modiloader | 6b7d23df4d5bbde58d3abccbb7e92c60f884fc844f3ebb69c6c28584310dfa0e

General

Target

452bc14f39f1f9698ad10662c0a70f31_JaffaCakes118.exe
Size

1.5MB
MD5

452bc14f39f1f9698ad10662c0a70f31
SHA1

53d7ceacbe629becde73e4b8ffb7f9088c8b12f2
SHA256

6b7d23df4d5bbde58d3abccbb7e92c60f884fc844f3ebb69c6c28584310dfa0e
SHA512

9c279e282734b253a5f886a1164a08de620c229652875d808dd103168c1ffc5011486088560b7ea3efe6030843cec1fa9b672c4958537ed6e9b3a9ed06f82b28
SSDEEP

24576:51T+bpyHXJ9io9FSSqxGlIMb5EzH0FBuuND9mu70YNFMzFDK3CAdhNDQjTjJ:5NLHXTgIIdw6u7vIYQFDKSAdhNDQjT9

Score

10^/10

modiloader evasion persistence themida trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

ModiLoader Second Stage 16 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012115-9.dat	modiloader_stage2
behavioral1/memory/1232-32-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/944-38-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/944-41-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/944-44-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/944-47-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/944-50-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/944-54-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/944-57-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/944-60-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/944-63-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/944-66-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/944-69-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/944-72-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/944-75-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/944-78-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
1232	server.exe
944	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
2632	452bc14f39f1f9698ad10662c0a70f31_JaffaCakes118.exe
2632	452bc14f39f1f9698ad10662c0a70f31_JaffaCakes118.exe
1232	server.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2632-6-0x0000000000400000-0x0000000000539000-memory.dmp	themida
behavioral1/memory/2632-7-0x0000000000400000-0x0000000000539000-memory.dmp	themida
behavioral1/memory/2632-20-0x0000000000400000-0x0000000000539000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\svchost.exe"	svchost.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	server.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	server.exe
File opened for modification	C:\Windows\svchost.exe	server.exe
File created	C:\Windows\ntdtcstp.dll	svchost.exe
File created	C:\Windows\cmsetac.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2632	452bc14f39f1f9698ad10662c0a70f31_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1232	server.exe
Token: SeBackupPrivilege	2260	vssvc.exe
Token: SeRestorePrivilege	2260	vssvc.exe
Token: SeAuditPrivilege	2260	vssvc.exe
Token: SeDebugPrivilege	944	svchost.exe
Token: SeDebugPrivilege	944	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
840	DllHost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2632	452bc14f39f1f9698ad10662c0a70f31_JaffaCakes118.exe
944	svchost.exe
944	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 1232	2632	452bc14f39f1f9698ad10662c0a70f31_JaffaCakes118.exe	30
PID 2632 wrote to memory of 1232	2632	452bc14f39f1f9698ad10662c0a70f31_JaffaCakes118.exe	30
PID 2632 wrote to memory of 1232	2632	452bc14f39f1f9698ad10662c0a70f31_JaffaCakes118.exe	30
PID 2632 wrote to memory of 1232	2632	452bc14f39f1f9698ad10662c0a70f31_JaffaCakes118.exe	30
PID 1232 wrote to memory of 944	1232	server.exe	35
PID 1232 wrote to memory of 944	1232	server.exe	35
PID 1232 wrote to memory of 944	1232	server.exe	35
PID 1232 wrote to memory of 944	1232	server.exe	35

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\452bc14f39f1f9698ad10662c0a70f31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\452bc14f39f1f9698ad10662c0a70f31_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\svchost.exe
    "C:\Windows\svchost.exe" \melt "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:944

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.JPG

Filesize
37KB

MD5
e5bd7eb29be001d06d4bb297864f959b

SHA1
ee3f7ab7b2d13f563c07a116aa13b3a19b745ea2

SHA256
a91819c76d0d08fcbdef24e5c26d2da41ce4f8623270309f9fa9a7c0e8d7461a

SHA512
b5344677bfa7837768133d22182e75921e1eeebe51effc2303f4394064a2bb48e32ea996c178265e396aafbd72d5c9f8c4167ce7ed06362b33c7627f63344598

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
270KB

MD5
f1a49b093b121c010164cd71d3c7602d

SHA1
1a679e706bf7e4d94ce0499d95ef1645c10f220f

SHA256
e947f94e16e229a1b779c9330fd8406fb05c4593903734d07fd239c208617156

SHA512
459140a060ec6262c94b7e435ebf6c02ddf262487bc39ed8139f103171bc96bdc140c9ed156d33e10409be8fa4b68a2cd8ebd976bdba4ee49358507b45b56264

Download Submit
memory/840-18-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/944-39-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/944-63-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/944-78-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/944-75-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/944-72-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/944-69-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/944-66-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/944-60-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/944-36-0x0000000000550000-0x000000000055E000-memory.dmp

Filesize
56KB

Download
memory/944-38-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/944-40-0x0000000000550000-0x000000000055E000-memory.dmp

Filesize
56KB

Download
memory/944-57-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/944-41-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/944-44-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/944-47-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/944-50-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/944-54-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1232-32-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2632-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2632-7-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2632-1-0x0000000000540000-0x0000000000624000-memory.dmp

Filesize
912KB

Download
memory/2632-20-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2632-2-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/2632-17-0x0000000006740000-0x0000000006742000-memory.dmp

Filesize
8KB

Download
memory/2632-6-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads