efed052a096a23b.exe	30
PID 2452 wrote to memory of 2060	2452	JaffaCakes118_01e71a1176c038060efed052a096a23b.exe	30
PID 2452 wrote to memory of 2060	2452	JaffaCakes118_01e71a1176c038060efed052a096a23b.exe	30
PID 2452 wrote to memory of 2060	2452	JaffaCakes118_01e71a1176c038060efed052a096a23b.exe	30
PID 2060 wrote to memory of 2420	2060	cmd.exe	32
PID 2060 wrote to memory of 2420	2060	cmd.exe	32
PID 2060 wrote to memory of 2420	2060	cmd.exe	32
PID 2060 wrote to memory of 2420	2060	cmd.exe	32

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2420	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_01e71a1176c038060efed052a096a23b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_01e71a1176c038060efed052a096a23b.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copyself.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\wuacultj.exe +r +h +s
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\copyself.bat

Filesize
114B

MD5
f446a49d2df32ab4fc954c07559d59c5

SHA1
ae5c84238de314eb4ea28b2185ae62958f3d1995

SHA256
f616541f5da07c0fca8ab806cee6e96d2c32b7c1e943c19dbbab27c0c659c7d9

SHA512
3c03a4914b183b6cb0a8f15b5e97ac1f41650b9d907d6011604ac1098d6d089d1355149a6a0e4fb2fd46a571e1d721fcad4be897ded3bcaa41d49bfa645ea300

Download Submit
C:\wuacultj.exe

Filesize
34KB

MD5
01e71a1176c038060efed052a096a23b

SHA1
fa59e6b1193cb9502812910502986fc6bdc92e41

SHA256
7b96dd3c5a1d3d29d215453168913ae85e9a86c65c8c7bad385863610b519e9d

SHA512
f75808d41cda93c44714d746174abaaf95e794db0135a62d682a0e0e6b5c4ec6354980479dd376cd99c103b6a546f81a790600374de17960bd03c64613a28d4e

Download Submit
\Windows\inf\Insertjt.dll

Filesize
54KB

MD5
530fc9fa45e74dbe2217e7247f268f30

SHA1
85d77678d65bc751402d96447d5f5d765abdbf36

SHA256
ab3012b0cdad12663a11cccb4b0c0c31a6ad1bdc6a6f624b0012da59075d2359

SHA512
c60c186414b544d57371fa8f703d6e0ed75b107e90d19750c8c97856607f22c8eb89536824ce3b961323e2e559322cfb7881f14035a860c18e686ceb7d2db7c5

Download Submit
memory/2452-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2452-11-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2452-20-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2452-19-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads