modiloader | c1f19661fe142568d5292d71b3d1a536cddeb767e67c7a208ec7b7d2b2783c90

General

Target

fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe
Size

213KB
MD5

fc21c75bba1c1e51c67075fc8d7c51d7
SHA1

6279b17f31ea2ea7944c464f59d2eb988293eb5b
SHA256

c1f19661fe142568d5292d71b3d1a536cddeb767e67c7a208ec7b7d2b2783c90
SHA512

c205035df8fb2d2f371cff94ce3af40751204892d582c57ef84bc6fedabd6daa1520eb379cb2b25af301c261052d6c6e5d49319622e1bce45ef302527224164d
SSDEEP

3072:dd2rUPFQYgI0eaqYanzxueMcXEKeYEODaoM06IaSTJUtej:nNP2uWfCVX9+Z06iTJIM

Score

10^/10

modiloader discovery evasion trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jeudi.exe

ModiLoader Second Stage 15 IoCs

resource	yara_rule
behavioral1/files/0x0006000000016d9c-29.dat	modiloader_stage2
behavioral1/memory/2712-36-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-40-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-41-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-42-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-43-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-45-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-46-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-47-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-48-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-49-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-50-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-51-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-52-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2712-53-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2828	jeudiC.exe
2712	jeudi.exe

Loads dropped DLL 6 IoCs

pid	Process
2720	fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe
2720	fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe
2720	fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe
2828	jeudiC.exe
2828	jeudiC.exe
2828	jeudiC.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jeudi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jeudi.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\aplib.dll	fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\aplib.dll	jeudiC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jeudiC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jeudi.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	jeudi.exe
Token: SeBackupPrivilege	1668	vssvc.exe
Token: SeRestorePrivilege	1668	vssvc.exe
Token: SeAuditPrivilege	1668	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2720	fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe
2828	jeudiC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2828	2720	fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2828	2720	fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2828	2720	fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2828	2720	fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe	30
PID 2828 wrote to memory of 2712	2828	jeudiC.exe	31
PID 2828 wrote to memory of 2712	2828	jeudiC.exe	31
PID 2828 wrote to memory of 2712	2828	jeudiC.exe	31
PID 2828 wrote to memory of 2712	2828	jeudiC.exe	31

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jeudi.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc21c75bba1c1e51c67075fc8d7c51d7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Local\Temp\jeudiC.exe
  "C:\Users\Admin\AppData\Local\Temp\jeudiC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\jeudi.exe
    "C:\Users\Admin\AppData\Local\Temp\jeudi.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\jeudi.exe

Filesize
270KB

MD5
ba91b9d7b59dbed24ba308e5c0c68dad

SHA1
4adf0f0d84a6cbcaf46930952bb2a2f2571f3322

SHA256
34735313fcec56540e75800b27440a5c63f49e90b4f03150c5c719d37e9676ca

SHA512
3dcb8244133a0c5c5d19cae48fc5cd55c97592e6fabcb37c3084b200b6718764b2da2efc88c21a61dea05088e08c0531fc3aa2876afd4d61f2e3719f9650d7e4

Download Submit
\Users\Admin\AppData\Local\Temp\jeudiC.exe

Filesize
190KB

MD5
3b7b2818888ac27d4a95aabb3b8ef59f

SHA1
b36390621524ca1e67a51d9cb60d2e406e6d2727

SHA256
c03fe7761168d02ab4c670817ab100b60a8e6c4d4051fac613e4a75cc4c9a2c2

SHA512
5a4b672a0e7d87c0f2d62199c878b10c705c0716de131fbaaa8cbcf6a7d033d9a0d1016b993b352910c800acfc4678614e2de3bd095b3d79b038e935ceebce5c

Download Submit
\Windows\SysWOW64\aplib.dll

Filesize
12KB

MD5
35d174edd3c0bcfa9a32dce19e1abeb9

SHA1
c22638e64f8a5f34809811a2c286ae2f115028f8

SHA256
34194aa58d0eb70b513ea6a876a4f35ba6cc2f19c4fb6d408dd05580dcc74b04

SHA512
f807df3655e6dd0cea2412ae82aa7b3babe3862fa9eee5d38673ee30b26a528b9618e1a25d3a58ef1ff14be36a666fabd32968b5f4dc481539d2372b526c1ead

Download Submit
memory/2712-43-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2712-46-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2712-40-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2712-41-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2712-42-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2712-36-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2712-45-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2712-39-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2712-47-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2712-48-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2712-49-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2712-50-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2712-51-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2712-52-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2712-53-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads