modiloader | 568bb20f086c3b66c94ac2bdc7bff91d5452d118aebe74d81dfdd70633e6ab50

Analysis

max time kernel
135s
max time network
136s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
Size

302KB
MD5

188153f381a3b62bad11dd2f6ea6b498
SHA1

1468ddf7ad4464c787e216bf3a2f6a8f9e454778
SHA256

568bb20f086c3b66c94ac2bdc7bff91d5452d118aebe74d81dfdd70633e6ab50
SHA512

4dd529ba660261eedc5a152dd7cca11a2033440579f273f1edea2ff2ac882b8e6d6962450e29d702ff0e91725f8d407cb8d3d7db2b3b6139737b49f248726686
SSDEEP

6144:3q3W2JBfvGQopEnL3L+Z4i14RjzgKQQI697orKOYwUiJ+KRH0NNe3:6NopoLKZx1U9QssrswUYRHye3

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

Processes:

resource	yara_rule
\??\c:\windows\SysWOW64\sysns.dll	modiloader_stage2
behavioral1/memory/2588-10-0x00000000009D0000-0x0000000000A4C000-memory.dmp	modiloader_stage2
behavioral1/memory/2996-11-0x0000000013140000-0x0000000013222000-memory.dmp	modiloader_stage2
behavioral1/memory/2588-15-0x00000000009D0000-0x0000000000A4C000-memory.dmp	modiloader_stage2
behavioral1/memory/2588-17-0x00000000009D0000-0x0000000000A4C000-memory.dmp	modiloader_stage2

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
persistence

Terminal Services DLL
T1505.005

Processes:

188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\netns\Parameters\ServiceDll = "C:\\Windows\\System32\\sysns.dll" 188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2600 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

svchost.exe

pid process

2588 svchost.exe
2588 svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\netns\Parameters\ServiceDll = "C:\\Windows\\System32\\sysns.dll"	188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe

pid	process
2600	cmd.exe

pid	process
2588	svchost.exe
2588	svchost.exe

Drops file in System32 directory 5 IoCs

Processes:

188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\netservice.exe	188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\netservice.exe	188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sysns.dll	188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sysns.dll	188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\plugin\001.dll	188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe

pid process

2996 188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe

pid	process
2996	188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe

description	pid	process
Token: SeBackupPrivilege	2996	188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
Token: SeRestorePrivilege	2996	188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
Token: SeRestorePrivilege	2996	188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
Token: SeRestorePrivilege	2996	188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
Token: SeRestorePrivilege	2996	188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
Token: SeRestorePrivilege	2996	188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
Token: SeBackupPrivilege	2996	188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
Token: SeRestorePrivilege	2996	188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
Token: SeRestorePrivilege	2996	188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
Token: SeRestorePrivilege	2996	188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
Token: SeRestorePrivilege	2996	188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
Token: SeRestorePrivilege	2996	188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe

description	pid	process	target process
PID 2996 wrote to memory of 2600	2996	188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe	cmd.exe
PID 2996 wrote to memory of 2600	2996	188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe	cmd.exe
PID 2996 wrote to memory of 2600	2996	188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe	cmd.exe
PID 2996 wrote to memory of 2600	2996	188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\188153f381a3b62bad11dd2f6ea6b498_JaffaCakes118.exe"
2⤵
- Deletes itself
PID:2600

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k network
1⤵
- Loads dropped DLL
PID:2588

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\plugin\001.dll
Filesize
19KB

MD5
279ddab68e523c810d457eebda80a8ad

SHA1
596b4ccd79c548d05346fd2c22a6a8d8eddc13af

SHA256
1d316b0a0d0b607e61f7ec6d4336855a0fd229733c90ba6baed5fd3b847628e8

SHA512
5281706afe3d0859770ba458ec083fd5abf4c78b62ef68bd8d8bf6b846d50f1f4c017f81898b71ebfd731d938c8f5e742dd08dec62df29b305ac13c051dbf2f9

Download Submit
\??\c:\windows\SysWOW64\sysns.dll
Filesize
475KB

MD5
813a5af74a429a664eaa2623eaa3b390

SHA1
71db501ac359ac462e3af5419b888dc43b58a9f9

SHA256
51b0294a20a1e958bab85e607e5500bb4bea26fe4f41846851befc4d54f3e93f

SHA512
66a547b4db3a6c270fa3adb4b0f089544ebcd93ad56e10822d959e9a7630b1c573ed040185b401195a6e6da9349f7bf390768bb0b132bc3f4c52f76a7899a259

Download Submit
memory/2588-10-0x00000000009D0000-0x0000000000A4C000-memory.dmp

Filesize
496KB

Download
memory/2588-16-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2588-15-0x00000000009D0000-0x0000000000A4C000-memory.dmp

Filesize
496KB

Download
memory/2588-17-0x00000000009D0000-0x0000000000A4C000-memory.dmp

Filesize
496KB

Download
memory/2996-1-0x0000000013140000-0x0000000013222000-memory.dmp

Filesize
904KB

Download
memory/2996-2-0x00000000131D5000-0x0000000013221000-memory.dmp

Filesize
304KB

Download
memory/2996-0-0x0000000013140000-0x0000000013222000-memory.dmp

Filesize
904KB

Download
memory/2996-11-0x0000000013140000-0x0000000013222000-memory.dmp

Filesize
904KB

Download
memory/2996-12-0x00000000131D5000-0x0000000013221000-memory.dmp

Filesize
304KB

Download