modiloader | b8b5adae1838a7475b96c23895a711785f2d7d1dc70509366f95009801b2de82

General

Target

8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe
Size

358KB
MD5

8f435bc23b7ce73056b6736ffdbcf759
SHA1

5100e88c835fc31be44b83347e395e428e87b2ba
SHA256

b8b5adae1838a7475b96c23895a711785f2d7d1dc70509366f95009801b2de82
SHA512

19333c0c3b2508857bd73afa3895b7ec3f380680d0ab34171af0ee076fd5e5cfaadc52b053edd555cc9c535bc95831c7f95120bec1f3b101d6f915ede5a805ed
SSDEEP

6144:y1vQlFJve+rvWhoI6WTTSt4RLdEpRolTiXpuEIrGT:y1ozgYWhoIbTTSt4R6CCT

Score

10^/10

modiloader discovery evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 16 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c60-5.dat	modiloader_stage2
behavioral2/memory/4072-18-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral2/memory/4316-34-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral2/memory/4316-37-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral2/memory/4316-40-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral2/memory/4316-43-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral2/memory/4316-46-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral2/memory/4316-49-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral2/memory/4316-52-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral2/memory/4316-55-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral2/memory/4316-58-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral2/memory/4316-61-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral2/memory/4316-64-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral2/memory/4316-67-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral2/memory/4316-70-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2
behavioral2/memory/4316-73-0x0000000000400000-0x000000000044C000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	jjjjj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4072	jjjjj.exe
4316	mstwain32.exe

Loads dropped DLL 4 IoCs

pid	Process
4316	mstwain32.exe
4316	mstwain32.exe
4316	mstwain32.exe
4316	mstwain32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jjjjj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\cmsetac.dll	mstwain32.exe
File created	C:\Windows\mstwain32.exe	jjjjj.exe
File opened for modification	C:\Windows\mstwain32.exe	jjjjj.exe
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjjjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4072	jjjjj.exe
Token: SeDebugPrivilege	4316	mstwain32.exe
Token: SeDebugPrivilege	4316	mstwain32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4316	mstwain32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 4072	2300	8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe	85
PID 2300 wrote to memory of 4072	2300	8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe	85
PID 2300 wrote to memory of 4072	2300	8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe	85
PID 4072 wrote to memory of 4316	4072	jjjjj.exe	86
PID 4072 wrote to memory of 4316	4072	jjjjj.exe	86
PID 4072 wrote to memory of 4316	4072	jjjjj.exe	86

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

C:\Users\Admin\AppData\Local\Temp\8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8f435bc23b7ce73056b6736ffdbcf759_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\jjjjj.exe
  "C:\Users\Admin\AppData\Local\Temp\jjjjj.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\mstwain32.exe
    "C:\Windows\mstwain32.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jjjjj.exe

Filesize
273KB

MD5
fded445cd6d03172ac06cf88d46a7abe

SHA1
6637f6749a867124c92a45aa4fd08d46554e3dec

SHA256
752a869b722ac3f849302bd2ae524f0a18b3efbc1a5ba1fcb4abf87951487eee

SHA512
addb458aa7a720ec9deb6da8c1f59ca9282274bd4ec7b0c00079d683870a9bf029e7f599578348c538f947dabe6e71420a33f0d63eda586739a43fcf27f6391e

Download Submit
C:\Windows\cmsetac.dll

Filesize
33KB

MD5
ecd1ec35f1a108caefb815244a0c0aaa

SHA1
65f97469c6a840c68c1055170e3c251f72124403

SHA256
7f26a2f6845092441f19ad22f0e15db14ee95c20c9ffac2a163bd8df6a827caf

SHA512
569ef656848d01ec9c3075eb889d107f6ff732964f848db681456fac2c50da1c5ef5ee75badacc4c71878c92822e94ff2f7cac23e21d7ecfdb47983c56053e78

Download Submit
C:\Windows\ntdtcstp.dll

Filesize
7KB

MD5
72abc5c09a51bb623cf41dd747a6bb6d

SHA1
8451aa7900ce14b0f424e43fae9c3e45bb7634a4

SHA256
1ddbdf720a3ca19d4d23fc06d1506e5ee4bf894077f022ee18752d1cfabbec7b

SHA512
9e726073f841f4811edd7dc238dbc001ba1cbab48f1049994e10a442b459e148a32f690a4eaf2265d88a74312ccae0560c14fcb3995a786874745134d38560f5

Download Submit
memory/4072-18-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4316-37-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4316-46-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4316-33-0x0000000002F80000-0x0000000002F81000-memory.dmp

Filesize
4KB

Download
memory/4316-34-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4316-35-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/4316-36-0x00000000030D0000-0x00000000030DE000-memory.dmp

Filesize
56KB

Download
memory/4316-26-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/4316-40-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4316-43-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4316-30-0x00000000030D0000-0x00000000030DE000-memory.dmp

Filesize
56KB

Download
memory/4316-49-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4316-52-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4316-55-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4316-58-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4316-61-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4316-64-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4316-67-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4316-70-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4316-73-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads