modiloader | 2cf0f0256f20b1971392fadcee01d37280693338c0aaf82cda02db47bf2fc050

Analysis

max time kernel
146s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
Size

203KB
MD5

19dc3a57ed03c603c7da981158a8e8a4
SHA1

04016028516db80bc9f8dc3824aa175c8852da13
SHA256

2cf0f0256f20b1971392fadcee01d37280693338c0aaf82cda02db47bf2fc050
SHA512

a21112cea09493daf31ec0f089c94fe9b5a0b01e088bfb4eb8031cea74b8018e7a6bdd01f954409f30cabc2cd70e292d998e77eb339688c41f6993b0d86fd462
SSDEEP

6144:cGtD2qOgIEx3VrzGGvySj3bMYwu68lzr1:nx1nPVon8lt

Score

10^/10

modiloader persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

Processes:

resource	yara_rule
\??\c:\windows\SysWOW64\sysn.dll	modiloader_stage2
behavioral1/memory/2344-8-0x00000000003A0000-0x0000000000408000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-10-0x0000000013140000-0x00000000131BA000-memory.dmp	modiloader_stage2
behavioral1/memory/2344-11-0x00000000003A0000-0x0000000000408000-memory.dmp	modiloader_stage2

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
persistence

Terminal Services DLL
T1505.005

Processes:

19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\netrt\Parameters\ServiceDll = "C:\\Windows\\System32\\sysn.dll" 19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3068 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

2344 svchost.exe
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral1/memory/2340-0-0x0000000013140000-0x00000000131BA000-memory.dmp upx
behavioral1/memory/2340-10-0x0000000013140000-0x00000000131BA000-memory.dmp upx

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\netrt\Parameters\ServiceDll = "C:\\Windows\\System32\\sysn.dll"	19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe

pid	process
3068	cmd.exe

pid	process
2344	svchost.exe

resource	yara_rule
behavioral1/memory/2340-0-0x0000000013140000-0x00000000131BA000-memory.dmp	upx
behavioral1/memory/2340-10-0x0000000013140000-0x00000000131BA000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sysn.dll	19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sysn.dll	19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe

description	pid	process
Token: SeBackupPrivilege	2340	19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
Token: SeRestorePrivilege	2340	19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
Token: SeRestorePrivilege	2340	19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
Token: SeRestorePrivilege	2340	19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
Token: SeRestorePrivilege	2340	19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
Token: SeRestorePrivilege	2340	19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
Token: SeBackupPrivilege	2340	19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
Token: SeRestorePrivilege	2340	19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
Token: SeRestorePrivilege	2340	19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
Token: SeRestorePrivilege	2340	19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
Token: SeRestorePrivilege	2340	19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
Token: SeRestorePrivilege	2340	19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe

description	pid	process	target process
PID 2340 wrote to memory of 3068	2340	19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe	cmd.exe
PID 2340 wrote to memory of 3068	2340	19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe	cmd.exe
PID 2340 wrote to memory of 3068	2340	19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe	cmd.exe
PID 2340 wrote to memory of 3068	2340	19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\19dc3a57ed03c603c7da981158a8e8a4_JaffaCakes118.exe"
2⤵
- Deletes itself
PID:3068

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k network
1⤵
- Loads dropped DLL
PID:2344

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\sysn.dll
Filesize
391KB

MD5
431d67d36495437027ef3f67326515ba

SHA1
3909a4cf87ec124f135f401886d12414bafe499c

SHA256
4d9974222b842ceb454be5f0dfcfaac54f5a9c4cd38e1594f4636e229577f5e2

SHA512
da81cbf6d820b8962c2723a543912078846dcba983f6d094c6f24c99af1c8b7659e21c05fab8880235034480536cfdf701d51bcb2b8fd5798d759a524387c96c

Download Submit
memory/2340-0-0x0000000013140000-0x00000000131BA000-memory.dmp

Filesize
488KB

Download
memory/2340-10-0x0000000013140000-0x00000000131BA000-memory.dmp

Filesize
488KB

Download
memory/2344-8-0x00000000003A0000-0x0000000000408000-memory.dmp

Filesize
416KB

Download
memory/2344-11-0x00000000003A0000-0x0000000000408000-memory.dmp

Filesize
416KB

Download