modiloader | 5e41dc342bcdba4d3e085f52a35721c6b03d8f3ef95310214577d009817faf82

General

Target

dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe
Size

565KB
MD5

dc51e3c7fdf443110ef0b42251a74c5a
SHA1

96650ce61fb2f3aa18ac55b8782e6a4186027ea1
SHA256

5e41dc342bcdba4d3e085f52a35721c6b03d8f3ef95310214577d009817faf82
SHA512

84f9294d794ae29fdc2b65d54acd0e0f44cd8b3ce42bc01ef3c3c1dc1862fcbb043b7e22842add0586097c38120366dd06c21449ab455425e92a470807c26f5c
SSDEEP

12288:PCmBr+buJqVzYKj86swbdOVzYKj86sz6OaDDVzYKj86srv7Xxd:P9Br+bu8pYOepYOIPWpYOKvzxd

Score

10^/10

modiloader aspackv2 bootkit discovery evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/1980-26-0x0000000000400000-0x00000000004ED000-memory.dmp	modiloader_stage2
behavioral1/memory/1980-28-0x0000000000400000-0x00000000004ED000-memory.dmp	modiloader_stage2
behavioral1/memory/1980-42-0x0000000000400000-0x00000000004ED000-memory.dmp	modiloader_stage2

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000d000000012281-21.dat	aspack_v212_v242
behavioral1/files/0x0008000000016875-24.dat	aspack_v212_v242

Loads dropped DLL 2 IoCs

pid	Process
1980	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe
1980	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1980	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2824	explorer.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1980	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe
Token: SeDebugPrivilege	1980	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe
Token: SeShutdownPrivilege	2824	explorer.exe
Token: SeShutdownPrivilege	2824	explorer.exe
Token: SeShutdownPrivilege	2824	explorer.exe
Token: SeShutdownPrivilege	2824	explorer.exe
Token: SeShutdownPrivilege	2824	explorer.exe
Token: SeShutdownPrivilege	2824	explorer.exe
Token: SeShutdownPrivilege	2824	explorer.exe
Token: SeShutdownPrivilege	2824	explorer.exe
Token: SeShutdownPrivilege	2824	explorer.exe
Token: SeShutdownPrivilege	2824	explorer.exe
Token: SeShutdownPrivilege	2824	explorer.exe
Token: SeShutdownPrivilege	2824	explorer.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe
2824	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1980	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe
1980	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 3044	1980	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe	32
PID 1980 wrote to memory of 3044	1980	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe	32
PID 1980 wrote to memory of 3044	1980	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe	32
PID 1980 wrote to memory of 3044	1980	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe	32
PID 1980 wrote to memory of 3044	1980	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe	32
PID 1980 wrote to memory of 3044	1980	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe	32
PID 1980 wrote to memory of 3044	1980	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe	32

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Uninstall.bat" C:\Users\Admin\AppData\Local\Temp\dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3044

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Pre-OS Boot

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Uninstall.bat

Filesize
207B

MD5
404745120599709daf7901f17c43a7e5

SHA1
247c9e558241de4415f383ada3b4198259e0b59e

SHA256
b8206f0dd8276874d88a69a3e9e79c914a6f9cb9bfa6de7bdf4f216f0f105d3b

SHA512
0c3d7295b5eef46dac8377485ecb1ff4423a2a4c414b50a0ed813ee6171499b172063c199e69788bf0c8f4909e5775d06d17bdac18f7dfaffe810639470ffc6b

Download Submit
\Users\Admin\AppData\Local\Temp\cmsetac.dll

Filesize
164KB

MD5
ea1abe49f7704d313a13bd8a7b348a64

SHA1
41b0e07da99f9dd4087f9e3e8369156d5994c78a

SHA256
592a7d7622833a627f898566d7cfdebf9f2655cc328c132e44b2c010f44c0a52

SHA512
9594971e293cfc11868901fd3fd5890f7f9403669b2b4736ead0ce828bc0f72b1d31207140e628250b788de233a1d17780359a86d0b36b0dbb371c2d73aea444

Download Submit
\Users\Admin\AppData\Local\Temp\ntdtcstp.dll

Filesize
145KB

MD5
174abe04b1a7b6c0197aa0789e8f66bb

SHA1
af84173fb7ec0a2d2000c98ef22ae6da170ff8e9

SHA256
6e8433d522920db97e52f8f67797f9d596347f7b19b56eb96d1f422617b5c4da

SHA512
b8555dce4ba2fea3345df8d85cc01c7f23a5673f1f840576ec9029b73d07f6029a3172a4467cdf7455850ee1a7586aa950dc464db8159a5e781ba8f164f33204

Download Submit
memory/1980-3-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/1980-31-0x0000000003260000-0x00000000032C3000-memory.dmp

Filesize
396KB

Download
memory/1980-2-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/1980-17-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

Filesize
4KB

Download
memory/1980-16-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1980-15-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1980-14-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1980-9-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/1980-8-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/1980-7-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1980-6-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/1980-5-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/1980-10-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/1980-0-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/1980-18-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/1980-1-0x0000000000610000-0x0000000000612000-memory.dmp

Filesize
8KB

Download
memory/1980-11-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1980-12-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/1980-13-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1980-27-0x0000000003AD0000-0x0000000003B3A000-memory.dmp

Filesize
424KB

Download
memory/1980-26-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/1980-28-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/1980-23-0x0000000003260000-0x00000000032C3000-memory.dmp

Filesize
396KB

Download
memory/1980-30-0x0000000003AD0000-0x0000000003B3A000-memory.dmp

Filesize
424KB

Download
memory/1980-32-0x0000000003AD0000-0x0000000003B3A000-memory.dmp

Filesize
424KB

Download
memory/1980-4-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/1980-35-0x0000000004660000-0x0000000004670000-memory.dmp

Filesize
64KB

Download
memory/1980-44-0x0000000003AD0000-0x0000000003B3A000-memory.dmp

Filesize
424KB

Download
memory/1980-43-0x0000000003260000-0x00000000032C3000-memory.dmp

Filesize
396KB

Download
memory/1980-42-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2824-51-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads