modiloader | f2311764e12c512800409cc377a36af427a6a3359476433e4762cc677209d9ef

General

Target

dda7edce12b4124dd7be6faf2843aea4_JaffaCakes118.exe
Size

1.6MB
MD5

dda7edce12b4124dd7be6faf2843aea4
SHA1

a0f074733daa9e5715edd823186629ac3dd965b0
SHA256

f2311764e12c512800409cc377a36af427a6a3359476433e4762cc677209d9ef
SHA512

bf8b027719de6bda6b7416c45a9134bbbd4f8aca1e78c4b10c64c574d506589e75460199c5e7e4d4063eafe9ad0efdb0e083b90eefab2a3d220dddfba15a50d3
SSDEEP

24576:3cEqeoirXtjsFYCgVVtsFMQG/xkz0UuIViDY8Dy7uI7fQXIWoLm2I0dyV+oBMiXI:3cEqePV3e9C3HoC5JvY7j8mJhySlT

Score

10^/10

modiloader discovery evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dda7edce12b4124dd7be6faf2843aea4_JaffaCakes118.exe

ModiLoader Second Stage 22 IoCs

resource	yara_rule
behavioral1/memory/2916-0-0x0000000000401000-0x000000000041C000-memory.dmp	modiloader_stage2
behavioral1/memory/2916-5-0x0000000000400000-0x00000000005C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2916-9-0x0000000000400000-0x00000000005C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2916-10-0x0000000000400000-0x00000000005C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2916-11-0x0000000000400000-0x00000000005C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2916-12-0x0000000000400000-0x00000000005C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2916-15-0x0000000000400000-0x00000000005C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2916-16-0x0000000000400000-0x00000000005C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2916-17-0x0000000000400000-0x00000000005C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2916-18-0x0000000000400000-0x00000000005C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2916-21-0x0000000000400000-0x00000000005C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2916-24-0x0000000000400000-0x00000000005C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2916-27-0x0000000000400000-0x00000000005C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2916-31-0x0000000000400000-0x00000000005C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2916-34-0x0000000000400000-0x00000000005C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2916-37-0x0000000000400000-0x00000000005C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2916-40-0x0000000000400000-0x00000000005C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2916-43-0x0000000000400000-0x00000000005C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2916-46-0x0000000000400000-0x00000000005C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2916-49-0x0000000000400000-0x00000000005C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2916-52-0x0000000000400000-0x00000000005C0000-memory.dmp	modiloader_stage2
behavioral1/memory/2916-55-0x0000000000400000-0x00000000005C0000-memory.dmp	modiloader_stage2

Loads dropped DLL 2 IoCs

pid	Process
2916	dda7edce12b4124dd7be6faf2843aea4_JaffaCakes118.exe
2916	dda7edce12b4124dd7be6faf2843aea4_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dda7edce12b4124dd7be6faf2843aea4_JaffaCakes118.exe"	dda7edce12b4124dd7be6faf2843aea4_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dda7edce12b4124dd7be6faf2843aea4_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dda7edce12b4124dd7be6faf2843aea4_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dda7edce12b4124dd7be6faf2843aea4_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	dda7edce12b4124dd7be6faf2843aea4_JaffaCakes118.exe
Token: SeBackupPrivilege	540	vssvc.exe
Token: SeRestorePrivilege	540	vssvc.exe
Token: SeAuditPrivilege	540	vssvc.exe
Token: SeDebugPrivilege	2916	dda7edce12b4124dd7be6faf2843aea4_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2916	dda7edce12b4124dd7be6faf2843aea4_JaffaCakes118.exe
2916	dda7edce12b4124dd7be6faf2843aea4_JaffaCakes118.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dda7edce12b4124dd7be6faf2843aea4_JaffaCakes118.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\dda7edce12b4124dd7be6faf2843aea4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dda7edce12b4124dd7be6faf2843aea4_JaffaCakes118.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2916

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\cmsetac.dll

Filesize
33KB

MD5
7a8a49c76180f8a5bcde18bccdcf05af

SHA1
d2d7382aaceae82d2b261f1093f67f3186224590

SHA256
d6e7a916240da9bd13f9e2039723dd3b228bc75515c865afc037b43350eda6ae

SHA512
b6dd3846d38b00c1bb26e767ac802007b5b8503d25387d1adb31050f0d3f5e663c3655f1913d28a80b66e3be9da64ba165ae4a40ca33096f016b73152b3af513

Download Submit
\Users\Admin\AppData\Local\Temp\ntdtcstp.dll

Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
memory/2916-16-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2916-46-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2916-5-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2916-9-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2916-10-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2916-11-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2916-14-0x0000000004920000-0x000000000492E000-memory.dmp

Filesize
56KB

Download
memory/2916-13-0x0000000003DB0000-0x0000000003DB8000-memory.dmp

Filesize
32KB

Download
memory/2916-12-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2916-15-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2916-0-0x0000000000401000-0x000000000041C000-memory.dmp

Filesize
108KB

Download
memory/2916-17-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2916-7-0x0000000004920000-0x000000000492E000-memory.dmp

Filesize
56KB

Download
memory/2916-24-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2916-18-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2916-27-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2916-31-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2916-34-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2916-37-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2916-40-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2916-43-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2916-21-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2916-49-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2916-52-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2916-55-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads