modiloader | e7f6f2aa80fdd420744af707fd7938bcac4d1e4e085a3095c76faa26a23711fb

General

Target

JaffaCakes118_0e7c027d9480001b14cc2ced1a4d90e3.exe
Size

451KB
MD5

0e7c027d9480001b14cc2ced1a4d90e3
SHA1

ceb6ec15b92de333524cfd65f5b758303a7fefaa
SHA256

e7f6f2aa80fdd420744af707fd7938bcac4d1e4e085a3095c76faa26a23711fb
SHA512

828342a8c678d935954671412d96c2fc8bf9ab90ba82bceed2915fe215a272ecd767011f303aab6cdd5f608cd8d464d067cf4bcec62cb2c7fa304d16c29f5381
SSDEEP

12288:dhjpKcIQhe/grUVLvCc3Bdwz8RPAyRiYHmU6Zhpih:d1pKcIbTVrxD06aBzw

Score

10^/10

modiloader discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 6 IoCs

resource	yara_rule
behavioral2/memory/3972-33-0x0000000000400000-0x00000000004F0000-memory.dmp	modiloader_stage2
behavioral2/memory/3456-35-0x0000000000400000-0x00000000004F0000-memory.dmp	modiloader_stage2
behavioral2/memory/3456-39-0x0000000000400000-0x00000000004F0000-memory.dmp	modiloader_stage2
behavioral2/memory/3456-42-0x0000000000400000-0x00000000004F0000-memory.dmp	modiloader_stage2
behavioral2/memory/3456-45-0x0000000000400000-0x00000000004F0000-memory.dmp	modiloader_stage2
behavioral2/memory/3456-48-0x0000000000400000-0x00000000004F0000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

pid	Process
1492	PATCHER.EXE
3972	www.exe
3456	spooll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vscanner = "c:\\windows\\spooll32.exe"	www.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/540-0-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/540-21-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3972-22-0x0000000000400000-0x00000000004F0000-memory.dmp	upx
behavioral2/files/0x0007000000023c8e-20.dat	upx
behavioral2/memory/3456-27-0x0000000000400000-0x00000000004F0000-memory.dmp	upx
behavioral2/memory/3972-33-0x0000000000400000-0x00000000004F0000-memory.dmp	upx
behavioral2/memory/3456-35-0x0000000000400000-0x00000000004F0000-memory.dmp	upx
behavioral2/memory/3456-39-0x0000000000400000-0x00000000004F0000-memory.dmp	upx
behavioral2/memory/3456-42-0x0000000000400000-0x00000000004F0000-memory.dmp	upx
behavioral2/memory/3456-45-0x0000000000400000-0x00000000004F0000-memory.dmp	upx
behavioral2/memory/3456-48-0x0000000000400000-0x00000000004F0000-memory.dmp	upx

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\PATCHER.EXE	JaffaCakes118_0e7c027d9480001b14cc2ced1a4d90e3.exe
File opened for modification	\??\c:\windows\spooll32.exe	www.exe
File created	C:\Windows\JaffaCakes118_0e7c027d9480001b14cc2ced1a4d90e3.dat	JaffaCakes118_0e7c027d9480001b14cc2ced1a4d90e3.exe
File created	C:\Windows\PATCHER.EXE.tmp	JaffaCakes118_0e7c027d9480001b14cc2ced1a4d90e3.exe
File created	C:\Windows\www.exe.tmp	JaffaCakes118_0e7c027d9480001b14cc2ced1a4d90e3.exe
File created	C:\Windows\www.bat	www.exe
File opened for modification	C:\Windows\JaffaCakes118_0e7c027d9480001b14cc2ced1a4d90e3.dat	JaffaCakes118_0e7c027d9480001b14cc2ced1a4d90e3.exe
File created	C:\Windows\www.exe	JaffaCakes118_0e7c027d9480001b14cc2ced1a4d90e3.exe
File created	\??\c:\windows\spooll32.exe	www.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	www.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spooll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0e7c027d9480001b14cc2ced1a4d90e3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PATCHER.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3972	www.exe
3972	www.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3972	www.exe
Token: SeDebugPrivilege	3972	www.exe
Token: SeDebugPrivilege	3456	spooll32.exe
Token: SeDebugPrivilege	3456	spooll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1492	PATCHER.EXE
1492	PATCHER.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 1492	540	JaffaCakes118_0e7c027d9480001b14cc2ced1a4d90e3.exe	83
PID 540 wrote to memory of 1492	540	JaffaCakes118_0e7c027d9480001b14cc2ced1a4d90e3.exe	83
PID 540 wrote to memory of 1492	540	JaffaCakes118_0e7c027d9480001b14cc2ced1a4d90e3.exe	83
PID 540 wrote to memory of 3972	540	JaffaCakes118_0e7c027d9480001b14cc2ced1a4d90e3.exe	84
PID 540 wrote to memory of 3972	540	JaffaCakes118_0e7c027d9480001b14cc2ced1a4d90e3.exe	84
PID 540 wrote to memory of 3972	540	JaffaCakes118_0e7c027d9480001b14cc2ced1a4d90e3.exe	84
PID 3972 wrote to memory of 3456	3972	www.exe	85
PID 3972 wrote to memory of 3456	3972	www.exe	85
PID 3972 wrote to memory of 3456	3972	www.exe	85
PID 3972 wrote to memory of 1388	3972	www.exe	86
PID 3972 wrote to memory of 1388	3972	www.exe	86
PID 3972 wrote to memory of 1388	3972	www.exe	86

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e7c027d9480001b14cc2ced1a4d90e3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e7c027d9480001b14cc2ced1a4d90e3.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\PATCHER.EXE
  C:\Windows\PATCHER.EXE
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1492
- C:\Windows\www.exe
  C:\Windows\www.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3972
- - \??\c:\windows\spooll32.exe
    c:\windows\spooll32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\www.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\PATCHER.EXE

Filesize
60KB

MD5
01cf070cee7496138972e6769e460aaa

SHA1
6b3babd9853bc90524640f2b292bd7208f614aa4

SHA256
b1fd93259baf0ec3858dc67d7d09e2bf6f7b157f5772d10974d75ff17e89d129

SHA512
0d406b9b11c0d50375bd1d5249d1d224c03a506ad21b3e8473255ba83a8c424cb0f7430682aeea60f3dc4f22ed030b342b9b8789fb4060cf6456a7944239613b

Download Submit
C:\Windows\www.bat

Filesize
104B

MD5
7fb206308356847e1da38ede43dd77b5

SHA1
0e0b58668ec5323457fbf1160d0b592792148648

SHA256
a29093701cec8a29ae2710941a2800e444981ea38b61f0967ea707b7a696f1b6

SHA512
dbe86e944c7a4484de23efa1812ca586afaa77a7398d2c84df64e2cb50f8a547fa47b5b39763218fbbe9746b5a6ea8e77d5a6b7634a8203a09364d5439d543dd

Download Submit
C:\Windows\www.exe

Filesize
337KB

MD5
8812cd0e000eb34533f6b371c82b082b

SHA1
6284e9e0e84b08861d053421614fa3b5f2878319

SHA256
4221f516d0facf399172e2ad9421af5c3dbdad03b867aef6e3ce73cdc980a46c

SHA512
0c1356f2caa9cf13b69584a60026cf5b7b4dc7a22c4e249bc2c4ebb9eb32fa61036b2a6be11f92c1157a982787be2715be1d2d53fc56baabe5c89554b6a4ea0f

Download Submit
memory/540-1-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/540-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/540-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3456-37-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/3456-27-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3456-29-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/3456-35-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3456-39-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3456-42-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3456-45-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3456-48-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3972-33-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3972-23-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3972-22-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads