modiloader | abff86df170c399beace1e61c1cf317c9cf44b6923f9ce49328b7fc60117ef76

General

Target

023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe
Size

273KB
MD5

023608e654951d4f51de802b743d3e4e
SHA1

5d6e740831122afdb543b254b75bc114af9a9b27
SHA256

abff86df170c399beace1e61c1cf317c9cf44b6923f9ce49328b7fc60117ef76
SHA512

05acf2857527c59bb005755f5ddd988819dba14b346b6c3fefff4b25073a35b484847730c62124b0bad47fc667bc00ce5deaf3e41bf0f83b270ecdbc25586252
SSDEEP

6144:bjkxGANLL8CG/TjjDrTJ9eq526TMijnNJploYb:bjkxP5qvDrLaijnoW

Score

10^/10

modiloader evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

cmd32.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd32.exe

ModiLoader Second Stage 13 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1664-0-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral2/memory/640-1-0x0000000010000000-0x000000001004B000-memory.dmp	modiloader_stage2
behavioral2/memory/1664-2-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral2/memory/1664-3-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral2/memory/1664-4-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
C:\Windows\cmd32.exe	modiloader_stage2
behavioral2/memory/1664-15-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral2/memory/2588-18-0x0000000010000000-0x000000001004B000-memory.dmp	modiloader_stage2
behavioral2/memory/4044-21-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral2/memory/4044-20-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral2/memory/4044-22-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral2/memory/4044-35-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral2/memory/4044-39-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

cmd32.execmd32.exe

pid process

2588 cmd32.exe
4044 cmd32.exe
Loads dropped DLL 4 IoCs

Processes:

cmd32.exe

pid process

4044 cmd32.exe
4044 cmd32.exe
4044 cmd32.exe
4044 cmd32.exe

pid	process
2588	cmd32.exe
4044	cmd32.exe

pid	process
4044	cmd32.exe
4044	cmd32.exe
4044	cmd32.exe
4044	cmd32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cmd32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd32 = "C:\\Windows\\cmd32.exe"	cmd32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

023608e654951d4f51de802b743d3e4e_JaffaCakes118.execmd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd32.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

023608e654951d4f51de802b743d3e4e_JaffaCakes118.execmd32.exe

description	pid	process	target process
PID 640 set thread context of 1664	640	023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe	023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe
PID 2588 set thread context of 4044	2588	cmd32.exe	cmd32.exe

Drops file in Windows directory 4 IoCs

Processes:

023608e654951d4f51de802b743d3e4e_JaffaCakes118.execmd32.exe

description	ioc	process
File created	C:\Windows\cmd32.exe	023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe
File opened for modification	C:\Windows\cmd32.exe	023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe
File created	C:\Windows\ntdtcstp.dll	cmd32.exe
File created	C:\Windows\cmsetac.dll	cmd32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

023608e654951d4f51de802b743d3e4e_JaffaCakes118.exevssvc.execmd32.exe

description	pid	process
Token: SeDebugPrivilege	1664	023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe
Token: SeBackupPrivilege	744	vssvc.exe
Token: SeRestorePrivilege	744	vssvc.exe
Token: SeAuditPrivilege	744	vssvc.exe
Token: SeDebugPrivilege	4044	cmd32.exe
Token: SeDebugPrivilege	4044	cmd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cmd32.exe

pid process

4044 cmd32.exe
4044 cmd32.exe

pid	process
4044	cmd32.exe
4044	cmd32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe023608e654951d4f51de802b743d3e4e_JaffaCakes118.execmd32.exe

description	pid	process	target process
PID 640 wrote to memory of 1664	640	023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe	023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe
PID 640 wrote to memory of 1664	640	023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe	023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe
PID 640 wrote to memory of 1664	640	023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe	023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe
PID 640 wrote to memory of 1664	640	023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe	023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe
PID 640 wrote to memory of 1664	640	023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe	023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe
PID 1664 wrote to memory of 2588	1664	023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe	cmd32.exe
PID 1664 wrote to memory of 2588	1664	023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe	cmd32.exe
PID 1664 wrote to memory of 2588	1664	023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe	cmd32.exe
PID 2588 wrote to memory of 4044	2588	cmd32.exe	cmd32.exe
PID 2588 wrote to memory of 4044	2588	cmd32.exe	cmd32.exe
PID 2588 wrote to memory of 4044	2588	cmd32.exe	cmd32.exe
PID 2588 wrote to memory of 4044	2588	cmd32.exe	cmd32.exe
PID 2588 wrote to memory of 4044	2588	cmd32.exe	cmd32.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

cmd32.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd32.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd32.exe

C:\Users\Admin\AppData\Local\Temp\023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:640

C:\Users\Admin\AppData\Local\Temp\023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\023608e654951d4f51de802b743d3e4e_JaffaCakes118.exe
2⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\cmd32.exe
"C:\Windows\cmd32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\cmd32.exe
C:\Windows\cmd32.exe
4⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\cmd32.exe

Filesize
273KB

MD5
023608e654951d4f51de802b743d3e4e

SHA1
5d6e740831122afdb543b254b75bc114af9a9b27

SHA256
abff86df170c399beace1e61c1cf317c9cf44b6923f9ce49328b7fc60117ef76

SHA512
05acf2857527c59bb005755f5ddd988819dba14b346b6c3fefff4b25073a35b484847730c62124b0bad47fc667bc00ce5deaf3e41bf0f83b270ecdbc25586252

Download Submit
C:\Windows\cmsetac.dll

Filesize
33KB

MD5
a66a11bff6bf9d404ece9f7fda73c771

SHA1
e2abe812e52ae443bf4feec8574c4ebb1246b176

SHA256
815d7c101f13ddb83abc569e769edd4a44cf2fa6c8c88bce13ed0ae7f3bcd617

SHA512
3c839adb31f926d73f42707ccd9a7704efd1d7ebb4b9fce9fac223bbd43a3e29fa1738d3ceb0ee2a89d05003c5d29090df46c447a43495859d67a3bdb313bc88

Download Submit
C:\Windows\ntdtcstp.dll

Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
memory/640-1-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download
memory/1664-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1664-3-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1664-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1664-13-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/1664-15-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1664-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2588-18-0x0000000010000000-0x000000001004B000-memory.dmp

Filesize
300KB

Download
memory/4044-20-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4044-22-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4044-29-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/4044-21-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4044-33-0x00000000030E0000-0x00000000030EE000-memory.dmp

Filesize
56KB

Download
memory/4044-35-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4044-36-0x0000000002F90000-0x0000000002F91000-memory.dmp

Filesize
4KB

Download
memory/4044-37-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/4044-38-0x00000000030E0000-0x00000000030EE000-memory.dmp

Filesize
56KB

Download
memory/4044-39-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads