modiloader | 47650245af5e31038b0c7ac5038b17a3bff8acb2b37929258ead84f55354b139

General

Target

ef47dc8ed4588f80c676fa26a0e437d6_JaffaCakes118.exe
Size

494KB
MD5

ef47dc8ed4588f80c676fa26a0e437d6
SHA1

945c118677be48838afb958de5e06e5953ec4a7e
SHA256

47650245af5e31038b0c7ac5038b17a3bff8acb2b37929258ead84f55354b139
SHA512

cf8045c7e7e2cfb311ac563a97da20aee854d39feb4ed3f68c0a51a38dfd24b7381b1a178739fdfe2be91bdc6398ffa9e8c4058c1a7369cd48196f51f96088ec
SSDEEP

6144:Y6T60qmwaw40TzxiUjER7tYfHE1RSMbzfDj2Rgyz/KrzUvbljpnyA4ybq1D4+TGL:3T6XWIVc1tYfk1YU/9+bnyYbGfTg

Score

10^/10

modiloader discovery evasion trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hccutils32.exe

ModiLoader Second Stage 16 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012256-3.dat	modiloader_stage2
behavioral1/memory/2360-11-0x0000000000400000-0x0000000000550000-memory.dmp	modiloader_stage2
behavioral1/memory/2360-24-0x0000000000400000-0x0000000000550000-memory.dmp	modiloader_stage2
behavioral1/memory/3000-32-0x0000000000400000-0x0000000000550000-memory.dmp	modiloader_stage2
behavioral1/memory/3000-36-0x0000000000400000-0x0000000000550000-memory.dmp	modiloader_stage2
behavioral1/memory/3000-39-0x0000000000400000-0x0000000000550000-memory.dmp	modiloader_stage2
behavioral1/memory/3000-43-0x0000000000400000-0x0000000000550000-memory.dmp	modiloader_stage2
behavioral1/memory/3000-47-0x0000000000400000-0x0000000000550000-memory.dmp	modiloader_stage2
behavioral1/memory/3000-51-0x0000000000400000-0x0000000000550000-memory.dmp	modiloader_stage2
behavioral1/memory/3000-55-0x0000000000400000-0x0000000000550000-memory.dmp	modiloader_stage2
behavioral1/memory/3000-58-0x0000000000400000-0x0000000000550000-memory.dmp	modiloader_stage2
behavioral1/memory/3000-62-0x0000000000400000-0x0000000000550000-memory.dmp	modiloader_stage2
behavioral1/memory/3000-66-0x0000000000400000-0x0000000000550000-memory.dmp	modiloader_stage2
behavioral1/memory/3000-69-0x0000000000400000-0x0000000000550000-memory.dmp	modiloader_stage2
behavioral1/memory/3000-72-0x0000000000400000-0x0000000000550000-memory.dmp	modiloader_stage2
behavioral1/memory/3000-76-0x0000000000400000-0x0000000000550000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2360	akin.exe
3000	hccutils32.exe

Loads dropped DLL 3 IoCs

pid	Process
2368	ef47dc8ed4588f80c676fa26a0e437d6_JaffaCakes118.exe
2368	ef47dc8ed4588f80c676fa26a0e437d6_JaffaCakes118.exe
2360	akin.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	akin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hccutils32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hccutils32.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\hccutils32.exe	akin.exe
File opened for modification	C:\Windows\hccutils32.exe	akin.exe
File created	C:\Windows\drvstore.dll	hccutils32.exe
File created	C:\Windows\bguiv32.dll	hccutils32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef47dc8ed4588f80c676fa26a0e437d6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	akin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hccutils32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	akin.exe
Token: SeBackupPrivilege	2848	vssvc.exe
Token: SeRestorePrivilege	2848	vssvc.exe
Token: SeAuditPrivilege	2848	vssvc.exe
Token: SeDebugPrivilege	3000	hccutils32.exe
Token: SeDebugPrivilege	3000	hccutils32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2360	akin.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3000	hccutils32.exe
3000	hccutils32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2360	2368	ef47dc8ed4588f80c676fa26a0e437d6_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2360	2368	ef47dc8ed4588f80c676fa26a0e437d6_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2360	2368	ef47dc8ed4588f80c676fa26a0e437d6_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2360	2368	ef47dc8ed4588f80c676fa26a0e437d6_JaffaCakes118.exe	29
PID 2360 wrote to memory of 3000	2360	akin.exe	33
PID 2360 wrote to memory of 3000	2360	akin.exe	33
PID 2360 wrote to memory of 3000	2360	akin.exe	33
PID 2360 wrote to memory of 3000	2360	akin.exe	33

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	hccutils32.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ef47dc8ed4588f80c676fa26a0e437d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef47dc8ed4588f80c676fa26a0e437d6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\akin.exe
  "C:\Users\Admin\AppData\Local\akin.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\hccutils32.exe
    "C:\Windows\hccutils32.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:3000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\hccutils32.lnk

Filesize
787B

MD5
a09101c15729ea8392c59b3635dea35c

SHA1
c57dff162770271b75066a64d33dddcc746719a4

SHA256
ab3dc4673edef1bf5f529b5d86eed206741936e9076d88b1015fc5994e1f1d87

SHA512
2b3f76d40f8d23f3a28456d326b55c30356922600e3208a06cb972edf036fa01cefea12ab8fdb6abdb543fb12844fba37090e8a0b5efdfede1aae1c72298c88d

Download Submit
\Users\Admin\AppData\Local\akin.exe

Filesize
1.3MB

MD5
1d4cd535bfb6f63430eca030b7d7a8c4

SHA1
4b51b492503843419e7e07c345187ff66c1d0245

SHA256
f3779cd0dda7696454a401faf4a7dcaae13405aa47c2801ba4d7718d80014199

SHA512
11ae8e96eb834558619b77cc0d979db8a061d19310838f705c98eb1614db20ee453f818989cbe7d1d26e472bf93ce751323c5fd97df8dd9a34ec76589cf30473

Download Submit
memory/2360-11-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2360-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2360-24-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2368-10-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3000-39-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/3000-51-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/3000-32-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/3000-36-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/3000-34-0x0000000002770000-0x000000000277E000-memory.dmp

Filesize
56KB

Download
memory/3000-43-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/3000-47-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/3000-33-0x00000000002B0000-0x00000000002B8000-memory.dmp

Filesize
32KB

Download
memory/3000-55-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/3000-58-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/3000-30-0x0000000002770000-0x000000000277E000-memory.dmp

Filesize
56KB

Download
memory/3000-62-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/3000-66-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/3000-69-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/3000-72-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/3000-76-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads