modiloader | b64168f04fa5819d3661d61068bb4629ecc4ea6da57321a1cc61ca47acc9a1ce

General

Target

d02a28730109def550aef09db44a0493_JaffaCakes118.exe
Size

2.7MB
MD5

d02a28730109def550aef09db44a0493
SHA1

b40e7d402c2a26a54c36d4ec6c70397ba89e229e
SHA256

b64168f04fa5819d3661d61068bb4629ecc4ea6da57321a1cc61ca47acc9a1ce
SHA512

05bc6009fa7ec5f01459620e6b74fcd1d8828ee5118b7113151cb2ec25cac0c25d4546cf2455648b88c0fe6b825013a147937577705d18f7cd6a83aba12f2d8b
SSDEEP

49152:x8SSmX3nu9IYGvgKP15OxzVDxq9cgT25B7GYJVZN4zGUX0JBa9RQOLnGrPAdhNDa:GSSmX3uzGH/Gxqcgar6SoXueiQoILtQb

Score

10^/10

modiloader discovery evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 12 IoCs

resource	yara_rule
behavioral2/files/0x00090000000233f1-8.dat	modiloader_stage2
behavioral2/memory/5012-41-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/4896-70-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/4896-76-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/4896-82-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/4896-88-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/4896-94-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/4896-100-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/4896-106-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/4896-112-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/4896-118-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/4896-124-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	d02a28730109def550aef09db44a0493_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	test server.exe

Executes dropped EXE 4 IoCs

pid	Process
5012	test server.exe
1248	Turkojan4.exe
4220	Turkojan4.tmp
4896	mstwain32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine	d02a28730109def550aef09db44a0493_JaffaCakes118.exe

Loads dropped DLL 6 IoCs

pid	Process
4896	mstwain32.exe
4896	mstwain32.exe
4896	mstwain32.exe
4896	mstwain32.exe
4220	Turkojan4.tmp
4220	Turkojan4.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	test server.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\mstwain32.exe	test server.exe
File opened for modification	C:\Windows\mstwain32.exe	test server.exe
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe
File created	C:\Windows\cmsetac.dll	mstwain32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Turkojan4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Turkojan4.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d02a28730109def550aef09db44a0493_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	5012	test server.exe
Token: SeBackupPrivilege	4888	vssvc.exe
Token: SeRestorePrivilege	4888	vssvc.exe
Token: SeAuditPrivilege	4888	vssvc.exe
Token: SeDebugPrivilege	4896	mstwain32.exe
Token: SeDebugPrivilege	4896	mstwain32.exe
Token: SeDebugPrivilege	4220	Turkojan4.tmp

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2752	d02a28730109def550aef09db44a0493_JaffaCakes118.exe
4896	mstwain32.exe
4896	mstwain32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 5012	2752	d02a28730109def550aef09db44a0493_JaffaCakes118.exe	86
PID 2752 wrote to memory of 5012	2752	d02a28730109def550aef09db44a0493_JaffaCakes118.exe	86
PID 2752 wrote to memory of 5012	2752	d02a28730109def550aef09db44a0493_JaffaCakes118.exe	86
PID 2752 wrote to memory of 1248	2752	d02a28730109def550aef09db44a0493_JaffaCakes118.exe	87
PID 2752 wrote to memory of 1248	2752	d02a28730109def550aef09db44a0493_JaffaCakes118.exe	87
PID 2752 wrote to memory of 1248	2752	d02a28730109def550aef09db44a0493_JaffaCakes118.exe	87
PID 1248 wrote to memory of 4220	1248	Turkojan4.exe	89
PID 1248 wrote to memory of 4220	1248	Turkojan4.exe	89
PID 1248 wrote to memory of 4220	1248	Turkojan4.exe	89
PID 5012 wrote to memory of 4896	5012	test server.exe	92
PID 5012 wrote to memory of 4896	5012	test server.exe	92
PID 5012 wrote to memory of 4896	5012	test server.exe	92

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d02a28730109def550aef09db44a0493_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d02a28730109def550aef09db44a0493_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Identifies Wine through registry keys
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\AppData\Local\Temp\test server.exe
  "C:\Users\Admin\AppData\Local\Temp\test server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\mstwain32.exe
    "C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\test server.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:4896
- C:\Users\Admin\AppData\Local\Temp\Turkojan4.exe
  "C:\Users\Admin\AppData\Local\Temp\Turkojan4.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Users\Admin\AppData\Local\Temp\is-HOHHS.tmp\Turkojan4.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-HOHHS.tmp\Turkojan4.tmp" /SL5="$80056,1651681,53248,C:\Users\Admin\AppData\Local\Temp\Turkojan4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Turkojan4.exe

Filesize
1.8MB

MD5
8b8d8522dd4975f759479a7c8132b15a

SHA1
cfb70e95680cbce231f80b2c2c75a2c28ae98d1c

SHA256
d151c9f9a8fd3c2a1f1a45b1a92209335eb9b4bd041c2cbf2f78de6900fa5716

SHA512
5dfc5e074622df15736f29aaf53d62a489ece4854b4d8fadca5df3f98a2bb8276db51ca8e8ce1beeb62ad3838e4e1770f336511a7904a080cda8e67f73e02d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HOHHS.tmp\Turkojan4.tmp

Filesize
665KB

MD5
9e30ab5e3f6b43f69f928e6b4fcfd604

SHA1
b110f04114c52f2439715cbad3769250dbcdb1b3

SHA256
affbe7f0320f9602d8c51468ecb7bc7960df4f62ab1a36c05ac2fe2816d175ba

SHA512
8d751d8c8023bbd54ea2ea0969ad9f379d8bf1066980fdd58007e778bdf654e4e13264ac8917be91ac8583ea9ae5536ca600530f413cbd887c234ec60be5a45d

Download Submit
C:\Users\Admin\AppData\Local\Temp\test server.exe

Filesize
270KB

MD5
2e20b294c0fceb12b3019fb48af4b5fd

SHA1
38f6c059be2a1158adc151fc3a7fc0dc80183646

SHA256
ed7909d45123676d009796dc2cbc5d4b108e49546fecf4f15b7acf9a80d3bc4a

SHA512
840a2d4cc2ec9245026070dcf55fea61765c6eb59e1dfa764f64b87b3c4571d78e6b79a862b96345fc84712c4eaaccbbd2f30705f8b2f92c20f26a6e395e1705

Download Submit
C:\Windows\cmsetac.dll

Filesize
33KB

MD5
ba6dbe3b8316f0a5fb703f712b8384b8

SHA1
fe29015c690f32e364334e2e49e84e3cf1a72a1b

SHA256
1422022d028fc89b56fc57e99515b6a45a5ad56785e2bb18ab25a96bc74f26fc

SHA512
0665a83ca27dae146905304b2bc0ba26bbf40fb7635c0142f3ac0ab942a2706b91a52b7c7c75807ca894cfb7d2dba23ddc65adf5777ddceeb411ec785791a5ae

Download Submit
C:\Windows\ntdtcstp.dll

Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
memory/1248-66-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1248-27-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1248-23-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2752-29-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/2752-28-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2752-1-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/2752-0-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/4220-68-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4220-69-0x0000000003220000-0x000000000322E000-memory.dmp

Filesize
56KB

Download
memory/4220-60-0x0000000003220000-0x000000000322E000-memory.dmp

Filesize
56KB

Download
memory/4896-54-0x00000000030E0000-0x00000000030EE000-memory.dmp

Filesize
56KB

Download
memory/4896-88-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4896-70-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4896-71-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/4896-72-0x00000000030E0000-0x00000000030EE000-memory.dmp

Filesize
56KB

Download
memory/4896-76-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4896-82-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4896-124-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4896-94-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4896-100-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4896-106-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4896-112-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4896-118-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5012-41-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads