modiloader | 44456e1849cfa44b87c8370c48a1f74d697448d6b95a47756553f1fab192766f

General

Target

f25207789f34470c9795aaf72baede45_JaffaCakes118.exe
Size

160KB
MD5

f25207789f34470c9795aaf72baede45
SHA1

8e9f0cfa32bd163a16002d72d81dfb8be62d0bc6
SHA256

44456e1849cfa44b87c8370c48a1f74d697448d6b95a47756553f1fab192766f
SHA512

3a8facff2da353a4185fc7fb30e0709f91af3d6fc06235ddbded94ec9fc5cb004075efa46edea4768db080643ce6d60bceea2e074281cda33221ef7f5985f181
SSDEEP

3072:+fJTydd6+BxWLUeunVTAz9jZkUWP5VxNL2lWO3hew7D9dDz:uydd8QVTMdZkUWxJL+d7Drz

Score

10^/10

modiloader discovery evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 16 IoCs

resource	yara_rule
behavioral1/memory/2728-29-0x0000000000400000-0x0000000000448000-memory.dmp	modiloader_stage2
behavioral1/memory/2504-36-0x0000000000400000-0x0000000000448000-memory.dmp	modiloader_stage2
behavioral1/memory/2504-34-0x0000000000400000-0x0000000000448000-memory.dmp	modiloader_stage2
behavioral1/memory/2504-37-0x0000000000400000-0x0000000000448000-memory.dmp	modiloader_stage2
behavioral1/memory/2504-39-0x0000000000400000-0x0000000000448000-memory.dmp	modiloader_stage2
behavioral1/memory/2504-41-0x0000000000400000-0x0000000000448000-memory.dmp	modiloader_stage2
behavioral1/memory/2504-43-0x0000000000400000-0x0000000000448000-memory.dmp	modiloader_stage2
behavioral1/memory/2504-45-0x0000000000400000-0x0000000000448000-memory.dmp	modiloader_stage2
behavioral1/memory/2504-47-0x0000000000400000-0x0000000000448000-memory.dmp	modiloader_stage2
behavioral1/memory/2504-49-0x0000000000400000-0x0000000000448000-memory.dmp	modiloader_stage2
behavioral1/memory/2504-51-0x0000000000400000-0x0000000000448000-memory.dmp	modiloader_stage2
behavioral1/memory/2504-53-0x0000000000400000-0x0000000000448000-memory.dmp	modiloader_stage2
behavioral1/memory/2504-55-0x0000000000400000-0x0000000000448000-memory.dmp	modiloader_stage2
behavioral1/memory/2504-57-0x0000000000400000-0x0000000000448000-memory.dmp	modiloader_stage2
behavioral1/memory/2504-59-0x0000000000400000-0x0000000000448000-memory.dmp	modiloader_stage2
behavioral1/memory/2504-61-0x0000000000400000-0x0000000000448000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

pid	Process
2836	Exploit Chams.exe
2728	server.exe
2504	mstwain32.exe

Loads dropped DLL 1 IoCs

pid	Process
2728	server.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000173f3-14.dat	upx
behavioral1/memory/2728-16-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2728-29-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2504-36-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2504-34-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2504-37-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2504-39-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2504-41-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2504-43-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2504-45-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2504-47-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2504-49-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2504-51-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2504-53-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2504-55-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2504-57-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2504-59-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2504-61-0x0000000000400000-0x0000000000448000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	server.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\mstwain32.exe	server.exe
File opened for modification	C:\Windows\mstwain32.exe	server.exe
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	server.exe
Token: SeDebugPrivilege	2504	mstwain32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2504	mstwain32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2836	2152	f25207789f34470c9795aaf72baede45_JaffaCakes118.exe	30
PID 2152 wrote to memory of 2836	2152	f25207789f34470c9795aaf72baede45_JaffaCakes118.exe	30
PID 2152 wrote to memory of 2836	2152	f25207789f34470c9795aaf72baede45_JaffaCakes118.exe	30
PID 2152 wrote to memory of 2728	2152	f25207789f34470c9795aaf72baede45_JaffaCakes118.exe	31
PID 2152 wrote to memory of 2728	2152	f25207789f34470c9795aaf72baede45_JaffaCakes118.exe	31
PID 2152 wrote to memory of 2728	2152	f25207789f34470c9795aaf72baede45_JaffaCakes118.exe	31
PID 2152 wrote to memory of 2728	2152	f25207789f34470c9795aaf72baede45_JaffaCakes118.exe	31
PID 2728 wrote to memory of 2504	2728	server.exe	32
PID 2728 wrote to memory of 2504	2728	server.exe	32
PID 2728 wrote to memory of 2504	2728	server.exe	32
PID 2728 wrote to memory of 2504	2728	server.exe	32

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

C:\Users\Admin\AppData\Local\Temp\f25207789f34470c9795aaf72baede45_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f25207789f34470c9795aaf72baede45_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\Exploit Chams.exe
  "C:\Users\Admin\AppData\Local\Temp\Exploit Chams.exe"
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\mstwain32.exe
    "C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Exploit Chams.exe

Filesize
40KB

MD5
4905e2edc9b05899ffdde135aa84f223

SHA1
508b7e595c9181b04e3f111ed9fa0128f7951b71

SHA256
dd3cc350a9623069263a64afb3454f4e05d80d909a37ec610bd36111ebf21662

SHA512
d7dac5c35a7b96cff7643ecdfe942a92f1ada9151f3b9e3c4eaf8a7b52c62609bd4eb052428f68096c9ce59db6c61c2372c731044d6c7a3b5b3e70dfe5fa041b

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
102KB

MD5
d024967ee0f8a8cb24dc4f9ae4dcc6e6

SHA1
a328ec251a00ff6ab52113bc7898ecadc760033e

SHA256
6ed9fa8fa1c8c12e6b0cf22818f3a7ae5657ecc30e427c4492cb67df4dee8e68

SHA512
685a533004ee411112819b2fdbf8f10e8d30cb9dd76e2ccf0a29961f3702d83caaadba372a31f937745d273f05bfac3edbe25d50314787b062855563bd655454

Download Submit
memory/2152-22-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2152-1-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2152-2-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2152-5-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2152-0-0x000007FEF599E000-0x000007FEF599F000-memory.dmp

Filesize
4KB

Download
memory/2504-49-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2504-43-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2504-61-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2504-59-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2504-57-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2504-36-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2504-35-0x0000000000300000-0x0000000000308000-memory.dmp

Filesize
32KB

Download
memory/2504-34-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2504-37-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2504-39-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2504-41-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2504-55-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2504-45-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2504-47-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2504-53-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2504-51-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2728-16-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2728-29-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2836-23-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2836-33-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2836-17-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads