modiloader | 1373e580f8e5ba39a6e6bd6cfc8b4cf0bcbee90432c79474bb929218b066a1ca

General

Target

f090b258b28c26822dc52f7b20e76e35_JaffaCakes118.exe
Size

1.6MB
MD5

f090b258b28c26822dc52f7b20e76e35
SHA1

66d4ce01db64ddb2970b65ece9136ccab0fe4892
SHA256

1373e580f8e5ba39a6e6bd6cfc8b4cf0bcbee90432c79474bb929218b066a1ca
SHA512

3fed1fc255c44c6011110c6b2dc737a235697dbc49fdcbc8ac7e7f551149647f0a09b6e56dec6c95d0ca009752736c42e6cddc3844bfa0b7fe409e46a9705287
SSDEEP

24576:h1kNoQeFze7zFjyzQgj5eQkxRsmJi5DUyWDANQtt6e0mIKu:h17M7UjXkkmNcN+we0mIKu

Score

10^/10

modiloader discovery evasion persistence themida trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 16 IoCs

resource	yara_rule
behavioral1/files/0x000700000001211a-8.dat	modiloader_stage2
behavioral1/memory/2316-30-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/1248-37-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/1248-40-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/1248-43-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/1248-46-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/1248-49-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/1248-53-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/1248-56-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/1248-59-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/1248-62-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/1248-65-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/1248-68-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/1248-71-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/1248-74-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/1248-77-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2316	6469232.exe
1248	mstwain32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine	f090b258b28c26822dc52f7b20e76e35_JaffaCakes118.exe

Loads dropped DLL 3 IoCs

pid	Process
2280	f090b258b28c26822dc52f7b20e76e35_JaffaCakes118.exe
2280	f090b258b28c26822dc52f7b20e76e35_JaffaCakes118.exe
2316	6469232.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2280-0-0x0000000000400000-0x00000000004EA000-memory.dmp	themida
behavioral1/memory/2280-4-0x0000000000400000-0x00000000004EA000-memory.dmp	themida
behavioral1/memory/2280-6-0x0000000000400000-0x00000000004EA000-memory.dmp	themida
behavioral1/memory/2280-18-0x0000000000400000-0x00000000004EA000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6469232.exe"	f090b258b28c26822dc52f7b20e76e35_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6469232.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2280	f090b258b28c26822dc52f7b20e76e35_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\cmsetac.dll	mstwain32.exe
File created	C:\Windows\mstwain32.exe	6469232.exe
File opened for modification	C:\Windows\mstwain32.exe	6469232.exe
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f090b258b28c26822dc52f7b20e76e35_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6469232.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2280	f090b258b28c26822dc52f7b20e76e35_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	6469232.exe
Token: SeBackupPrivilege	2696	vssvc.exe
Token: SeRestorePrivilege	2696	vssvc.exe
Token: SeAuditPrivilege	2696	vssvc.exe
Token: SeDebugPrivilege	1248	mstwain32.exe
Token: SeDebugPrivilege	1248	mstwain32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2788	DllHost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2280	f090b258b28c26822dc52f7b20e76e35_JaffaCakes118.exe
1248	mstwain32.exe
1248	mstwain32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2316	2280	f090b258b28c26822dc52f7b20e76e35_JaffaCakes118.exe	30
PID 2280 wrote to memory of 2316	2280	f090b258b28c26822dc52f7b20e76e35_JaffaCakes118.exe	30
PID 2280 wrote to memory of 2316	2280	f090b258b28c26822dc52f7b20e76e35_JaffaCakes118.exe	30
PID 2280 wrote to memory of 2316	2280	f090b258b28c26822dc52f7b20e76e35_JaffaCakes118.exe	30
PID 2316 wrote to memory of 1248	2316	6469232.exe	35
PID 2316 wrote to memory of 1248	2316	6469232.exe	35
PID 2316 wrote to memory of 1248	2316	6469232.exe	35
PID 2316 wrote to memory of 1248	2316	6469232.exe	35

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f090b258b28c26822dc52f7b20e76e35_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f090b258b28c26822dc52f7b20e76e35_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\6469232.exe
  "C:\Users\Admin\AppData\Local\Temp\6469232.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\mstwain32.exe
    "C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\6469232.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1248

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1780469.jpg

Filesize
83KB

MD5
50dc379ce0f1d88cc764d1dc4aafc6ed

SHA1
b21d517dfeeafa2d105187d15e6ba95df08fbfe1

SHA256
a1cdd95cb96630285a1cc73e1896518320d79c4ce53803105b40256022ec8e2b

SHA512
c98e129b0bdcf6c0b087fd724d11bd17f22c8621ab6bf444a8f8ba6090dd16b0b63f5081fe70c48a2c1b54f7a329fc59e62f70cf1e4e5ebf566f4f629dafad77

Download Submit
\Users\Admin\AppData\Local\Temp\6469232.exe

Filesize
270KB

MD5
1df2d65b833d18d508bd0d8378339c2b

SHA1
5cf3a63c30c201b4a3bb1b406af68258a3812774

SHA256
1e9215a82e1687b7d98d851b0fbd94dd45b6d375fddfc474a941915788d818a8

SHA512
ed50436896b902a03916e176850d7a4cff96ca4f08810246af42a7873cfb506b97e87ee600d68acfcb9adc16011b8f862f152d4ca269d5f46abeabdc6cf4d914

Download Submit
memory/1248-59-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1248-35-0x00000000022F0000-0x00000000022FE000-memory.dmp

Filesize
56KB

Download
memory/1248-40-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1248-43-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1248-38-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/1248-74-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1248-71-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1248-68-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1248-65-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1248-53-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1248-37-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1248-39-0x00000000022F0000-0x00000000022FE000-memory.dmp

Filesize
56KB

Download
memory/1248-77-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1248-62-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1248-56-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1248-46-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1248-49-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2280-4-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2280-16-0x0000000005030000-0x0000000005032000-memory.dmp

Filesize
8KB

Download
memory/2280-0-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2280-6-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2280-1-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/2280-19-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/2280-18-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2316-30-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2788-17-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads