modiloader | 5e41dc342bcdba4d3e085f52a35721c6b03d8f3ef95310214577d009817faf82

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe
Size

565KB
MD5

dc51e3c7fdf443110ef0b42251a74c5a
SHA1

96650ce61fb2f3aa18ac55b8782e6a4186027ea1
SHA256

5e41dc342bcdba4d3e085f52a35721c6b03d8f3ef95310214577d009817faf82
SHA512

84f9294d794ae29fdc2b65d54acd0e0f44cd8b3ce42bc01ef3c3c1dc1862fcbb043b7e22842add0586097c38120366dd06c21449ab455425e92a470807c26f5c
SSDEEP

12288:PCmBr+buJqVzYKj86swbdOVzYKj86sz6OaDDVzYKj86srv7Xxd:P9Br+bu8pYOepYOIPWpYOKvzxd

Score

10^/10

modiloader aspackv2 discovery evasion trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/4376-59-0x0000000000400000-0x00000000004ED000-memory.dmp	modiloader_stage2
behavioral2/memory/4376-62-0x0000000000400000-0x00000000004ED000-memory.dmp	modiloader_stage2

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000c000000023b11-45.dat	aspack_v212_v242
behavioral2/files/0x000b000000023b62-54.dat	aspack_v212_v242

Loads dropped DLL 4 IoCs

pid	Process
4376	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe
4376	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe
4376	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe
4376	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4376	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe
Token: SeDebugPrivilege	4376	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4376	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe
4376	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc51e3c7fdf443110ef0b42251a74c5a_JaffaCakes118.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cmsetac.dll

Filesize
164KB

MD5
ea1abe49f7704d313a13bd8a7b348a64

SHA1
41b0e07da99f9dd4087f9e3e8369156d5994c78a

SHA256
592a7d7622833a627f898566d7cfdebf9f2655cc328c132e44b2c010f44c0a52

SHA512
9594971e293cfc11868901fd3fd5890f7f9403669b2b4736ead0ce828bc0f72b1d31207140e628250b788de233a1d17780359a86d0b36b0dbb371c2d73aea444

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntdtcstp.dll

Filesize
145KB

MD5
174abe04b1a7b6c0197aa0789e8f66bb

SHA1
af84173fb7ec0a2d2000c98ef22ae6da170ff8e9

SHA256
6e8433d522920db97e52f8f67797f9d596347f7b19b56eb96d1f422617b5c4da

SHA512
b8555dce4ba2fea3345df8d85cc01c7f23a5673f1f840576ec9029b73d07f6029a3172a4467cdf7455850ee1a7586aa950dc464db8159a5e781ba8f164f33204

Download Submit
memory/4376-0-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/4376-1-0x0000000000A60000-0x0000000000A62000-memory.dmp

Filesize
8KB

Download
memory/4376-2-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/4376-6-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/4376-33-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/4376-32-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/4376-31-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/4376-30-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/4376-42-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/4376-41-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4376-40-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/4376-39-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/4376-38-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/4376-37-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/4376-36-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4376-35-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/4376-34-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/4376-29-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/4376-28-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/4376-27-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/4376-26-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4376-25-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/4376-24-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/4376-23-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/4376-22-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/4376-21-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/4376-20-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/4376-19-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/4376-18-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/4376-17-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/4376-16-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/4376-15-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/4376-14-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/4376-13-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/4376-12-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/4376-11-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/4376-10-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/4376-9-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/4376-8-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/4376-7-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/4376-5-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/4376-4-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/4376-3-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/4376-51-0x00000000049C0000-0x0000000004A23000-memory.dmp

Filesize
396KB

Download
memory/4376-50-0x00000000049C0000-0x0000000004A23000-memory.dmp

Filesize
396KB

Download
memory/4376-58-0x0000000004E70000-0x0000000004EDA000-memory.dmp

Filesize
424KB

Download
memory/4376-57-0x0000000004E70000-0x0000000004EDA000-memory.dmp

Filesize
424KB

Download
memory/4376-59-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/4376-60-0x00000000049C0000-0x0000000004A23000-memory.dmp

Filesize
396KB

Download
memory/4376-61-0x0000000004E70000-0x0000000004EDA000-memory.dmp

Filesize
424KB

Download
memory/4376-62-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads