modiloader | b8b5adae1838a7475b96c23895a711785f2d7d1dc70509366f95009801b2de82

General

Target

8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe
Size

358KB
MD5

8f435bc23b7ce73056b6736ffdbcf759
SHA1

5100e88c835fc31be44b83347e395e428e87b2ba
SHA256

b8b5adae1838a7475b96c23895a711785f2d7d1dc70509366f95009801b2de82
SHA512

19333c0c3b2508857bd73afa3895b7ec3f380680d0ab34171af0ee076fd5e5cfaadc52b053edd555cc9c535bc95831c7f95120bec1f3b101d6f915ede5a805ed
SSDEEP

6144:y1vQlFJve+rvWhoI6WTTSt4RLdEpRolTiXpuEIrGT:y1ozgYWhoIbTTSt4R6CCT

Score

10^/10

modiloader discovery evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 16 IoCs

resource	yara_rule
behavioral1/files/0x000800000001743a-10.dat	modiloader_stage2
behavioral1/memory/1856-23-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/2000-34-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/2000-38-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/2000-42-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/2000-46-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/2000-50-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/2000-54-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/2000-58-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/2000-62-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/2000-66-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/2000-70-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/2000-74-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/2000-78-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/2000-82-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral1/memory/2000-86-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
1856	jjjjj.exe
2000	mstwain32.exe

Loads dropped DLL 3 IoCs

pid	Process
2204	8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe
2204	8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe
1856	jjjjj.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jjjjj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\cmsetac.dll	mstwain32.exe
File created	C:\Windows\mstwain32.exe	jjjjj.exe
File opened for modification	C:\Windows\mstwain32.exe	jjjjj.exe
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjjjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1856	jjjjj.exe
Token: SeDebugPrivilege	2000	mstwain32.exe
Token: SeDebugPrivilege	2000	mstwain32.exe
Token: SeDebugPrivilege	2152	DllHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2152	DllHost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2000	mstwain32.exe
2152	DllHost.exe
2152	DllHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 1856	2204	8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe	31
PID 2204 wrote to memory of 1856	2204	8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe	31
PID 2204 wrote to memory of 1856	2204	8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe	31
PID 2204 wrote to memory of 1856	2204	8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe	31
PID 1856 wrote to memory of 2000	1856	jjjjj.exe	32
PID 1856 wrote to memory of 2000	1856	jjjjj.exe	32
PID 1856 wrote to memory of 2000	1856	jjjjj.exe	32
PID 1856 wrote to memory of 2000	1856	jjjjj.exe	32

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

C:\Users\Admin\AppData\Local\Temp\8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\jjjjj.exe
  "C:\Users\Admin\AppData\Local\Temp\jjjjj.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\mstwain32.exe
    "C:\Windows\mstwain32.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2000

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Water lilies.jpg

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjjjj.exe

Filesize
273KB

MD5
fded445cd6d03172ac06cf88d46a7abe

SHA1
6637f6749a867124c92a45aa4fd08d46554e3dec

SHA256
752a869b722ac3f849302bd2ae524f0a18b3efbc1a5ba1fcb4abf87951487eee

SHA512
addb458aa7a720ec9deb6da8c1f59ca9282274bd4ec7b0c00079d683870a9bf029e7f599578348c538f947dabe6e71420a33f0d63eda586739a43fcf27f6391e

Download Submit
C:\Windows\cmsetac.dll

Filesize
33KB

MD5
ecd1ec35f1a108caefb815244a0c0aaa

SHA1
65f97469c6a840c68c1055170e3c251f72124403

SHA256
7f26a2f6845092441f19ad22f0e15db14ee95c20c9ffac2a163bd8df6a827caf

SHA512
569ef656848d01ec9c3075eb889d107f6ff732964f848db681456fac2c50da1c5ef5ee75badacc4c71878c92822e94ff2f7cac23e21d7ecfdb47983c56053e78

Download Submit
memory/1856-23-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2000-54-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2000-62-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2000-86-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2000-82-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2000-78-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2000-74-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2000-70-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2000-34-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2000-36-0x0000000001F90000-0x0000000001F9E000-memory.dmp

Filesize
56KB

Download
memory/2000-35-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/2000-38-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2000-42-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2000-46-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2000-50-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2000-66-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2000-58-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2000-27-0x0000000001F90000-0x0000000001F9E000-memory.dmp

Filesize
56KB

Download
memory/2152-33-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2152-32-0x0000000000330000-0x000000000033E000-memory.dmp

Filesize
56KB

Download
memory/2152-2-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2152-5-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2152-30-0x0000000000330000-0x000000000033E000-memory.dmp

Filesize
56KB

Download
memory/2204-1-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads