modiloader | 9e4dca24744586a3254587eef80f7d785b37d8115117ff33b76b903119468f10

General

Target

JaffaCakes118_978f83ce21be15bfb4904e8482235963.exe
Size

1.5MB
MD5

978f83ce21be15bfb4904e8482235963
SHA1

f1fa7576818e47d2682a430467b84f4be682a1fd
SHA256

9e4dca24744586a3254587eef80f7d785b37d8115117ff33b76b903119468f10
SHA512

5c6b3f71df84fb560c2f4aac955b5be60a3208bedd77aab05140ebf7c41602d6a7822d6b3fe83223535e5c548bbaf9ec97398c89d8228680f3c85d9a7ab3671c
SSDEEP

24576:wj6o9kjX798iENBwGM6Io+tMrVmFsKyDTz07IReM68G1J3ORGUDsb1lUVBzK:w2vENBwGioMFsKSz07IRX6f1J3OcUDsN

Score

10^/10

modiloader discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "userinit.exe,C:\\Windows\\apocalyps32.exe"	apocalyps32.exe

Modiloader family
modiloader

ModiLoader Second Stage 8 IoCs

resource	yara_rule
behavioral1/files/0x00070000000120ea-5.dat	modiloader_stage2
behavioral1/memory/1648-29-0x0000000030000000-0x000000003014B000-memory.dmp	modiloader_stage2
behavioral1/memory/2212-59-0x0000000030000000-0x000000003014B000-memory.dmp	modiloader_stage2
behavioral1/memory/2212-64-0x0000000030000000-0x000000003014B000-memory.dmp	modiloader_stage2
behavioral1/memory/2212-70-0x0000000030000000-0x000000003014B000-memory.dmp	modiloader_stage2
behavioral1/memory/2212-77-0x0000000030000000-0x000000003014B000-memory.dmp	modiloader_stage2
behavioral1/memory/2212-83-0x0000000030000000-0x000000003014B000-memory.dmp	modiloader_stage2
behavioral1/memory/2212-87-0x0000000030000000-0x000000003014B000-memory.dmp	modiloader_stage2

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 3 IoCs

pid	Process
1648	asadfg43rwaef.exe
2508	VkBot.exe
2212	apocalyps32.exe

Loads dropped DLL 3 IoCs

pid	Process
2036	JaffaCakes118_978f83ce21be15bfb4904e8482235963.exe
2036	JaffaCakes118_978f83ce21be15bfb4904e8482235963.exe
1648	asadfg43rwaef.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\apocalyps32 = "C:\\Windows\\apocalyps32.exe"	apocalyps32.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2036-0-0x0000000000400000-0x00000000004A4000-memory.dmp	upx
behavioral1/memory/2036-13-0x0000000000400000-0x00000000004A4000-memory.dmp	upx
behavioral1/files/0x0009000000016d7b-16.dat	upx
behavioral1/memory/1648-18-0x0000000002D20000-0x0000000002DB4000-memory.dmp	upx
behavioral1/memory/2508-23-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral1/memory/2508-58-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral1/memory/2508-60-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral1/memory/2508-61-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral1/memory/2508-63-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral1/memory/2508-65-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral1/memory/2508-67-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral1/memory/2508-69-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral1/memory/2508-74-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral1/memory/2508-76-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral1/memory/2508-78-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral1/memory/2508-80-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral1/memory/2508-82-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral1/memory/2508-84-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral1/memory/2508-86-0x0000000000400000-0x0000000000494000-memory.dmp	upx
behavioral1/memory/2508-89-0x0000000000400000-0x0000000000494000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apocalyps32.exe	asadfg43rwaef.exe
File opened for modification	C:\Windows\apocalyps32.exe	asadfg43rwaef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_978f83ce21be15bfb4904e8482235963.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asadfg43rwaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VkBot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apocalyps32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2508	VkBot.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2088	explorer.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2212	apocalyps32.exe
2508	VkBot.exe
2508	VkBot.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2508	VkBot.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
2508	VkBot.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2508	VkBot.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2036	JaffaCakes118_978f83ce21be15bfb4904e8482235963.exe
2212	apocalyps32.exe
2508	VkBot.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1648	2036	JaffaCakes118_978f83ce21be15bfb4904e8482235963.exe	30
PID 2036 wrote to memory of 1648	2036	JaffaCakes118_978f83ce21be15bfb4904e8482235963.exe	30
PID 2036 wrote to memory of 1648	2036	JaffaCakes118_978f83ce21be15bfb4904e8482235963.exe	30
PID 2036 wrote to memory of 1648	2036	JaffaCakes118_978f83ce21be15bfb4904e8482235963.exe	30
PID 1648 wrote to memory of 2508	1648	asadfg43rwaef.exe	31
PID 1648 wrote to memory of 2508	1648	asadfg43rwaef.exe	31
PID 1648 wrote to memory of 2508	1648	asadfg43rwaef.exe	31
PID 1648 wrote to memory of 2508	1648	asadfg43rwaef.exe	31
PID 1648 wrote to memory of 2212	1648	asadfg43rwaef.exe	32
PID 1648 wrote to memory of 2212	1648	asadfg43rwaef.exe	32
PID 1648 wrote to memory of 2212	1648	asadfg43rwaef.exe	32
PID 1648 wrote to memory of 2212	1648	asadfg43rwaef.exe	32
PID 2212 wrote to memory of 1196	2212	apocalyps32.exe	21
PID 2212 wrote to memory of 1196	2212	apocalyps32.exe	21
PID 2212 wrote to memory of 1196	2212	apocalyps32.exe	21
PID 2212 wrote to memory of 1196	2212	apocalyps32.exe	21
PID 2212 wrote to memory of 1196	2212	apocalyps32.exe	21
PID 2212 wrote to memory of 1196	2212	apocalyps32.exe	21

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_978f83ce21be15bfb4904e8482235963.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_978f83ce21be15bfb4904e8482235963.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\asadfg43rwaef.exe
    "C:\Users\Admin\AppData\Local\Temp\asadfg43rwaef.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\VkBot.exe
      "C:\Users\Admin\AppData\Local\Temp\VkBot.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2508
  - - C:\Windows\apocalyps32.exe
      -bs
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2212

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lock.png

Filesize
12KB

MD5
e71fb216d155cc4e8a8702e224419b28

SHA1
99959da9016ef902ed54e897802a5611326b5bf8

SHA256
beb2ab085cb49af7f7436b84e93e40732ac01375487f940545dabc2c5fd6ca53

SHA512
0a93ad4f6001c1f03482825e7d50ce977508f58710a03a774fc8d91825b953efad6b59c4cbe1982b344329c31a61070b97475b6ae470b52be62a6eeb48c5aa83

Download Submit
\Users\Admin\AppData\Local\Temp\VkBot.exe

Filesize
1.1MB

MD5
8f85b28a36faa456054d8af71fd58964

SHA1
33f83af9309eff55300364ba867666e23b1859f4

SHA256
1963321589af06749b418edd3fdca011777c3ad75aa96f6da3807b54f09e443a

SHA512
2e7090f6b9d76cb11c605800cc2d104c42d9db1d657f299789c770582c58071591a09ac27b12cf231b15a9c65b7c55d6723c9f2e21efbaeebb3929235fa5d92e

Download Submit
\Users\Admin\AppData\Local\Temp\asadfg43rwaef.exe

Filesize
1.3MB

MD5
d8c5fec4b20fbc0be8a5bb1eb4fccb53

SHA1
d6becfd4160f2c7d98e45783546a73675f265b82

SHA256
2022e1f3218dab197cd8f85afa2e1c73e86b30abb5abc37af0926e9e62235ccf

SHA512
9db5c3966c5bf1d926300836605e1452f1cd399da811db6cb420fdf7059979d0a8abc4201bb1332965d86427cf41977cde7459cd574e46bb4ca8f5543596a45e

Download Submit
memory/1196-31-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1648-18-0x0000000002D20000-0x0000000002DB4000-memory.dmp

Filesize
592KB

Download
memory/1648-29-0x0000000030000000-0x000000003014B000-memory.dmp

Filesize
1.3MB

Download
memory/2036-0-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2036-13-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2088-88-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/2212-64-0x0000000030000000-0x000000003014B000-memory.dmp

Filesize
1.3MB

Download
memory/2212-59-0x0000000030000000-0x000000003014B000-memory.dmp

Filesize
1.3MB

Download
memory/2212-87-0x0000000030000000-0x000000003014B000-memory.dmp

Filesize
1.3MB

Download
memory/2212-83-0x0000000030000000-0x000000003014B000-memory.dmp

Filesize
1.3MB

Download
memory/2212-77-0x0000000030000000-0x000000003014B000-memory.dmp

Filesize
1.3MB

Download
memory/2212-70-0x0000000030000000-0x000000003014B000-memory.dmp

Filesize
1.3MB

Download
memory/2508-65-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2508-78-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2508-69-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2508-58-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2508-74-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2508-76-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2508-63-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2508-67-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2508-80-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2508-82-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2508-61-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2508-84-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2508-86-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2508-60-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2508-23-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2508-89-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads