modiloader | 5be4847da11b0d4132d2d763a2d098a0907d2d31323df2e36b744e9df2712fee

General

Target

de9721321a7c4a0ffd6312bf355f0e30_JaffaCakes118.exe
Size

365KB
MD5

de9721321a7c4a0ffd6312bf355f0e30
SHA1

20d31f5595054b56390494aec19a7cec78a00c79
SHA256

5be4847da11b0d4132d2d763a2d098a0907d2d31323df2e36b744e9df2712fee
SHA512

f330dc0ed481c6121e12d6cdb3182f923f8466dc182bb6cc84cbc0ca8c586aab95eb291e1733c25baa03acedee7cd480eac9cd229c5311378fc153119209ccb7
SSDEEP

6144:/B2j3R7KR7lgjGH6EMjcOLe9W8liHNbMfrFCKEwbZCq3hm7yb/8V:/Be3Zc7lgjs6VLecYwNbMfrFtEKF3h2v

Score

10^/10

modiloader discovery evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 16 IoCs

resource	yara_rule
behavioral2/memory/1160-24-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/1392-40-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/1392-43-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/1392-44-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/1392-47-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/1392-50-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/1392-53-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/1392-56-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/1392-59-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/1392-62-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/1392-65-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/1392-68-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/1392-71-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/1392-74-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/1392-77-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/1392-80-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	574.exe

Executes dropped EXE 2 IoCs

pid	Process
1160	574.exe
1392	mstwain32.exe

Loads dropped DLL 4 IoCs

pid	Process
1392	mstwain32.exe
1392	mstwain32.exe
1392	mstwain32.exe
1392	mstwain32.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000800000002343f-10.dat	upx
behavioral2/memory/1160-11-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/1160-24-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/1392-40-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/1392-43-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/1392-44-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/1392-47-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/1392-50-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/1392-53-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/1392-56-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/1392-59-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/1392-62-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/1392-65-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/1392-68-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/1392-71-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/1392-74-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/1392-77-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/1392-80-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	574.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mstwain32.exe	574.exe
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe
File created	C:\Windows\cmsetac.dll	mstwain32.exe
File created	C:\Windows\mstwain32.exe	574.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	574.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1160	574.exe
Token: SeBackupPrivilege	2604	vssvc.exe
Token: SeRestorePrivilege	2604	vssvc.exe
Token: SeAuditPrivilege	2604	vssvc.exe
Token: SeDebugPrivilege	1392	mstwain32.exe
Token: SeDebugPrivilege	1392	mstwain32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1392	mstwain32.exe
1392	mstwain32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 1160	4276	de9721321a7c4a0ffd6312bf355f0e30_JaffaCakes118.exe	85
PID 4276 wrote to memory of 1160	4276	de9721321a7c4a0ffd6312bf355f0e30_JaffaCakes118.exe	85
PID 4276 wrote to memory of 1160	4276	de9721321a7c4a0ffd6312bf355f0e30_JaffaCakes118.exe	85
PID 1160 wrote to memory of 1392	1160	574.exe	90
PID 1160 wrote to memory of 1392	1160	574.exe	90
PID 1160 wrote to memory of 1392	1160	574.exe	90

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\de9721321a7c4a0ffd6312bf355f0e30_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de9721321a7c4a0ffd6312bf355f0e30_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Users\Admin\AppData\Local\Temp\574.exe
  C:\Users\Admin\AppData\Local\Temp\574.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\mstwain32.exe
    "C:\Windows\mstwain32.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\574.exe

Filesize
110KB

MD5
ddee0091de8e83af3bc46f18f6703211

SHA1
4d0ca29b079952dc68e1863d2962eb0b77f54b57

SHA256
0cf367118bbfe67afca0fa75403c5940f52d89c93b54f9a118f20e8866b41b33

SHA512
a5d05c45074b6eab85aa8af6033490099c1aadc56c0d692947409a171b1897765770c1d8ff29265e4cddc1a692b86c1c5b289bd6842c4d5b81940670a3e012ad

Download Submit
C:\Windows\cmsetac.dll

Filesize
33KB

MD5
69a252e3946a333352ab6046371cebe5

SHA1
86a6f32f4c9d1ba5c4cc0625343dfbe2f16d0093

SHA256
c5fb30ffab029e3b499cf5d1548ab3aeaffad4017d7932c4c3e418d99c67bd4b

SHA512
a1c459002a394eaab502f57f55761878fe72e58214aa0c912c0c8afe64cfbca7d78df6abe2335ce467f68e2b364cec289abe77bdbfc8c96ff4837a72e4a60cd6

Download Submit
C:\Windows\ntdtcstp.dll

Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
memory/1160-24-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1160-20-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1160-11-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1392-40-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1392-59-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1392-80-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1392-77-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1392-74-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1392-71-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1392-68-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1392-65-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1392-35-0x00000000030E0000-0x00000000030EE000-memory.dmp

Filesize
56KB

Download
memory/1392-62-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1392-56-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1392-42-0x00000000030E0000-0x00000000030EE000-memory.dmp

Filesize
56KB

Download
memory/1392-41-0x0000000000970000-0x0000000000978000-memory.dmp

Filesize
32KB

Download
memory/1392-43-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1392-44-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1392-47-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1392-50-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1392-53-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4276-0-0x00007FFCA3B65000-0x00007FFCA3B66000-memory.dmp

Filesize
4KB

Download
memory/4276-5-0x000000001B1B0000-0x000000001B1B8000-memory.dmp

Filesize
32KB

Download
memory/4276-39-0x00007FFCA38B0000-0x00007FFCA4251000-memory.dmp

Filesize
9.6MB

Download
memory/4276-1-0x000000001B100000-0x000000001B1A6000-memory.dmp

Filesize
664KB

Download
memory/4276-2-0x00007FFCA38B0000-0x00007FFCA4251000-memory.dmp

Filesize
9.6MB

Download
memory/4276-3-0x000000001B780000-0x000000001BC4E000-memory.dmp

Filesize
4.8MB

Download
memory/4276-4-0x000000001BCF0000-0x000000001BD8C000-memory.dmp

Filesize
624KB

Download
memory/4276-6-0x00007FFCA38B0000-0x00007FFCA4251000-memory.dmp

Filesize
9.6MB

Download
memory/4276-7-0x000000001BE20000-0x000000001BE6C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads