modiloader | abe80b9c5f49e09d144924bac4b0749c4baff115b03fdd92714b73dfb9a5b8ca

General

Target

e7aa2e8db50feb7fefed4cc7e4bf3857_JaffaCakes118.exe
Size

616KB
MD5

e7aa2e8db50feb7fefed4cc7e4bf3857
SHA1

b487ec0d299893de79d5af0d01d68373448eb2ee
SHA256

abe80b9c5f49e09d144924bac4b0749c4baff115b03fdd92714b73dfb9a5b8ca
SHA512

98ae9fc26108b13aa9dfc434cbc09a7745143eb92e2c4286265502ddfe50949921627310c0fc8e573f3e8f784a9df6a3652f69997a75bb4ae22879a093c8b1aa
SSDEEP

12288:ku6fLjX3IcDTDlw4SsYOxIxwd0sKDvubuQdQOnDRavTsIvREP:kBjX3IiDl3SitqYkOnDuAIvREP

Score

10^/10

modiloader discovery evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 17 IoCs

resource	yara_rule
behavioral1/memory/2340-16-0x0000000000401000-0x000000000041C000-memory.dmp	modiloader_stage2
behavioral1/memory/2340-28-0x0000000000400000-0x00000000004DF000-memory.dmp	modiloader_stage2
behavioral1/memory/1288-40-0x0000000000400000-0x00000000004DF000-memory.dmp	modiloader_stage2
behavioral1/memory/1288-43-0x0000000000400000-0x00000000004DF000-memory.dmp	modiloader_stage2
behavioral1/memory/1288-44-0x0000000000400000-0x00000000004DF000-memory.dmp	modiloader_stage2
behavioral1/memory/1288-47-0x0000000000400000-0x00000000004DF000-memory.dmp	modiloader_stage2
behavioral1/memory/1288-50-0x0000000000400000-0x00000000004DF000-memory.dmp	modiloader_stage2
behavioral1/memory/1288-53-0x0000000000400000-0x00000000004DF000-memory.dmp	modiloader_stage2
behavioral1/memory/1288-57-0x0000000000400000-0x00000000004DF000-memory.dmp	modiloader_stage2
behavioral1/memory/1288-60-0x0000000000400000-0x00000000004DF000-memory.dmp	modiloader_stage2
behavioral1/memory/1288-63-0x0000000000400000-0x00000000004DF000-memory.dmp	modiloader_stage2
behavioral1/memory/1288-66-0x0000000000400000-0x00000000004DF000-memory.dmp	modiloader_stage2
behavioral1/memory/1288-69-0x0000000000400000-0x00000000004DF000-memory.dmp	modiloader_stage2
behavioral1/memory/1288-72-0x0000000000400000-0x00000000004DF000-memory.dmp	modiloader_stage2
behavioral1/memory/1288-75-0x0000000000400000-0x00000000004DF000-memory.dmp	modiloader_stage2
behavioral1/memory/1288-78-0x0000000000400000-0x00000000004DF000-memory.dmp	modiloader_stage2
behavioral1/memory/1288-81-0x0000000000400000-0x00000000004DF000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2340	SSSSSS~1.EXE
1288	mstwain32.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	SSSSSS~1.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	mstwain32.exe

Loads dropped DLL 4 IoCs

pid	Process
1920	e7aa2e8db50feb7fefed4cc7e4bf3857_JaffaCakes118.exe
1920	e7aa2e8db50feb7fefed4cc7e4bf3857_JaffaCakes118.exe
2340	SSSSSS~1.EXE
2340	SSSSSS~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e7aa2e8db50feb7fefed4cc7e4bf3857_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SSSSSS~1.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe
File created	C:\Windows\cmsetac.dll	mstwain32.exe
File created	C:\Windows\mstwain32.exe	SSSSSS~1.EXE
File opened for modification	C:\Windows\mstwain32.exe	SSSSSS~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7aa2e8db50feb7fefed4cc7e4bf3857_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SSSSSS~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	SSSSSS~1.EXE
Token: SeBackupPrivilege	2728	vssvc.exe
Token: SeRestorePrivilege	2728	vssvc.exe
Token: SeAuditPrivilege	2728	vssvc.exe
Token: SeDebugPrivilege	1288	mstwain32.exe
Token: SeDebugPrivilege	1288	mstwain32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2340	SSSSSS~1.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1288	mstwain32.exe
1288	mstwain32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2340	1920	e7aa2e8db50feb7fefed4cc7e4bf3857_JaffaCakes118.exe	31
PID 1920 wrote to memory of 2340	1920	e7aa2e8db50feb7fefed4cc7e4bf3857_JaffaCakes118.exe	31
PID 1920 wrote to memory of 2340	1920	e7aa2e8db50feb7fefed4cc7e4bf3857_JaffaCakes118.exe	31
PID 1920 wrote to memory of 2340	1920	e7aa2e8db50feb7fefed4cc7e4bf3857_JaffaCakes118.exe	31
PID 1920 wrote to memory of 2340	1920	e7aa2e8db50feb7fefed4cc7e4bf3857_JaffaCakes118.exe	31
PID 1920 wrote to memory of 2340	1920	e7aa2e8db50feb7fefed4cc7e4bf3857_JaffaCakes118.exe	31
PID 1920 wrote to memory of 2340	1920	e7aa2e8db50feb7fefed4cc7e4bf3857_JaffaCakes118.exe	31
PID 2340 wrote to memory of 1288	2340	SSSSSS~1.EXE	35
PID 2340 wrote to memory of 1288	2340	SSSSSS~1.EXE	35
PID 2340 wrote to memory of 1288	2340	SSSSSS~1.EXE	35
PID 2340 wrote to memory of 1288	2340	SSSSSS~1.EXE	35
PID 2340 wrote to memory of 1288	2340	SSSSSS~1.EXE	35
PID 2340 wrote to memory of 1288	2340	SSSSSS~1.EXE	35
PID 2340 wrote to memory of 1288	2340	SSSSSS~1.EXE	35

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e7aa2e8db50feb7fefed4cc7e4bf3857_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e7aa2e8db50feb7fefed4cc7e4bf3857_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SSSSSS~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SSSSSS~1.EXE
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\mstwain32.exe
    "C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SSSSSS~1.EXE"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1288

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\SSSSSS~1.EXE

Filesize
715KB

MD5
3f5046a702ba64f2da2121f15ba0d4b8

SHA1
4b04f02c42a15b6912fc408b472276b0c4fa6b2f

SHA256
33c96c976892e401e845938e92efc2491fdf11f6c7e621d1945982037054e75f

SHA512
89febf9291fa2774505c4e5ff87be86f05053db0ff5fd36bc404b308c0ceab5b7d2835103b60cda9cfadc2b61369d50925c8d5e057e5d13260c245abea9f20f8

Download Submit
memory/1288-41-0x0000000003C20000-0x0000000003C28000-memory.dmp

Filesize
32KB

Download
memory/1288-57-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1288-42-0x0000000004510000-0x000000000451E000-memory.dmp

Filesize
56KB

Download
memory/1288-78-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1288-75-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1288-72-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1288-69-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1288-32-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1288-66-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1288-63-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1288-60-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1288-40-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1288-37-0x0000000004510000-0x000000000451E000-memory.dmp

Filesize
56KB

Download
memory/1288-53-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1288-50-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1288-81-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1288-47-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1288-43-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1288-44-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1920-1-0x0000000001001000-0x0000000001002000-memory.dmp

Filesize
4KB

Download
memory/1920-7-0x0000000000D70000-0x0000000000E4F000-memory.dmp

Filesize
892KB

Download
memory/1920-31-0x0000000000D70000-0x0000000000E4F000-memory.dmp

Filesize
892KB

Download
memory/1920-33-0x0000000001000000-0x000000000109A000-memory.dmp

Filesize
616KB

Download
memory/1920-13-0x0000000000D70000-0x0000000000E4F000-memory.dmp

Filesize
892KB

Download
memory/1920-0-0x0000000001000000-0x000000000109A000-memory.dmp

Filesize
616KB

Download
memory/2340-39-0x0000000006090000-0x000000000616F000-memory.dmp

Filesize
892KB

Download
memory/2340-28-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2340-29-0x0000000006090000-0x000000000616F000-memory.dmp

Filesize
892KB

Download
memory/2340-22-0x0000000006090000-0x00000000060A0000-memory.dmp

Filesize
64KB

Download
memory/2340-16-0x0000000000401000-0x000000000041C000-memory.dmp

Filesize
108KB

Download
memory/2340-12-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads