modiloader | 1a3fdab24213f1bc2371bfea9c5888f20508963f91e1190d0e53eda5b3556901

General

Target

10726b13d6d7ab3a1130071bcaef0bdf_JaffaCakes118.exe
Size

412KB
MD5

10726b13d6d7ab3a1130071bcaef0bdf
SHA1

7725efe7a6c4a6bf7ba4a30fa756a659df6d39c8
SHA256

1a3fdab24213f1bc2371bfea9c5888f20508963f91e1190d0e53eda5b3556901
SHA512

4ecc6478680a5f8f6ffaae2f458d64937dbe2de5bd434ebfbf526446fc262562a076a34c01a7212b0ab64c44453ca2572608921171fbee02c90142fbe32515cc
SSDEEP

6144:ElZ/zUMu4pDSxsCMRzf7x3SfS1JAzXBtL76lLIJfNXi08038L2k95XAuFgIeYAjb:EHLUMuiv9RgfSjAzRtyKA0ZIeYAH

Score

10^/10

modiloader discovery evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Decrypted.eXe

ModiLoader Second Stage 15 IoCs

resource	yara_rule
behavioral1/memory/2972-39-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-41-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-45-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-48-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-51-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-54-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-57-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-60-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-63-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-66-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-69-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-72-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-75-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-78-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/2972-81-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2764	ter.exe
2972	Decrypted.eXe

Loads dropped DLL 6 IoCs

pid	Process
1552	10726b13d6d7ab3a1130071bcaef0bdf_JaffaCakes118.exe
1552	10726b13d6d7ab3a1130071bcaef0bdf_JaffaCakes118.exe
2764	ter.exe
2764	ter.exe
2972	Decrypted.eXe
2972	Decrypted.eXe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Decrypted.eXe"	Decrypted.eXe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Decrypted.eXe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Decrypted.eXe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1552-14-0x0000000000400000-0x00000000004B8000-memory.dmp	autoit_exe
behavioral1/memory/2972-40-0x0000000076960000-0x0000000076A50000-memory.dmp	autoit_exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1552-0-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/1552-14-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2764-22-0x0000000003130000-0x000000000317F000-memory.dmp	upx
behavioral1/files/0x0008000000012116-20.dat	upx
behavioral1/memory/2972-28-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2972-39-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2972-40-0x0000000076960000-0x0000000076A50000-memory.dmp	upx
behavioral1/memory/2972-41-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2972-45-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2972-48-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2972-51-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2972-54-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2972-57-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2972-60-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2972-63-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2972-66-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2972-69-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2972-72-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2972-75-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2972-78-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2972-81-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10726b13d6d7ab3a1130071bcaef0bdf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Decrypted.eXe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	Decrypted.eXe
Token: SeDebugPrivilege	2972	Decrypted.eXe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2764	ter.exe
2972	Decrypted.eXe
2972	Decrypted.eXe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 2764	1552	10726b13d6d7ab3a1130071bcaef0bdf_JaffaCakes118.exe	30
PID 1552 wrote to memory of 2764	1552	10726b13d6d7ab3a1130071bcaef0bdf_JaffaCakes118.exe	30
PID 1552 wrote to memory of 2764	1552	10726b13d6d7ab3a1130071bcaef0bdf_JaffaCakes118.exe	30
PID 1552 wrote to memory of 2764	1552	10726b13d6d7ab3a1130071bcaef0bdf_JaffaCakes118.exe	30
PID 2764 wrote to memory of 2972	2764	ter.exe	31
PID 2764 wrote to memory of 2972	2764	ter.exe	31
PID 2764 wrote to memory of 2972	2764	ter.exe	31
PID 2764 wrote to memory of 2972	2764	ter.exe	31

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Decrypted.eXe

C:\Users\Admin\AppData\Local\Temp\10726b13d6d7ab3a1130071bcaef0bdf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10726b13d6d7ab3a1130071bcaef0bdf_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\ter.exe
  C:\Users\Admin\AppData\Local\Temp/ter.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\Decrypted.eXe
    "C:\Users\Admin\AppData\Local\Temp\Decrypted.eXe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Decrypted.eXe

Filesize
110KB

MD5
4a550cc7d0d51f73ece80e558bd20b57

SHA1
9439a539d09cf9f90ec557e478ad4f9ff7e5744f

SHA256
b099eb1e3df40f4fd172d84313df944d52e03975a5b745b36428f422fd7b3b9d

SHA512
de91e66ecdcaddcf1d6f5948f58b7fad35c209fb4e4734f832fe35cd5e08346e373de4932db89b63ea94f8a6e80f37d948675d3a4805bec1d2bc92b72b3ffca6

Download Submit
\Users\Admin\AppData\Local\Temp\cmsetac.dll

Filesize
32KB

MD5
436fb2e564bb0a6f438713231735e0bb

SHA1
a74282e0dab85c9dd58f744b3e3973d464225375

SHA256
9a0a11d58ca7d3897db2db298d6d18f89bdb145a612f36c06c9e3335dc601909

SHA512
0d17e54c2ecbd47baef94262f8fce79a9bf5c28ac4040f0d865cf55349b5d7c1d24914161733f65ae0483001e60686a780bdc87446a4e5d1ef751c9de2f7774b

Download Submit
\Users\Admin\AppData\Local\Temp\ntdtcstp.dll

Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
\Users\Admin\AppData\Local\Temp\ter.exe

Filesize
130KB

MD5
74d9f35d53167151beaf561c92d3d066

SHA1
2547f4e19d74bac4aa24f0682c038b6f3e76ddae

SHA256
22e18b52f784da9250f51ad401e9f2db1e3d8eb0702dff88bde106177cb986e1

SHA512
7c623dd63f0425a939047d4f9593cbd64b55ec8f59a6b6c509d10370ebdf851a568ae92d7b22596e55f757976a4643ba511ac061d9053d157bce2a2929655ff0

Download Submit
memory/1552-14-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1552-0-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2764-22-0x0000000003130000-0x000000000317F000-memory.dmp

Filesize
316KB

Download
memory/2972-41-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2972-45-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2972-33-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2972-38-0x0000000076960000-0x0000000076A50000-memory.dmp

Filesize
960KB

Download
memory/2972-37-0x0000000076970000-0x0000000076971000-memory.dmp

Filesize
4KB

Download
memory/2972-39-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2972-40-0x0000000076960000-0x0000000076A50000-memory.dmp

Filesize
960KB

Download
memory/2972-28-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2972-42-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download
memory/2972-43-0x0000000000560000-0x000000000056E000-memory.dmp

Filesize
56KB

Download
memory/2972-44-0x0000000076960000-0x0000000076A50000-memory.dmp

Filesize
960KB

Download
memory/2972-35-0x0000000000560000-0x000000000056E000-memory.dmp

Filesize
56KB

Download
memory/2972-48-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2972-51-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2972-54-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2972-57-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2972-60-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2972-63-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2972-66-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2972-69-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2972-72-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2972-75-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2972-78-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2972-81-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads