modiloader | 65d13d2b5d3fb706d29acd79faeb3ba7180a07fb6f26035fd6ae15c6048cdc92

General

Target

a339ba528ddd0c3d91c52103fd12b143_JaffaCakes118.exe
Size

227KB
MD5

a339ba528ddd0c3d91c52103fd12b143
SHA1

2f0428dd455d3513783a91c5e4ffb273b9e6f1cf
SHA256

65d13d2b5d3fb706d29acd79faeb3ba7180a07fb6f26035fd6ae15c6048cdc92
SHA512

6acd7041f7fb188c31cf9b21880bfa18b22ac13f03fc003719ec39adbd2e1db79588ef9e2b15a6f7dbf7eabadd9bf8df4334e10f2005a8afdf97f2ac4f5152db
SSDEEP

6144:ZeYH3V2NRlPwWF6hhdnV7AJV69Uc23Gym7oQlyHnbSaBk:Zem387l4WI1VSI9UcNyF72Z

Score

10^/10

modiloader discovery evasion trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winupdcenter.exe

ModiLoader Second Stage 8 IoCs

resource	yara_rule
behavioral1/memory/1648-21-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/1648-24-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/1648-27-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/1648-33-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/1648-36-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/1648-37-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/1648-38-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/1648-39-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2340	winupdcenter.exe
1648	winupdcenter.exe

Loads dropped DLL 3 IoCs

pid	Process
2340	winupdcenter.exe
1648	winupdcenter.exe
1648	winupdcenter.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winupdcenter.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winupdcenter.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2340 set thread context of 1648	2340	winupdcenter.exe	32

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1648-16-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/1648-19-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/1648-21-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/1648-24-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/1648-27-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/1648-20-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/1648-33-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/1648-36-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/1648-37-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/1648-38-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/1648-39-0x0000000000400000-0x0000000000450000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\VMPipe32.dll	winupdcenter.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdcenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdcenter.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1648	winupdcenter.exe
Token: SeDebugPrivilege	1648	winupdcenter.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2340	winupdcenter.exe
1648	winupdcenter.exe
1648	winupdcenter.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2340	2156	a339ba528ddd0c3d91c52103fd12b143_JaffaCakes118.exe	31
PID 2156 wrote to memory of 2340	2156	a339ba528ddd0c3d91c52103fd12b143_JaffaCakes118.exe	31
PID 2156 wrote to memory of 2340	2156	a339ba528ddd0c3d91c52103fd12b143_JaffaCakes118.exe	31
PID 2156 wrote to memory of 2340	2156	a339ba528ddd0c3d91c52103fd12b143_JaffaCakes118.exe	31
PID 2340 wrote to memory of 1648	2340	winupdcenter.exe	32
PID 2340 wrote to memory of 1648	2340	winupdcenter.exe	32
PID 2340 wrote to memory of 1648	2340	winupdcenter.exe	32
PID 2340 wrote to memory of 1648	2340	winupdcenter.exe	32
PID 2340 wrote to memory of 1648	2340	winupdcenter.exe	32
PID 2340 wrote to memory of 1648	2340	winupdcenter.exe	32
PID 2340 wrote to memory of 1648	2340	winupdcenter.exe	32
PID 2340 wrote to memory of 1648	2340	winupdcenter.exe	32
PID 2340 wrote to memory of 1648	2340	winupdcenter.exe	32

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winupdcenter.exe

C:\Users\Admin\AppData\Local\Temp\a339ba528ddd0c3d91c52103fd12b143_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a339ba528ddd0c3d91c52103fd12b143_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\winupdcenter.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\winupdcenter.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\winupdcenter.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\winupdcenter.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\winupdcenter.exe

Filesize
208KB

MD5
ebe0a383ad09480cb42c3852816e7d00

SHA1
972306525923de45d20e00f7538ed1d0591319a0

SHA256
c9d13e597fa013613cdb235f1a20a3d617cc6a74b4da9f2b87790bffc3b494f9

SHA512
400f8861c1e3d436df8d2d155b11f8c614921f54cceea00aa04a9237cb8658abd1c4de2d0db2460b067723f233b4889636852da48024a37d123c42f9304a05a6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cmsetac.dll

Filesize
33KB

MD5
d12f80819105bae5811221d33005618e

SHA1
7107f29727181a018150fc583ee1b89a3ee2aa5b

SHA256
210e3488f9493106bdeada58bb1b7abe5522d3559fe712ec21ba76fcae69d0a3

SHA512
f78fdbc3031db76802207373bff2ed44c51d38d9db6047f1c45fe5df1a5a2f4332b7a1cdc738ee29287f64ca4753ec6976d1d12b64cfed98d198dd4cc52c8f7e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ntdtcstp.dll

Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
memory/1648-27-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1648-37-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1648-16-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1648-19-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1648-21-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1648-24-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1648-42-0x0000000001E10000-0x0000000001E1E000-memory.dmp

Filesize
56KB

Download
memory/1648-31-0x0000000001E10000-0x0000000001E1E000-memory.dmp

Filesize
56KB

Download
memory/1648-41-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/1648-39-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1648-22-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1648-20-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1648-38-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1648-36-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1648-33-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2156-34-0x000007FEF58BE000-0x000007FEF58BF000-memory.dmp

Filesize
4KB

Download
memory/2156-4-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp

Filesize
9.6MB

Download
memory/2156-35-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp

Filesize
9.6MB

Download
memory/2156-0-0x000007FEF58BE000-0x000007FEF58BF000-memory.dmp

Filesize
4KB

Download
memory/2156-1-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp

Filesize
9.6MB

Download
memory/2156-2-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads