modiloader | 57d44ccc7d88330019d60fb72f8be93c1ae1893a79437a18f724ef62c7a5cebd

General

Target

26eeb6e7c89d45c066307de3d8d5ccb7_JaffaCakes118.exe
Size

1.2MB
MD5

26eeb6e7c89d45c066307de3d8d5ccb7
SHA1

1d95087fefaacc828aac005f87e53f3f7e0a5171
SHA256

57d44ccc7d88330019d60fb72f8be93c1ae1893a79437a18f724ef62c7a5cebd
SHA512

441f0bab37fb242073177d43a86e6d438e1b30387fd038e67849066af77f22becf3ba29c55a27f12b3957effa7dc20402c0816c0be35a4e5a4cb0f1796c40b3c
SSDEEP

24576:sS2Vp6RwT/HLJvHYifLNgbNpU8fBos6x2stEtWT+4f9uDdqA2bxIdJeS:up6STDdZ/8fSTx2RtWT+41ScA2eJeS

Score

10^/10

modiloader evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

ModiLoader Second Stage 16 IoCs

resource	yara_rule
behavioral1/files/0x003800000001566b-12.dat	modiloader_stage2
behavioral1/memory/1988-27-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2940-33-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2940-36-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2940-39-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2940-42-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2940-45-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2940-49-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2940-52-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2940-55-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2940-58-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2940-61-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2940-64-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2940-67-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2940-70-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2940-73-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

pid	Process
1988	p4r4d0xTemp1.exe
2500	p4r4d0xTemp2.exe
2940	winlogon.exe

Loads dropped DLL 1 IoCs

pid	Process
1988	p4r4d0xTemp1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\winlogon.exe"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	p4r4d0xTemp1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winlogon.exe	p4r4d0xTemp1.exe
File created	C:\Windows\ntdtcstp.dll	winlogon.exe
File created	C:\Windows\cmsetac.dll	winlogon.exe
File created	C:\Windows\winlogon.exe	p4r4d0xTemp1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	p4r4d0xTemp1.exe
Token: SeBackupPrivilege	2668	vssvc.exe
Token: SeRestorePrivilege	2668	vssvc.exe
Token: SeAuditPrivilege	2668	vssvc.exe
Token: SeDebugPrivilege	2940	winlogon.exe
Token: SeDebugPrivilege	2940	winlogon.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2940	winlogon.exe
2940	winlogon.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 1988	2968	26eeb6e7c89d45c066307de3d8d5ccb7_JaffaCakes118.exe	28
PID 2968 wrote to memory of 1988	2968	26eeb6e7c89d45c066307de3d8d5ccb7_JaffaCakes118.exe	28
PID 2968 wrote to memory of 1988	2968	26eeb6e7c89d45c066307de3d8d5ccb7_JaffaCakes118.exe	28
PID 2968 wrote to memory of 1988	2968	26eeb6e7c89d45c066307de3d8d5ccb7_JaffaCakes118.exe	28
PID 2968 wrote to memory of 2500	2968	26eeb6e7c89d45c066307de3d8d5ccb7_JaffaCakes118.exe	29
PID 2968 wrote to memory of 2500	2968	26eeb6e7c89d45c066307de3d8d5ccb7_JaffaCakes118.exe	29
PID 2968 wrote to memory of 2500	2968	26eeb6e7c89d45c066307de3d8d5ccb7_JaffaCakes118.exe	29
PID 2968 wrote to memory of 2500	2968	26eeb6e7c89d45c066307de3d8d5ccb7_JaffaCakes118.exe	29
PID 1988 wrote to memory of 2940	1988	p4r4d0xTemp1.exe	33
PID 1988 wrote to memory of 2940	1988	p4r4d0xTemp1.exe	33
PID 1988 wrote to memory of 2940	1988	p4r4d0xTemp1.exe	33
PID 1988 wrote to memory of 2940	1988	p4r4d0xTemp1.exe	33

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\26eeb6e7c89d45c066307de3d8d5ccb7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26eeb6e7c89d45c066307de3d8d5ccb7_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Temp\p4r4d0xTemp1.exe
  "C:\Users\Admin\AppData\Local\Temp\p4r4d0xTemp1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\winlogon.exe
    "C:\Windows\winlogon.exe" \melt "C:\Users\Admin\AppData\Local\Temp\p4r4d0xTemp1.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2940
- C:\Users\Admin\AppData\Local\Temp\p4r4d0xTemp2.exe
  "C:\Users\Admin\AppData\Local\Temp\p4r4d0xTemp2.exe"
  2⤵
  - Executes dropped EXE
  PID:2500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\p4r4d0xTemp1.exe

Filesize
270KB

MD5
54467dbaa6c1b7babe9cb517f027cd26

SHA1
6467f0e0da78a8e62821e9cc0aae3b5382b4b93f

SHA256
c36f418d5328fb94a529d924253ba3710fed91442d39294240c0151ed771bb4b

SHA512
7bb6ccca9ace5adf4d026edf0dc027f009810a989954eb2f483b4e71befd9cf3d195fac56188b59027e15d028e50fd4207bd9cadbb5b70a13c3c26363d8faa78

Download Submit
C:\Users\Admin\AppData\Local\Temp\p4r4d0xTemp2.exe

Filesize
940KB

MD5
342c60e8dc2b2cc817927dc5af30353f

SHA1
e56ecc75c36b66c547255e894f4d539a67f18212

SHA256
0fdc3b8f49d653ecca0dc87627659e62176678e709e7ae9d24480e89324833af

SHA512
58a4f96ab51a7f678a654bbc6ba326219d98cb9697e772ad2af641389bfceab7af3ca460515b77969cfe567cb6a3d3783e21102d0041b6d46db768b2870480ed

Download Submit
memory/1988-27-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2940-55-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2940-42-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2940-73-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2940-70-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2940-67-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2940-31-0x00000000004A0000-0x00000000004AE000-memory.dmp

Filesize
56KB

Download
memory/2940-33-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2940-35-0x00000000004A0000-0x00000000004AE000-memory.dmp

Filesize
56KB

Download
memory/2940-34-0x0000000000280000-0x0000000000288000-memory.dmp

Filesize
32KB

Download
memory/2940-36-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2940-39-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2940-64-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2940-45-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2940-49-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2940-52-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2940-61-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2940-58-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2968-0-0x000007FEF5C2E000-0x000007FEF5C2F000-memory.dmp

Filesize
4KB

Download
memory/2968-6-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

Filesize
9.6MB

Download
memory/2968-1-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

Filesize
9.6MB

Download
memory/2968-16-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

Filesize
9.6MB

Download
memory/2968-2-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads