modiloader | e2ea44103a510f3381b573b2082c029ca0e51411bf380c3fe02376c5114496e9

General

Target

89d8eb69709a093a463be1b96a13c34c_JaffaCakes118.exe
Size

521KB
MD5

89d8eb69709a093a463be1b96a13c34c
SHA1

0050623de9db92310232d016b7faf3ac4723682f
SHA256

e2ea44103a510f3381b573b2082c029ca0e51411bf380c3fe02376c5114496e9
SHA512

0a2c877c17ab9ef661cb3b5250bcc6a8daab0b4cc07ecf8b50acdac45aeda65dd7cc51453595b04181a7a29766b0f4b909a5adfa2918eb6907fb960ca636d670
SSDEEP

12288:hNVmFGuqxGXElwkcR9himlNXDlvq28mnkRaoUa1jlojcnaz9y:hfuGGXEWkG5xvaR/Ua1Wjc

Score

10^/10

modiloader discovery evasion trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/832-23-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2
behavioral1/memory/832-26-0x0000000000400000-0x0000000000451000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2324	tmp.exe
832	tmp.exe

Loads dropped DLL 3 IoCs

pid	Process
2100	89d8eb69709a093a463be1b96a13c34c_JaffaCakes118.exe
2100	89d8eb69709a093a463be1b96a13c34c_JaffaCakes118.exe
2324	tmp.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tmp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2324 set thread context of 832	2324	tmp.exe	32

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/832-17-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/832-21-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/832-22-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/832-23-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/832-26-0x0000000000400000-0x0000000000451000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mstwain32.exe	tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89d8eb69709a093a463be1b96a13c34c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	832	tmp.exe
Token: SeBackupPrivilege	2812	vssvc.exe
Token: SeRestorePrivilege	2812	vssvc.exe
Token: SeAuditPrivilege	2812	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
832	tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2100	89d8eb69709a093a463be1b96a13c34c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2324	2100	89d8eb69709a093a463be1b96a13c34c_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2324	2100	89d8eb69709a093a463be1b96a13c34c_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2324	2100	89d8eb69709a093a463be1b96a13c34c_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2324	2100	89d8eb69709a093a463be1b96a13c34c_JaffaCakes118.exe	31
PID 2324 wrote to memory of 832	2324	tmp.exe	32
PID 2324 wrote to memory of 832	2324	tmp.exe	32
PID 2324 wrote to memory of 832	2324	tmp.exe	32
PID 2324 wrote to memory of 832	2324	tmp.exe	32
PID 2324 wrote to memory of 832	2324	tmp.exe	32
PID 2324 wrote to memory of 832	2324	tmp.exe	32

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\89d8eb69709a093a463be1b96a13c34c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\89d8eb69709a093a463be1b96a13c34c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  C:\Users\Admin\AppData\Local\Temp\tmp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\tmp.exe
    C:\Users\Admin\AppData\Local\Temp\tmp.exe
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
509KB

MD5
41b66b1a8d604ea0fb82c870475d94de

SHA1
cf0b8db17c1c4b5d522bdb57d4b01a33ea0960ee

SHA256
8d977cd8dadb8c034768145ada24d3d99ff0b0cc8d72d54e048c4a63034e1f7b

SHA512
18b834daad401c94a2edae77c0b02ce4326f160ec0b434ad7ce1475d85dbda1b9ee44036160cdcd3de28923b0e0d678ced589dc80c4bd5f7c3398dd64d19b5ff

Download Submit
memory/832-17-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/832-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/832-13-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/832-21-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/832-22-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/832-23-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/832-24-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/832-25-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/832-26-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2324-10-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2324-19-0x0000000010000000-0x000000001008A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing