modiloader | 06299cc3c624492fc229b2a75f2d96c9209cd5051a1a8284e276c18c6e3a807e

General

Target

f514ba940d5021e1382409b211d12d61_JaffaCakes118.exe
Size

924KB
MD5

f514ba940d5021e1382409b211d12d61
SHA1

d397c7e5a13a8b7cf160da8cff77658ef5e0b2bf
SHA256

06299cc3c624492fc229b2a75f2d96c9209cd5051a1a8284e276c18c6e3a807e
SHA512

311267615b97cf1307371c354581b45f91e38e40a579a5e64d8efd2b5af134635d96e00e63c5084a1a0cc7ee2aaa8e9951904b1b0e23f8a9d5771aa9fa63fbb1
SSDEEP

24576:aObQ+KS7U1MoaPAiGszPJhqIlkNUnDU9PXMbGOuaUMMpXkN:aO4SbAKzWIlkA49sGOuRfG

Score

10^/10

modiloader discovery evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msngr.exe

ModiLoader Second Stage 16 IoCs

resource	yara_rule
behavioral1/memory/2352-42-0x0000000000400000-0x000000000059B000-memory.dmp	modiloader_stage2
behavioral1/memory/3012-52-0x0000000000400000-0x000000000059B000-memory.dmp	modiloader_stage2
behavioral1/memory/3012-54-0x0000000000400000-0x000000000059B000-memory.dmp	modiloader_stage2
behavioral1/memory/3012-57-0x0000000000400000-0x000000000059B000-memory.dmp	modiloader_stage2
behavioral1/memory/3012-60-0x0000000000400000-0x000000000059B000-memory.dmp	modiloader_stage2
behavioral1/memory/3012-63-0x0000000000400000-0x000000000059B000-memory.dmp	modiloader_stage2
behavioral1/memory/3012-66-0x0000000000400000-0x000000000059B000-memory.dmp	modiloader_stage2
behavioral1/memory/3012-70-0x0000000000400000-0x000000000059B000-memory.dmp	modiloader_stage2
behavioral1/memory/3012-73-0x0000000000400000-0x000000000059B000-memory.dmp	modiloader_stage2
behavioral1/memory/3012-76-0x0000000000400000-0x000000000059B000-memory.dmp	modiloader_stage2
behavioral1/memory/3012-79-0x0000000000400000-0x000000000059B000-memory.dmp	modiloader_stage2
behavioral1/memory/3012-82-0x0000000000400000-0x000000000059B000-memory.dmp	modiloader_stage2
behavioral1/memory/3012-85-0x0000000000400000-0x000000000059B000-memory.dmp	modiloader_stage2
behavioral1/memory/3012-88-0x0000000000400000-0x000000000059B000-memory.dmp	modiloader_stage2
behavioral1/memory/3012-91-0x0000000000400000-0x000000000059B000-memory.dmp	modiloader_stage2
behavioral1/memory/3012-94-0x0000000000400000-0x000000000059B000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

pid	Process
2352	Raw.exe
2096	Raw Mass Iggy V1.1.exe
3012	msngr.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	Raw.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	msngr.exe

Loads dropped DLL 11 IoCs

pid	Process
2084	f514ba940d5021e1382409b211d12d61_JaffaCakes118.exe
2084	f514ba940d5021e1382409b211d12d61_JaffaCakes118.exe
2352	Raw.exe
2352	Raw.exe
2352	Raw.exe
2084	f514ba940d5021e1382409b211d12d61_JaffaCakes118.exe
2084	f514ba940d5021e1382409b211d12d61_JaffaCakes118.exe
2096	Raw Mass Iggy V1.1.exe
2096	Raw Mass Iggy V1.1.exe
2096	Raw Mass Iggy V1.1.exe
2352	Raw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\msngr = "C:\\Windows\\msngr.exe"	msngr.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msngr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Raw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msngr.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\msngr.exe	Raw.exe
File opened for modification	C:\Windows\msngr.exe	Raw.exe
File created	C:\Windows\ntdtcstp.dll	msngr.exe
File created	C:\Windows\cmsetac.dll	msngr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f514ba940d5021e1382409b211d12d61_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Raw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Raw Mass Iggy V1.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msngr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2352	Raw.exe
Token: SeBackupPrivilege	2940	vssvc.exe
Token: SeRestorePrivilege	2940	vssvc.exe
Token: SeAuditPrivilege	2940	vssvc.exe
Token: SeDebugPrivilege	3012	msngr.exe
Token: SeDebugPrivilege	3012	msngr.exe
Token: SeDebugPrivilege	2096	Raw Mass Iggy V1.1.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2096	Raw Mass Iggy V1.1.exe
3012	msngr.exe
3012	msngr.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2352	2084	f514ba940d5021e1382409b211d12d61_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2352	2084	f514ba940d5021e1382409b211d12d61_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2352	2084	f514ba940d5021e1382409b211d12d61_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2352	2084	f514ba940d5021e1382409b211d12d61_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2352	2084	f514ba940d5021e1382409b211d12d61_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2352	2084	f514ba940d5021e1382409b211d12d61_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2352	2084	f514ba940d5021e1382409b211d12d61_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2096	2084	f514ba940d5021e1382409b211d12d61_JaffaCakes118.exe	31
PID 2084 wrote to memory of 2096	2084	f514ba940d5021e1382409b211d12d61_JaffaCakes118.exe	31
PID 2084 wrote to memory of 2096	2084	f514ba940d5021e1382409b211d12d61_JaffaCakes118.exe	31
PID 2084 wrote to memory of 2096	2084	f514ba940d5021e1382409b211d12d61_JaffaCakes118.exe	31
PID 2084 wrote to memory of 2096	2084	f514ba940d5021e1382409b211d12d61_JaffaCakes118.exe	31
PID 2084 wrote to memory of 2096	2084	f514ba940d5021e1382409b211d12d61_JaffaCakes118.exe	31
PID 2084 wrote to memory of 2096	2084	f514ba940d5021e1382409b211d12d61_JaffaCakes118.exe	31
PID 2352 wrote to memory of 3012	2352	Raw.exe	35
PID 2352 wrote to memory of 3012	2352	Raw.exe	35
PID 2352 wrote to memory of 3012	2352	Raw.exe	35
PID 2352 wrote to memory of 3012	2352	Raw.exe	35
PID 2352 wrote to memory of 3012	2352	Raw.exe	35
PID 2352 wrote to memory of 3012	2352	Raw.exe	35
PID 2352 wrote to memory of 3012	2352	Raw.exe	35

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msngr.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f514ba940d5021e1382409b211d12d61_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f514ba940d5021e1382409b211d12d61_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\Raw.exe
  "C:\Users\Admin\AppData\Local\Temp\Raw.exe"
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\msngr.exe
    "C:\Windows\msngr.exe" \melt "C:\Users\Admin\AppData\Local\Temp\Raw.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:3012
- C:\Users\Admin\AppData\Local\Temp\Raw Mass Iggy V1.1.exe
  "C:\Users\Admin\AppData\Local\Temp\Raw Mass Iggy V1.1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2096

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\cmsetac.dll

Filesize
33KB

MD5
c8df3e77901780736c3cfcc8f5065e1e

SHA1
56956030c3324e76dec91fd60de5bef6dc17c88b

SHA256
40ca7fb1b4c925a3fb6eb96ffa3ab08515b32d009813aaab582474c1d8bc9503

SHA512
5b01bde8fb7c6098bd2033304e8a9c3aad96e169bcb7dedd27eafb592eb4344a6313d8a3915ed5f3ee2574151d0471960a718a7b2ee4ec9afaa2553527503cca

Download Submit
\Users\Admin\AppData\Local\Temp\Raw Mass Iggy V1.1.exe

Filesize
552KB

MD5
a093b8f58814fcee37649848e5d08724

SHA1
9ac35b940ef19237f813f664394c5fcda547f352

SHA256
b931ef5fc13aec72ef0df1d4c044f21bd6235111ae0ec84f34d114eab2b73356

SHA512
94ff624c3d8860652919551d8434b789e10b274fbb6eaf32fb78523b6f7fc65b7b7640be58ff68ed5e28b8c48925f443df512b1f3946fa8c5c64ba48b644d05b

Download Submit
\Users\Admin\AppData\Local\Temp\Raw.exe

Filesize
716KB

MD5
032dcf7136f3cd91aae97db45b83da7c

SHA1
7ff937f3522585da02924e3e0389c0434ae900e6

SHA256
432abc572e1507932a0abbe9ee5533df97b5e7f96f5a11c7a820a251d93887f0

SHA512
0ea5c36ea6df323dbc7010ed51d079aecb953c77d9b0767fc2860680b42e3adb24cd6ea1a100b2a7ff5945db8be92cc938d27f3fe09b94b179017315c2afbf10

Download Submit
memory/2084-15-0x0000000002960000-0x0000000002AFB000-memory.dmp

Filesize
1.6MB

Download
memory/2084-10-0x0000000002960000-0x0000000002AFB000-memory.dmp

Filesize
1.6MB

Download
memory/2096-51-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/2096-53-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/2096-50-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/2352-16-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/2352-35-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/2352-42-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/3012-56-0x0000000004770000-0x000000000477E000-memory.dmp

Filesize
56KB

Download
memory/3012-66-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/3012-47-0x0000000004770000-0x000000000477E000-memory.dmp

Filesize
56KB

Download
memory/3012-43-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/3012-55-0x0000000004530000-0x0000000004538000-memory.dmp

Filesize
32KB

Download
memory/3012-54-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/3012-57-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/3012-60-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/3012-63-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/3012-52-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/3012-70-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/3012-73-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/3012-76-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/3012-79-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/3012-82-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/3012-85-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/3012-88-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/3012-91-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/3012-94-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads