modiloader | 024e0e516b1113bfccdb6716c19cba1ffb87a14410c44eef6f5b66fd42124a71

General

Target

8bfb2bb98a1688892398e83c001047a0_JaffaCakes118.exe
Size

642KB
MD5

8bfb2bb98a1688892398e83c001047a0
SHA1

2d6439dabfaa1d66731a1839c931f2964c63def9
SHA256

024e0e516b1113bfccdb6716c19cba1ffb87a14410c44eef6f5b66fd42124a71
SHA512

c2ba1d855342ea0c320965e6e3bc1e160d542f4f63776d99fec56cbccad81ddd90d64f35f2271ed354aa5773824543f3e311d5a34dc6881643509c4849fa7def
SSDEEP

12288:ZvYnBSkuVUeZdYGwT10Q3L47gFhd8fzKXThxvDRth1HB6c:ZcSkuiGwTKYLogM23LHcc

Score

10^/10

modiloader discovery evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

msnmsgr.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msnmsgr.exe

ModiLoader Second Stage 17 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000b000000023c7f-4.dat	modiloader_stage2
behavioral2/memory/4768-20-0x0000000000400000-0x00000000004A7000-memory.dmp	modiloader_stage2
behavioral2/memory/3620-31-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/3764-62-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/3764-66-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/3764-70-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/3764-74-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/3764-78-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/3764-83-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/3764-87-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/3764-91-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/3764-95-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/3764-99-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/3764-103-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/3764-107-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/3764-111-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/3764-115-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8bfb2bb98a1688892398e83c001047a0_JaffaCakes118.exeLOADER.EXE

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	8bfb2bb98a1688892398e83c001047a0_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	LOADER.EXE

Executes dropped EXE 3 IoCs

Processes:

LOADER.EXELOADER1.EXEmsnmsgr.exe

pid	Process
3620	LOADER.EXE
3076	LOADER1.EXE
3764	msnmsgr.exe

Loads dropped DLL 6 IoCs

Processes:

msnmsgr.exeLOADER1.EXE

pid	Process
3764	msnmsgr.exe
3764	msnmsgr.exe
3764	msnmsgr.exe
3764	msnmsgr.exe
3076	LOADER1.EXE
3076	LOADER1.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msnmsgr.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msnmsgr = "C:\\Windows\\msnmsgr.exe"	msnmsgr.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

LOADER.EXEmsnmsgr.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LOADER.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msnmsgr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msnmsgr.exe

Drops file in Windows directory 4 IoCs

Processes:

msnmsgr.exeLOADER.EXE

description	ioc	Process
File created	C:\Windows\cmsetac.dll	msnmsgr.exe
File created	C:\Windows\msnmsgr.exe	LOADER.EXE
File opened for modification	C:\Windows\msnmsgr.exe	LOADER.EXE
File created	C:\Windows\ntdtcstp.dll	msnmsgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

LOADER1.EXEmsnmsgr.exe8bfb2bb98a1688892398e83c001047a0_JaffaCakes118.exeLOADER.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LOADER1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnmsgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8bfb2bb98a1688892398e83c001047a0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LOADER.EXE

Modifies registry class 20 IoCs

Processes:

LOADER1.EXE

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	LOADER1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	LOADER1.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	LOADER1.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	LOADER1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	LOADER1.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	LOADER1.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	LOADER1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	LOADER1.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	LOADER1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	LOADER1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	LOADER1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	LOADER1.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	LOADER1.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	LOADER1.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	LOADER1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	LOADER1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	LOADER1.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	LOADER1.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	LOADER1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	LOADER1.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

LOADER.EXEvssvc.exemsnmsgr.exeLOADER1.EXE

description	pid	Process
Token: SeDebugPrivilege	3620	LOADER.EXE
Token: SeBackupPrivilege	216	vssvc.exe
Token: SeRestorePrivilege	216	vssvc.exe
Token: SeAuditPrivilege	216	vssvc.exe
Token: SeDebugPrivilege	3764	msnmsgr.exe
Token: SeDebugPrivilege	3764	msnmsgr.exe
Token: SeDebugPrivilege	3076	LOADER1.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

msnmsgr.exeLOADER1.EXE

pid	Process
3764	msnmsgr.exe
3764	msnmsgr.exe
3076	LOADER1.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8bfb2bb98a1688892398e83c001047a0_JaffaCakes118.exeLOADER.EXE

description	pid	Process	procid_target
PID 4768 wrote to memory of 3620	4768	8bfb2bb98a1688892398e83c001047a0_JaffaCakes118.exe	86
PID 4768 wrote to memory of 3620	4768	8bfb2bb98a1688892398e83c001047a0_JaffaCakes118.exe	86
PID 4768 wrote to memory of 3620	4768	8bfb2bb98a1688892398e83c001047a0_JaffaCakes118.exe	86
PID 4768 wrote to memory of 3076	4768	8bfb2bb98a1688892398e83c001047a0_JaffaCakes118.exe	87
PID 4768 wrote to memory of 3076	4768	8bfb2bb98a1688892398e83c001047a0_JaffaCakes118.exe	87
PID 4768 wrote to memory of 3076	4768	8bfb2bb98a1688892398e83c001047a0_JaffaCakes118.exe	87
PID 3620 wrote to memory of 3764	3620	LOADER.EXE	92
PID 3620 wrote to memory of 3764	3620	LOADER.EXE	92
PID 3620 wrote to memory of 3764	3620	LOADER.EXE	92

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

msnmsgr.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msnmsgr.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8bfb2bb98a1688892398e83c001047a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8bfb2bb98a1688892398e83c001047a0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4768
- C:\LOADER.EXE
  "C:\LOADER.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Windows\msnmsgr.exe
    "C:\Windows\msnmsgr.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:3764
- C:\LOADER1.EXE
  "C:\LOADER1.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3076

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LOADER.EXE

Filesize
270KB

MD5
c9000eda33f7e8c22343e23c4bd958e7

SHA1
47f3c3dde5102c1aec509ea196da1269c1b38cd0

SHA256
adbaf1b266a3ab4f2ab477d87c5abe79c1a5c76e618482bbd56aa481496f60aa

SHA512
2167a62f1bf86f0cce82a01c970fbddab24f6ec2c0d72f094ba3c93ce8bd61e6f974cb4a8a1885e57bb659edcaea193adb32c7f94e0d3782cbee2802e8e82c7a

Download Submit
C:\LOADER1.EXE

Filesize
362KB

MD5
13305082605949d491d5aca4c85b4bc2

SHA1
46f43f090a5127a24f9c84833964e24b3a6dfa96

SHA256
572f4654931bbe77c45a3fff1cdefc62386ffc7fa41343755cba58aa364b83c9

SHA512
a84919608b3f6f979b102a37d32c3440f1260b62225fac7932444831d91dba6aea9fd3c7126a9dc83f1a2b58e599525040f52f83e4644a174c51c96acca92c47

Download Submit
C:\Windows\cmsetac.dll

Filesize
32KB

MD5
667bd6bb0abf879c9aee751e67f13101

SHA1
f1e8bacb0dcd18089e5db4bc30f0ec05a03383de

SHA256
0ce18b6ec174252a66955e97360fd2214158a7b575b0e3dc1a10e1b6d038c595

SHA512
e407a9373559331d99554a9f60652a0d960d469425d0afa4cfa27c8d1b394de83a2b97af54dee5d5a730e5d6bd0e82603595a15d0bda3b03385dd6e12ecec643

Download Submit
C:\Windows\ntdtcstp.dll

Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
memory/3076-60-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3076-19-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3076-61-0x0000000002350000-0x000000000235E000-memory.dmp

Filesize
56KB

Download
memory/3076-49-0x0000000002350000-0x000000000235E000-memory.dmp

Filesize
56KB

Download
memory/3620-21-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/3620-31-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3764-64-0x0000000002A10000-0x0000000002A1E000-memory.dmp

Filesize
56KB

Download
memory/3764-83-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3764-62-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3764-63-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/3764-115-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3764-66-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3764-70-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3764-74-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3764-78-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3764-43-0x0000000002A10000-0x0000000002A1E000-memory.dmp

Filesize
56KB

Download
memory/3764-87-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3764-91-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3764-95-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3764-99-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3764-103-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3764-107-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3764-111-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4768-20-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads