modiloader | 8082e718969af2293684439e3f84a10be82cfbd87f440fe9e6b9e9ea77e7ec08

General

Target

e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe
Size

617KB
MD5

e4c2640fbf0c15347e3de103b6ac415f
SHA1

066f2f7dbb3372109566e106b4dd3a3e68bb3d7c
SHA256

8082e718969af2293684439e3f84a10be82cfbd87f440fe9e6b9e9ea77e7ec08
SHA512

3999902f1bdc10d4a735e6857623e6f424cf3b6dc2d8f62ee27d1f5d1192b92b8aad325029a086b60df894e0bf633a14764634d0a88f7a6cf3e2c7846d826d93
SSDEEP

12288:9NYy0/pb2ZuA0kNVe3OJK1C8UJ7Bqc4AD9Y12WzX5FPMDv2disRfdi2:Qy0Rb2X0kNqOsw8WE75tY+disRY2

Score

10^/10

modiloader discovery evasion trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mspc32.exe

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral2/memory/3672-45-0x0000000000400000-0x0000000000453000-memory.dmp	modiloader_stage2
behavioral2/memory/3104-81-0x0000000000400000-0x0000000000453000-memory.dmp	modiloader_stage2
behavioral2/memory/3104-78-0x0000000000400000-0x0000000000453000-memory.dmp	modiloader_stage2
behavioral2/memory/3104-101-0x0000000000400000-0x0000000000453000-memory.dmp	modiloader_stage2
behavioral2/memory/3104-122-0x0000000000400000-0x0000000000453000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	TempServices.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	fade7at-ameera-s3odeya-part2,3,4---------.exe

Executes dropped EXE 3 IoCs

pid	Process
4120	fade7at-ameera-s3odeya-part2,3,4---------.exe
3672	TempServices.exe
3104	mspc32.exe

Loads dropped DLL 4 IoCs

pid	Process
3104	mspc32.exe
3104	mspc32.exe
3104	mspc32.exe
3104	mspc32.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234df-24.dat	upx
behavioral2/memory/3672-27-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3672-45-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3104-81-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3104-78-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3104-101-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3104-122-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TempServices.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspc32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mspc32.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mspc32.exe	TempServices.exe
File created	C:\Windows\olecstp.dll	mspc32.exe
File created	C:\Windows\oletac.dll	mspc32.exe
File created	C:\Windows\mspc32.exe	TempServices.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fade7at-ameera-s3odeya-part2,3,4---------.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3208	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3208	vlc.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3672	TempServices.exe
Token: SeBackupPrivilege	896	vssvc.exe
Token: SeRestorePrivilege	896	vssvc.exe
Token: SeAuditPrivilege	896	vssvc.exe
Token: 33	1392	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1392	AUDIODG.EXE
Token: 33	3208	vlc.exe
Token: SeIncBasePriorityPrivilege	3208	vlc.exe
Token: SeDebugPrivilege	3104	mspc32.exe
Token: SeDebugPrivilege	3104	mspc32.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
3208	vlc.exe
3208	vlc.exe
3208	vlc.exe
3208	vlc.exe
3208	vlc.exe
3208	vlc.exe
3208	vlc.exe
3208	vlc.exe
3208	vlc.exe
3208	vlc.exe
3208	vlc.exe
3208	vlc.exe
3208	vlc.exe
3208	vlc.exe
3208	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
3208	vlc.exe
3208	vlc.exe
3208	vlc.exe
3208	vlc.exe
3208	vlc.exe
3208	vlc.exe
3208	vlc.exe
3208	vlc.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4120	fade7at-ameera-s3odeya-part2,3,4---------.exe
3208	vlc.exe
3208	vlc.exe
3104	mspc32.exe
3104	mspc32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 4120	2484	e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe	82
PID 2484 wrote to memory of 4120	2484	e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe	82
PID 2484 wrote to memory of 4120	2484	e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe	82
PID 2484 wrote to memory of 3208	2484	e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe	83
PID 2484 wrote to memory of 3208	2484	e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe	83
PID 4120 wrote to memory of 3672	4120	fade7at-ameera-s3odeya-part2,3,4---------.exe	84
PID 4120 wrote to memory of 3672	4120	fade7at-ameera-s3odeya-part2,3,4---------.exe	84
PID 4120 wrote to memory of 3672	4120	fade7at-ameera-s3odeya-part2,3,4---------.exe	84
PID 3672 wrote to memory of 3104	3672	TempServices.exe	89
PID 3672 wrote to memory of 3104	3672	TempServices.exe	89
PID 3672 wrote to memory of 3104	3672	TempServices.exe	89

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mspc32.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\fade7at-ameera-s3odeya-part2,3,4---------.exe
  "C:\Users\Admin\AppData\Local\Temp\fade7at-ameera-s3odeya-part2,3,4---------.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Users\Admin\AppData\Local\TempServices.exe
    "C:\Users\Admin\AppData\Local\TempServices.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3672
  - - C:\Windows\mspc32.exe
      "C:\Windows\mspc32.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:3104
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\01.3gp"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c0 0x31c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempServices.exe

Filesize
113KB

MD5
561d40c832e2e51b9af464226cbe0ea9

SHA1
5e2323b64959d3815433e3e51a7dd980f323ef5f

SHA256
e1895ea0f152aaedb08d0e3f9e0420f03f1bd538885b3556588bdb95b66350ce

SHA512
7f0285f1920c41d3c0a4196376d95aecfba3a16fb366d1751102ab69e7bcc0d9101c9e5236e1347df842c3f88dce21d47d67364b73422e65cb9969b2a56db8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\01.3gp

Filesize
466KB

MD5
7fa0a29cfcfdd13a389b874471e4d128

SHA1
0deddd8943e8a96171596475b39d1b3c86221a79

SHA256
20321a96150af0b155067a731b3ea8ab6c92ce2c3c5c72e2c7a24a29efb1d982

SHA512
b4558c44d07c38246ebb4c72b9a32d1a530fd830252207f85c16eae90630063e8a295e54edc715d049da23dfc7e321ffbdee11dec3346a2ef604add27f9b1f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\fade7at-ameera-s3odeya-part2,3,4---------.exe

Filesize
133KB

MD5
6e46272917c572ad07a72d5f5950b739

SHA1
e88d6d6d28705e3212c8949df0e1f96699de2d2a

SHA256
44ce4cd49c1cae00bcd63101e6e1303c24f6b3727bb9b69ac48940e5af50e564

SHA512
f4a74a8c74c81d251101aaaa73da22be12d43015c2856eac9ba7c263465d893a1b9c98e362e36fd3f23fb85a8bd6dcd9e1357cd8397f6dc3ddf9c38986d9666d

Download Submit
C:\Windows\olecstp.dll

Filesize
7KB

MD5
f4029178f7c5ac4ccb5659457410298e

SHA1
65043a0067e8109879e18844165faa5a61efb71b

SHA256
9968ff29a376f012b4d6818b88a654a7129e2128631701b10661de89dcf5858e

SHA512
073ef503fd4d0a366fbd9bee028cc953f349779514336ff52dfaae58695e8f9f85bd70144d88a89caa7e4536d8301c64ab187473a163b3aa3a74d45500232d3c

Download Submit
C:\Windows\oletac.dll

Filesize
32KB

MD5
155196d398fe2d7b1c7b2ba2af0bb15d

SHA1
9f4c13743e0bc1d0924d54fdcd6a8ca8d6875488

SHA256
f648c7f198c27bda6d5899465571016a74e9ba25045888f113f8e3569a431d53

SHA512
4c4c19dac3aba52dfa9a22edf76469eaf0cffec4ce477b5adef2de9d31479669aa274bea1e8bc87cbf598df6c6bc41c267b3c60252b8e1caa11443f27944bcb7

Download Submit
memory/2484-18-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/3104-122-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3104-101-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3104-57-0x00000000036F0000-0x00000000036FE000-memory.dmp

Filesize
56KB

Download
memory/3104-78-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3104-79-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/3104-80-0x00000000036F0000-0x00000000036FE000-memory.dmp

Filesize
56KB

Download
memory/3104-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3208-66-0x00007FFF20D30000-0x00007FFF20D47000-memory.dmp

Filesize
92KB

Download
memory/3208-73-0x00007FFF209B0000-0x00007FFF209D1000-memory.dmp

Filesize
132KB

Download
memory/3208-67-0x00007FFF20A20000-0x00007FFF20A31000-memory.dmp

Filesize
68KB

Download
memory/3208-70-0x00007FFF116A0000-0x00007FFF118AB000-memory.dmp

Filesize
2.0MB

Download
memory/3208-65-0x00007FFF22F30000-0x00007FFF22F41000-memory.dmp

Filesize
68KB

Download
memory/3208-64-0x00007FFF26280000-0x00007FFF26297000-memory.dmp

Filesize
92KB

Download
memory/3208-63-0x00007FFF27E30000-0x00007FFF27E48000-memory.dmp

Filesize
96KB

Download
memory/3208-77-0x00007FFF20730000-0x00007FFF20741000-memory.dmp

Filesize
68KB

Download
memory/3208-76-0x00007FFF20870000-0x00007FFF20881000-memory.dmp

Filesize
68KB

Download
memory/3208-75-0x00007FFF20890000-0x00007FFF208A1000-memory.dmp

Filesize
68KB

Download
memory/3208-74-0x00007FFF208B0000-0x00007FFF208C8000-memory.dmp

Filesize
96KB

Download
memory/3208-68-0x00007FFF20A00000-0x00007FFF20A1D000-memory.dmp

Filesize
116KB

Download
memory/3208-72-0x00007FFF208D0000-0x00007FFF20911000-memory.dmp

Filesize
260KB

Download
memory/3208-71-0x00007FFF105F0000-0x00007FFF116A0000-memory.dmp

Filesize
16.7MB

Download
memory/3208-62-0x00007FFF20190000-0x00007FFF20446000-memory.dmp

Filesize
2.7MB

Download
memory/3208-69-0x00007FFF209E0000-0x00007FFF209F1000-memory.dmp

Filesize
68KB

Download
memory/3208-60-0x00007FF75BD30000-0x00007FF75BE28000-memory.dmp

Filesize
992KB

Download
memory/3208-61-0x00007FFF20BF0000-0x00007FFF20C24000-memory.dmp

Filesize
208KB

Download
memory/3208-93-0x00007FFF105F0000-0x00007FFF116A0000-memory.dmp

Filesize
16.7MB

Download
memory/3672-45-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3672-27-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads