modiloader | f2afe2a1581477f9526559d2b61a4c3760a9332ce2712a90d8dac4ce58c6c20b

General

Target

dc2c420aa21d3a65927094f63879e801_JaffaCakes118.exe
Size

1.2MB
MD5

dc2c420aa21d3a65927094f63879e801
SHA1

0aa614fe54efb128dc6b0cc0c83129ee6b89914f
SHA256

f2afe2a1581477f9526559d2b61a4c3760a9332ce2712a90d8dac4ce58c6c20b
SHA512

262e924e477a517a18af3e7f290f46b7dd2ea1917a38864f93895984cff3f29598ec64a3adfab931383a5e30beca3d072e08fc8bf968f5e9c684b9002a939a1f
SSDEEP

24576:oIjegyC225c7EFJWkPbFlpbj0pyDPVq9AdhNDQjTjW:ygy0tHFjIwPVoAdhNDQjT6

Score

10^/10

modiloader discovery evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 16 IoCs

resource	yara_rule
behavioral1/files/0x0008000000018dea-18.dat	modiloader_stage2
behavioral1/memory/2884-22-0x0000000000400000-0x0000000000443000-memory.dmp	modiloader_stage2
behavioral1/memory/2884-33-0x0000000000400000-0x0000000000443000-memory.dmp	modiloader_stage2
behavioral1/memory/1240-37-0x0000000000400000-0x0000000000443000-memory.dmp	modiloader_stage2
behavioral1/memory/1240-39-0x0000000000400000-0x0000000000443000-memory.dmp	modiloader_stage2
behavioral1/memory/1240-41-0x0000000000400000-0x0000000000443000-memory.dmp	modiloader_stage2
behavioral1/memory/1240-43-0x0000000000400000-0x0000000000443000-memory.dmp	modiloader_stage2
behavioral1/memory/1240-46-0x0000000000400000-0x0000000000443000-memory.dmp	modiloader_stage2
behavioral1/memory/1240-48-0x0000000000400000-0x0000000000443000-memory.dmp	modiloader_stage2
behavioral1/memory/1240-50-0x0000000000400000-0x0000000000443000-memory.dmp	modiloader_stage2
behavioral1/memory/1240-52-0x0000000000400000-0x0000000000443000-memory.dmp	modiloader_stage2
behavioral1/memory/1240-54-0x0000000000400000-0x0000000000443000-memory.dmp	modiloader_stage2
behavioral1/memory/1240-56-0x0000000000400000-0x0000000000443000-memory.dmp	modiloader_stage2
behavioral1/memory/1240-58-0x0000000000400000-0x0000000000443000-memory.dmp	modiloader_stage2
behavioral1/memory/1240-60-0x0000000000400000-0x0000000000443000-memory.dmp	modiloader_stage2
behavioral1/memory/1240-62-0x0000000000400000-0x0000000000443000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2884	server.exe
1240	mstwain32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	dc2c420aa21d3a65927094f63879e801_JaffaCakes118.exe

Loads dropped DLL 3 IoCs

pid	Process
320	dc2c420aa21d3a65927094f63879e801_JaffaCakes118.exe
320	dc2c420aa21d3a65927094f63879e801_JaffaCakes118.exe
2884	server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	server.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
320	dc2c420aa21d3a65927094f63879e801_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe
File created	C:\Windows\mstwain32.exe	server.exe
File opened for modification	C:\Windows\mstwain32.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc2c420aa21d3a65927094f63879e801_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
320	dc2c420aa21d3a65927094f63879e801_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	server.exe
Token: SeBackupPrivilege	2100	vssvc.exe
Token: SeRestorePrivilege	2100	vssvc.exe
Token: SeAuditPrivilege	2100	vssvc.exe
Token: SeDebugPrivilege	1240	mstwain32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2932	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
320	dc2c420aa21d3a65927094f63879e801_JaffaCakes118.exe
1240	mstwain32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 2884	320	dc2c420aa21d3a65927094f63879e801_JaffaCakes118.exe	31
PID 320 wrote to memory of 2884	320	dc2c420aa21d3a65927094f63879e801_JaffaCakes118.exe	31
PID 320 wrote to memory of 2884	320	dc2c420aa21d3a65927094f63879e801_JaffaCakes118.exe	31
PID 320 wrote to memory of 2884	320	dc2c420aa21d3a65927094f63879e801_JaffaCakes118.exe	31
PID 2884 wrote to memory of 1240	2884	server.exe	35
PID 2884 wrote to memory of 1240	2884	server.exe	35
PID 2884 wrote to memory of 1240	2884	server.exe	35
PID 2884 wrote to memory of 1240	2884	server.exe	35

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\dc2c420aa21d3a65927094f63879e801_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc2c420aa21d3a65927094f63879e801_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:320
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\mstwain32.exe
    "C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1240

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Paisagem-sol[1].jpg

Filesize
102KB

MD5
1aab4859406aa69578959161237c588b

SHA1
030649178212b66174f48b26d9e724dfbfa72911

SHA256
8d1d392f0a92aecde2ff20563dedcfaee137a6354befbeeb3b76138bedc72757

SHA512
3833afc7b1b3ce39638bcaed0c09cbbc0aa927aaaa27eebfd3b24be3f22a08f6a509d3aea2c644831417e7cc558576f53de9da6be1f293a326231ea5bd80710f

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
237KB

MD5
2e4cba471a11c515949cd4a7baa791b7

SHA1
4efcffeb18f9595581dccb1147f4c84dc8a951da

SHA256
d334eedb2cd52998f855177c0b965c2dc7dd1f3d396cfb820297bda8ebe50b91

SHA512
b59e7c61c817addc5aa5557b38f7f57809ff134eabdbe33339c2277a89d97972f12dcae54f7da49cfeb48ce9ba6a6a8db7cc27814ef588346e6ed2013edb3b56

Download Submit
memory/320-1-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/320-20-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/320-0-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/320-7-0x0000000004C70000-0x0000000004C72000-memory.dmp

Filesize
8KB

Download
memory/320-5-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/320-4-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1240-46-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1240-43-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1240-62-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1240-60-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1240-58-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1240-38-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/1240-37-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1240-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1240-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1240-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1240-54-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1240-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1240-50-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1240-52-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2884-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2884-22-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2932-10-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2932-8-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2932-23-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads