modiloader | c04ae2f8f7d73c30bf171ca8514774c78ab54f011be925b574ea3af5d45c9658

General

Target

d397e089ee9f0f752a5c13dfe4f2d143_JaffaCakes118.exe
Size

5.6MB
MD5

d397e089ee9f0f752a5c13dfe4f2d143
SHA1

c3977823f7ccf638f63cdb390acb628fb4d6f9f6
SHA256

c04ae2f8f7d73c30bf171ca8514774c78ab54f011be925b574ea3af5d45c9658
SHA512

32c634360665f4f90953f84313fc4d8f8fe60e3a59c5eaa13c1a81b03b0114e26d3b8aa20757f3acb6a9bd6f952c5232557742aa7bcfad921e7f4386a001aea4
SSDEEP

98304:MaC4+JOoJKFVlJvLrtg6NwO1+Dgm6nffxo2tQhye89NFS27CCySzX0Lp5tFb4w5q:N1oYVlltg7qbtQhyeINFS2b0lFJ

Score

10^/10

modiloader discovery evasion persistence themida trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "userinit.exe\"C:\\Windows\\guiiserver.exe\","	d397e089ee9f0f752a5c13dfe4f2d143_JaffaCakes118.exe

Modiloader family
modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 25 IoCs

resource	yara_rule
behavioral1/memory/628-4-0x0000000000400000-0x0000000000A2B000-memory.dmp	modiloader_stage2
behavioral1/memory/628-10-0x0000000000400000-0x0000000000A2B000-memory.dmp	modiloader_stage2
behavioral1/files/0x0010000000013439-7.dat	modiloader_stage2
behavioral1/memory/2816-20-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2744-24-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2744-27-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2744-28-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/628-29-0x0000000000400000-0x0000000000A2B000-memory.dmp	modiloader_stage2
behavioral1/memory/2744-30-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2744-31-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2744-32-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2744-35-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2744-36-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2744-39-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2744-42-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2744-45-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2744-48-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2744-51-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2744-54-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2744-57-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2744-60-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2744-63-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2744-66-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2744-69-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2744-72-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2816	guiiserver.exe
2744	mstwain32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	d397e089ee9f0f752a5c13dfe4f2d143_JaffaCakes118.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/628-0-0x0000000000400000-0x0000000000A2B000-memory.dmp	themida
behavioral1/memory/628-4-0x0000000000400000-0x0000000000A2B000-memory.dmp	themida
behavioral1/memory/628-10-0x0000000000400000-0x0000000000A2B000-memory.dmp	themida
behavioral1/memory/628-29-0x0000000000400000-0x0000000000A2B000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	guiiserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
628	d397e089ee9f0f752a5c13dfe4f2d143_JaffaCakes118.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\guiiserver.exe	d397e089ee9f0f752a5c13dfe4f2d143_JaffaCakes118.exe
File created	C:\Windows\mstwain32.exe	guiiserver.exe
File opened for modification	C:\Windows\mstwain32.exe	guiiserver.exe
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe
File created	C:\Windows\cmsetac.dll	mstwain32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d397e089ee9f0f752a5c13dfe4f2d143_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guiiserver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
628	d397e089ee9f0f752a5c13dfe4f2d143_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	guiiserver.exe
Token: SeDebugPrivilege	2744	mstwain32.exe
Token: SeDebugPrivilege	2744	mstwain32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2744	mstwain32.exe
2744	mstwain32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 2816	628	d397e089ee9f0f752a5c13dfe4f2d143_JaffaCakes118.exe	31
PID 628 wrote to memory of 2816	628	d397e089ee9f0f752a5c13dfe4f2d143_JaffaCakes118.exe	31
PID 628 wrote to memory of 2816	628	d397e089ee9f0f752a5c13dfe4f2d143_JaffaCakes118.exe	31
PID 628 wrote to memory of 2816	628	d397e089ee9f0f752a5c13dfe4f2d143_JaffaCakes118.exe	31
PID 2816 wrote to memory of 2744	2816	guiiserver.exe	32
PID 2816 wrote to memory of 2744	2816	guiiserver.exe	32
PID 2816 wrote to memory of 2744	2816	guiiserver.exe	32
PID 2816 wrote to memory of 2744	2816	guiiserver.exe	32

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

C:\Users\Admin\AppData\Local\Temp\d397e089ee9f0f752a5c13dfe4f2d143_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d397e089ee9f0f752a5c13dfe4f2d143_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\guiiserver.exe
  "C:\Windows\guiiserver.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\mstwain32.exe
    "C:\Windows\mstwain32.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\guiiserver.exe

Filesize
270KB

MD5
4e5388a4a29272519960f8a024c5eba9

SHA1
7b847707b8920d4e036e09e972e0b5f552836bb0

SHA256
95ba9b1b846149a2433bf45c0a01bf6f114456944c9d2a1c41b7591c8dee0953

SHA512
ab7e637ac522184854c3a001a95ec8d265fbb4aba09d3a41b0f719d21f40e801cc3d0f8a3ee19036adc33a6530f0b40524becedfcdf8a2305181776d640f4f88

Download Submit
memory/628-29-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/628-2-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/628-4-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/628-10-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/628-0-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/2744-34-0x0000000002290000-0x000000000229E000-memory.dmp

Filesize
56KB

Download
memory/2744-36-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2744-27-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2744-28-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2744-24-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2744-30-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2744-31-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2744-32-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2744-72-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2744-33-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/2744-35-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2744-25-0x0000000002290000-0x000000000229E000-memory.dmp

Filesize
56KB

Download
memory/2744-39-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2744-42-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2744-45-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2744-48-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2744-51-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2744-54-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2744-57-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2744-60-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2744-63-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2744-66-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2744-69-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2816-20-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads