modiloader | e7911a67fb298be3497753989853d237fe3878c5ce08ac348ab296f50ff728ee

General

Target

0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe
Size

270KB
MD5

0232a4455c6f6aafcd2ba32cdc5ff88d
SHA1

15311cc7bc79f4d30a419d12b73b7e4ac6747a19
SHA256

e7911a67fb298be3497753989853d237fe3878c5ce08ac348ab296f50ff728ee
SHA512

d90e4532fcae0220ca3b23fab75e6e4baf77b2c03174c19496cf7754d4256464610b08e32c61e63d195d211e284c7850d7a8c464032a5d8dbed88df8726defa1
SSDEEP

6144:jG877xS21+Wi+io1XWwTBAWx4v5xBpcipJvHx:S27xS21+aswTSCO7pJvHx

Score

10^/10

modiloader evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe

ModiLoader Second Stage 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2764-4-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-8-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-9-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-10-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-13-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-14-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-17-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-18-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-21-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-24-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-27-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-30-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-33-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-36-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-39-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-42-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-45-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-48-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-51-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2

Loads dropped DLL 2 IoCs

Processes:

0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe

pid process

2764 0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe
2764 0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe

pid	process
2764	0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe
2764	0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\msn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe"	0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2764	0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe
Token: SeDebugPrivilege	2764	0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe

pid process

2764 0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe
2764 0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe

pid	process
2764	0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe
2764	0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0232a4455c6f6aafcd2ba32cdc5ff88d_JaffaCakes118.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2764

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\cmsetac.dlL
Filesize
33KB

MD5
d5788d6c79a80195d8697b660982500e

SHA1
6265c445bd3831418b33a739ce8e40103384123e

SHA256
b427bf2fed570068eb175b81573c64e8f760bee6074012794f1d3dddd6ae5b53

SHA512
a9efcb012bc8aee73d54afa19a9d5f205bdadf561d12a97ac7364f2b8d78197bb011691d8aa60159be812a9ddd15c123e39f31ab1a82220aa9916d4fa06954a8

Download Submit
\Users\Admin\AppData\Local\Temp\ntdtcstp.dLl
Filesize
7KB

MD5
5711405e2cd266ccb4a4938ec260e1dc

SHA1
ede02b4ccdce48702216f3e8c598740ae65f91f0

SHA256
4d100edcbf80bff8570ae37ab56e932b38f01432f3334449aadc9203c7b7d065

SHA512
ec98f21c83b6be460d9dc02d275c4ab673380329d57c811be034d68c9389c690ae31657dc531af682f3f4df5106589ca00f162d2ccf06c81b3657f8319bc71c9

Download Submit
memory/2764-18-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-8-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-21-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-9-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-10-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-12-0x0000000001D50000-0x0000000001D5E000-memory.dmp

Filesize
56KB

Download
memory/2764-11-0x00000000001E0000-0x00000000001E8000-memory.dmp

Filesize
32KB

Download
memory/2764-13-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-24-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-17-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-51-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-6-0x0000000001D50000-0x0000000001D5E000-memory.dmp

Filesize
56KB

Download
memory/2764-14-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-27-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-30-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-33-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-36-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-39-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-42-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-45-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-48-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2764-4-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads