modiloader | 5be4847da11b0d4132d2d763a2d098a0907d2d31323df2e36b744e9df2712fee

General

Target

de9721321a7c4a0ffd6312bf355f0e30_JaffaCakes118.exe
Size

365KB
MD5

de9721321a7c4a0ffd6312bf355f0e30
SHA1

20d31f5595054b56390494aec19a7cec78a00c79
SHA256

5be4847da11b0d4132d2d763a2d098a0907d2d31323df2e36b744e9df2712fee
SHA512

f330dc0ed481c6121e12d6cdb3182f923f8466dc182bb6cc84cbc0ca8c586aab95eb291e1733c25baa03acedee7cd480eac9cd229c5311378fc153119209ccb7
SSDEEP

6144:/B2j3R7KR7lgjGH6EMjcOLe9W8liHNbMfrFCKEwbZCq3hm7yb/8V:/Be3Zc7lgjs6VLecYwNbMfrFtEKF3h2v

Score

10^/10

modiloader discovery evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 17 IoCs

resource	yara_rule
behavioral1/memory/2344-22-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/840-26-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/840-33-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/840-36-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/840-37-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/840-40-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/840-43-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/840-46-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/840-50-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/840-53-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/840-56-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/840-59-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/840-62-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/840-65-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/840-68-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/840-71-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/840-74-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2344	2592.exe
840	mstwain32.exe

Loads dropped DLL 1 IoCs

pid	Process
2344	2592.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000015d64-9.dat	upx
behavioral1/memory/2344-10-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2344-22-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/840-26-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/840-33-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/840-36-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/840-37-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/840-40-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/840-43-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/840-46-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/840-50-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/840-53-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/840-56-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/840-59-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/840-62-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/840-65-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/840-68-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/840-71-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/840-74-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2592.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe
File created	C:\Windows\cmsetac.dll	mstwain32.exe
File created	C:\Windows\mstwain32.exe	2592.exe
File opened for modification	C:\Windows\mstwain32.exe	2592.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	2592.exe
Token: SeBackupPrivilege	844	vssvc.exe
Token: SeRestorePrivilege	844	vssvc.exe
Token: SeAuditPrivilege	844	vssvc.exe
Token: SeDebugPrivilege	840	mstwain32.exe
Token: SeDebugPrivilege	840	mstwain32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
840	mstwain32.exe
840	mstwain32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2344	2500	de9721321a7c4a0ffd6312bf355f0e30_JaffaCakes118.exe	30
PID 2500 wrote to memory of 2344	2500	de9721321a7c4a0ffd6312bf355f0e30_JaffaCakes118.exe	30
PID 2500 wrote to memory of 2344	2500	de9721321a7c4a0ffd6312bf355f0e30_JaffaCakes118.exe	30
PID 2500 wrote to memory of 2344	2500	de9721321a7c4a0ffd6312bf355f0e30_JaffaCakes118.exe	30
PID 2344 wrote to memory of 840	2344	2592.exe	34
PID 2344 wrote to memory of 840	2344	2592.exe	34
PID 2344 wrote to memory of 840	2344	2592.exe	34
PID 2344 wrote to memory of 840	2344	2592.exe	34

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\de9721321a7c4a0ffd6312bf355f0e30_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de9721321a7c4a0ffd6312bf355f0e30_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Local\Temp\2592.exe
  C:\Users\Admin\AppData\Local\Temp\2592.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\mstwain32.exe
    "C:\Windows\mstwain32.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2592.exe

Filesize
110KB

MD5
ddee0091de8e83af3bc46f18f6703211

SHA1
4d0ca29b079952dc68e1863d2962eb0b77f54b57

SHA256
0cf367118bbfe67afca0fa75403c5940f52d89c93b54f9a118f20e8866b41b33

SHA512
a5d05c45074b6eab85aa8af6033490099c1aadc56c0d692947409a171b1897765770c1d8ff29265e4cddc1a692b86c1c5b289bd6842c4d5b81940670a3e012ad

Download Submit
memory/840-50-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/840-56-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/840-74-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/840-71-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/840-68-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/840-65-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/840-62-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/840-26-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/840-59-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/840-37-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/840-30-0x00000000005A0000-0x00000000005AE000-memory.dmp

Filesize
56KB

Download
memory/840-53-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/840-35-0x00000000005A0000-0x00000000005AE000-memory.dmp

Filesize
56KB

Download
memory/840-34-0x0000000000300000-0x0000000000308000-memory.dmp

Filesize
32KB

Download
memory/840-36-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/840-46-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/840-33-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/840-40-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/840-43-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2344-22-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2344-16-0x0000000000870000-0x0000000000880000-memory.dmp

Filesize
64KB

Download
memory/2344-10-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2500-2-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

Filesize
9.6MB

Download
memory/2500-0-0x000007FEF61CE000-0x000007FEF61CF000-memory.dmp

Filesize
4KB

Download
memory/2500-32-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

Filesize
9.6MB

Download
memory/2500-24-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

Filesize
9.6MB

Download
memory/2500-25-0x000007FEF61CE000-0x000007FEF61CF000-memory.dmp

Filesize
4KB

Download
memory/2500-1-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

Filesize
9.6MB

Download
memory/2500-3-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads