modiloader | 4149665b6053924d100a8bb0fd92e4cb357188a7b58562aee3aeb178abe49fb2

General

Target

f2f626c7a93785910871a794901bd7df_JaffaCakes118.exe
Size

1.7MB
MD5

f2f626c7a93785910871a794901bd7df
SHA1

da260335fd9c58162e698d1e6405132f273a0d7d
SHA256

4149665b6053924d100a8bb0fd92e4cb357188a7b58562aee3aeb178abe49fb2
SHA512

e8f688b0f2608e691562e0fd8709e83766851eb183c36ec5fe92195f800f79b891e4c5b117f59cc51e2e3d31f88b9d6f4f2c7c69d3f4edd2890d9998d6b656ab
SSDEEP

24576:oIldVy7gnkoKp4RmwqhiC2gvfHdlgzjq+ZYIHkoGekv7FdbZwgtDtCpA1K+eW+:hVedp4EyC2gn94qCk97xXDtDK++

Score

10^/10

modiloader discovery evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 16 IoCs

resource	yara_rule
behavioral1/memory/2796-35-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2052-42-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2052-43-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2052-46-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2052-49-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2052-52-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2052-55-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2052-59-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2052-62-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2052-65-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2052-68-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2052-71-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2052-74-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2052-77-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2052-80-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2052-83-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2796	colt-1.exe
2052	mstwain32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	f2f626c7a93785910871a794901bd7df_JaffaCakes118.exe

Loads dropped DLL 3 IoCs

pid	Process
2828	f2f626c7a93785910871a794901bd7df_JaffaCakes118.exe
2828	f2f626c7a93785910871a794901bd7df_JaffaCakes118.exe
2796	colt-1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	colt-1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000e0000000162b2-10.dat	upx
behavioral1/memory/2828-12-0x0000000005BC0000-0x0000000005C10000-memory.dmp	upx
behavioral1/memory/2052-36-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2796-35-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2052-42-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2052-43-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2052-46-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2052-49-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2052-52-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2052-55-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2052-59-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2052-62-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2052-65-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2052-68-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2052-71-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2052-74-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2052-77-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2052-80-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2052-83-0x0000000000400000-0x0000000000450000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mstwain32.exe	colt-1.exe
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe
File created	C:\Windows\cmsetac.dll	mstwain32.exe
File created	C:\Windows\mstwain32.exe	colt-1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2f626c7a93785910871a794901bd7df_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	colt-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	colt-1.exe
Token: SeBackupPrivilege	2584	vssvc.exe
Token: SeRestorePrivilege	2584	vssvc.exe
Token: SeAuditPrivilege	2584	vssvc.exe
Token: SeDebugPrivilege	2052	mstwain32.exe
Token: SeDebugPrivilege	2052	mstwain32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2828	f2f626c7a93785910871a794901bd7df_JaffaCakes118.exe
2052	mstwain32.exe
2052	mstwain32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2796	2828	f2f626c7a93785910871a794901bd7df_JaffaCakes118.exe	31
PID 2828 wrote to memory of 2796	2828	f2f626c7a93785910871a794901bd7df_JaffaCakes118.exe	31
PID 2828 wrote to memory of 2796	2828	f2f626c7a93785910871a794901bd7df_JaffaCakes118.exe	31
PID 2828 wrote to memory of 2796	2828	f2f626c7a93785910871a794901bd7df_JaffaCakes118.exe	31
PID 2796 wrote to memory of 2052	2796	colt-1.exe	35
PID 2796 wrote to memory of 2052	2796	colt-1.exe	35
PID 2796 wrote to memory of 2052	2796	colt-1.exe	35
PID 2796 wrote to memory of 2052	2796	colt-1.exe	35

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f2f626c7a93785910871a794901bd7df_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2f626c7a93785910871a794901bd7df_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\colt-1.exe
  "C:\Users\Admin\AppData\Local\Temp\colt-1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\mstwain32.exe
    "C:\Windows\mstwain32.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\colt-1.exe

Filesize
111KB

MD5
b50b20caaf6c69db65d5cefd2ed8f3a7

SHA1
708360ff04c4d3e44cbc726da000fa6bd3eef98a

SHA256
4db93fd13b79c22255362adacc8f96d7601283d3da5be3d226ff2034da959948

SHA512
40f082f1618a036f1ba98e6e8dd735077ef7f1d8ae95729e0b29c6b1b5eed7d31ea99958830fc0bb1aad88eabeb3c06ff9360809c9f90170955432c5e06d9972

Download Submit
memory/2052-59-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2052-36-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2052-44-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/2052-83-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2052-45-0x0000000001E30000-0x0000000001E3E000-memory.dmp

Filesize
56KB

Download
memory/2052-80-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2052-77-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2052-74-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2052-71-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2052-55-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2052-68-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2052-46-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2052-42-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2052-43-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2052-65-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2052-62-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2052-40-0x0000000001E30000-0x0000000001E3E000-memory.dmp

Filesize
56KB

Download
memory/2052-49-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2052-52-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2796-28-0x0000000001DC0000-0x0000000001DD0000-memory.dmp

Filesize
64KB

Download
memory/2796-35-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2828-0-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2828-8-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2828-3-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2828-1-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2828-22-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2828-12-0x0000000005BC0000-0x0000000005C10000-memory.dmp

Filesize
320KB

Download
memory/2828-2-0x0000000001DC0000-0x0000000001F33000-memory.dmp

Filesize
1.4MB

Download
memory/2828-7-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads