modiloader | e348b57dade9e6b807052d51062a964fc9be6caa3425587125f7c8a796715858

General

Target

97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe
Size

1.8MB
MD5

97abbf0b1ef33c7106388d4778bb1c48
SHA1

43c0d70f6d9f1b245b9d6d7d8900efd0efb9095a
SHA256

e348b57dade9e6b807052d51062a964fc9be6caa3425587125f7c8a796715858
SHA512

e976969329859638a46c87157e922740b4266a7d1ff535ca3978945e9a15b6288bb670df0f96c703199e5e4ef2718299133c499fb9f2e8d0d95cb5a78085d2df
SSDEEP

24576:QyZBTGF2mygtszkp3TXh5r9RzEws3BNjSYAHb8erClz1MaUevrX/6Q7X6ezrRnmf:BvG7szk3rZVY3H27mRfrXd4ZQe1z+q

Score

10^/10

modiloader discovery evasion persistence themida trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ctfmom.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ctfmom.exe

ModiLoader Second Stage 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2592-44-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2592-40-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2460-54-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2460-57-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2460-64-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2460-68-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2460-72-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2460-76-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2460-81-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2460-85-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2460-89-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2460-93-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2460-97-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2460-101-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2460-105-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2460-109-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2460-113-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

Processes:

turko.exeducsetup.exectfmom.exe

pid	Process
2592	turko.exe
2568	ducsetup.exe
2460	ctfmom.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe

Loads dropped DLL 5 IoCs

Processes:

97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exeturko.exeducsetup.exe

pid	Process
2676	97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe
2676	97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe
2676	97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe
2592	turko.exe
2568	ducsetup.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2676-0-0x0000000000400000-0x000000000056F000-memory.dmp	themida
behavioral1/memory/2676-4-0x0000000000400000-0x000000000056F000-memory.dmp	themida
behavioral1/memory/2676-6-0x0000000000400000-0x000000000056F000-memory.dmp	themida
behavioral1/memory/2676-24-0x0000000000400000-0x000000000056F000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ctfmom.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmom = "C:\\Windows\\ctfmom.exe"	ctfmom.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

turko.exectfmom.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	turko.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ctfmom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ctfmom.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe

pid	Process
2676	97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x000a0000000120d6-13.dat	upx
behavioral1/memory/2592-18-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2592-34-0x0000000002D70000-0x0000000002D80000-memory.dmp	upx
behavioral1/memory/2592-36-0x0000000002FF0000-0x0000000003040000-memory.dmp	upx
behavioral1/memory/2460-45-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2592-44-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2592-40-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2460-54-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2460-57-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2460-64-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2460-68-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2460-72-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2460-76-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2460-81-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2460-85-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2460-89-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2460-93-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2460-97-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2460-101-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2460-105-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2460-109-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2460-113-0x0000000000400000-0x0000000000450000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

Processes:

turko.exectfmom.exe

description	ioc	Process
File created	C:\Windows\ctfmom.exe	turko.exe
File opened for modification	C:\Windows\ctfmom.exe	turko.exe
File created	C:\Windows\ntdtcstp.dll	ctfmom.exe
File created	C:\Windows\cmsetac.dll	ctfmom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exeturko.exeducsetup.exectfmom.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	turko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ducsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmom.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
behavioral1/files/0x0007000000019261-20.dat	nsis_installer_1
behavioral1/files/0x0007000000019261-20.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe

pid	Process
2676	97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ducsetup.exe

pid	Process
2568	ducsetup.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

turko.exevssvc.exectfmom.exeducsetup.exe

description	pid	Process
Token: SeDebugPrivilege	2592	turko.exe
Token: SeBackupPrivilege	2056	vssvc.exe
Token: SeRestorePrivilege	2056	vssvc.exe
Token: SeAuditPrivilege	2056	vssvc.exe
Token: SeDebugPrivilege	2460	ctfmom.exe
Token: SeDebugPrivilege	2460	ctfmom.exe
Token: SeDebugPrivilege	2568	ducsetup.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exectfmom.exe

pid	Process
2676	97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe
2460	ctfmom.exe
2460	ctfmom.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exeturko.exe

description	pid	Process	procid_target
PID 2676 wrote to memory of 2592	2676	97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2592	2676	97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2592	2676	97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2592	2676	97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2568	2676	97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2568	2676	97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2568	2676	97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2568	2676	97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2568	2676	97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2568	2676	97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2568	2676	97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe	31
PID 2592 wrote to memory of 2460	2592	turko.exe	35
PID 2592 wrote to memory of 2460	2592	turko.exe	35
PID 2592 wrote to memory of 2460	2592	turko.exe	35
PID 2592 wrote to memory of 2460	2592	turko.exe	35

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

ctfmom.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ctfmom.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\97abbf0b1ef33c7106388d4778bb1c48_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\turko.exe
  "C:\Users\Admin\AppData\Local\Temp\turko.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\ctfmom.exe
    "C:\Windows\ctfmom.exe" \melt "C:\Users\Admin\AppData\Local\Temp\turko.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2460
- C:\Users\Admin\AppData\Local\Temp\ducsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\ducsetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2568

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\turko.exe

Filesize
112KB

MD5
5541eeec419ade4d4e8cc760f2bd144b

SHA1
a5263e4de342da4658fed98844e7dd5a69f9b4ee

SHA256
2192508bb8e9e0c4a759777bd5115b93500ee3a74fee458cfa5898629d50c576

SHA512
2421a4b16841d133fe78a51eb093bddfa3bc9751d651dceaddfd874652d35621ff6fa38c52399a55939a3ae80680ee9718e24e430edce7752ea5186fdb54d1e8

Download Submit
C:\Windows\cmsetac.dll

Filesize
33KB

MD5
8c96a09c3fe09e4a948d8240d313e227

SHA1
9f92327e675f9c14abb62f072a53593c1a69d053

SHA256
bcbcfed7837c29f63ec637e898a94d1b8fdf7a6e406bce55d30d578797dacbc4

SHA512
e6ba96ab77704db3fbfd655b4b3c3284d39a4aa703e882d5832f3c8e562476906c2a33229d2a4ec1ca2b8e3a4bc0a0ef95c3d951b2a297d7e69f5b4445ac2648

Download Submit
\Users\Admin\AppData\Local\Temp\ducsetup.exe

Filesize
1.1MB

MD5
1572340c8226f3fa6e7fb66e0c32d3b8

SHA1
499f9f39ed540959c959e8c18f4e2411d6fc24d6

SHA256
c592963191a06cf6a88f7375f3424d6bb94d21990a34074c2d7b7a7ce28cc8eb

SHA512
2469042806bdd91c2f04bc45e1fe0b36f3ad719f409d55bacbc496264a34fb70cced9ce73f8c63b3028ebc992f542ceff392711fb2a8f26b941468a80846154c

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2F8B.tmp\StartMenu.dll

Filesize
7KB

MD5
4e96f412a8cc653053d5d918df6b0836

SHA1
a3c7d59043feecb1603874b27c23d4166b341f2d

SHA256
e4a54bfc327986a89165bdef361069810aaa985c3abecd442c786725fabaf977

SHA512
2fec61b4ad31250bdbdbbfd551d831801790b96902c67200661e8f4f2753378bbf6c0c88b12e1be9173a29597827c1c4809511b6d52666dc3324bd7031c8229d

Download Submit
memory/2460-85-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2460-76-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2460-97-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2460-93-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2460-105-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2460-89-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2460-57-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2460-81-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2460-45-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2460-101-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2460-72-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2460-68-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2460-49-0x0000000001E20000-0x0000000001E2E000-memory.dmp

Filesize
56KB

Download
memory/2460-109-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2460-64-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2460-113-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2460-56-0x0000000001E20000-0x0000000001E2E000-memory.dmp

Filesize
56KB

Download
memory/2460-55-0x0000000000280000-0x0000000000288000-memory.dmp

Filesize
32KB

Download
memory/2460-54-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2568-52-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/2568-53-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/2592-34-0x0000000002D70000-0x0000000002D80000-memory.dmp

Filesize
64KB

Download
memory/2592-40-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2592-41-0x0000000002FF0000-0x0000000003040000-memory.dmp

Filesize
320KB

Download
memory/2592-44-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2592-36-0x0000000002FF0000-0x0000000003040000-memory.dmp

Filesize
320KB

Download
memory/2592-18-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2676-0-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2676-24-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2676-17-0x00000000059D0000-0x0000000005A20000-memory.dmp

Filesize
320KB

Download
memory/2676-19-0x00000000059D0000-0x0000000005A20000-memory.dmp

Filesize
320KB

Download
memory/2676-6-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2676-4-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2676-1-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads