modiloader | 4baa31b982caf138fe41ad2549fe661103b3115a9834eb83d608713067f17e98

General

Target

JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe
Size

316KB
MD5

82769264acdda208929c9ca2dfcfa756
SHA1

1258576fb14376229c37b9bee584014757228405
SHA256

4baa31b982caf138fe41ad2549fe661103b3115a9834eb83d608713067f17e98
SHA512

632c1708a45614e4b17bbab08d504ccf3f3ecd10a32debb98ec916de63f2a49a7493f6dc560994cd0a004de50ef69e63557f5b37e7b0e8318c490f5448e26e91
SSDEEP

6144:b/0uoof1debxrOo4Ap3Ft7cacLOdrc4WgW76F3iaCp/C:bJj1debxrOO/gacLOdrctgK6Nup/C

Score

10^/10

modiloader discovery evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msn23.exe

ModiLoader Second Stage 16 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023cd9-21.dat	modiloader_stage2
behavioral2/memory/3528-32-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1452-52-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1452-55-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1452-58-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1452-61-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1452-64-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1452-67-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1452-70-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1452-73-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1452-76-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1452-79-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1452-82-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1452-85-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1452-88-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/1452-91-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	ArquivoSecundario.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	foto3.bat

Executes dropped EXE 5 IoCs

pid	Process
2024	ARQUIVO.EXE
212	ArquivoPrimario.exe
4520	ArquivoSecundario.exe
3528	foto3.bat
1452	msn23.exe

Loads dropped DLL 6 IoCs

pid	Process
1452	msn23.exe
1452	msn23.exe
1452	msn23.exe
1452	msn23.exe
212	ArquivoPrimario.exe
212	ArquivoPrimario.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msn23 = "C:\\Windows\\msn23.exe"	msn23.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	foto3.bat
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msn23.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msn23.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\cmsetac.dll	msn23.exe
File created	C:\Windows\msn23.exe	foto3.bat
File opened for modification	C:\Windows\msn23.exe	foto3.bat
File created	C:\Windows\ntdtcstp.dll	msn23.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArquivoSecundario.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	foto3.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARQUIVO.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArquivoPrimario.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3528	foto3.bat
Token: SeBackupPrivilege	4352	vssvc.exe
Token: SeRestorePrivilege	4352	vssvc.exe
Token: SeAuditPrivilege	4352	vssvc.exe
Token: SeDebugPrivilege	1452	msn23.exe
Token: SeDebugPrivilege	1452	msn23.exe
Token: SeDebugPrivilege	212	ArquivoPrimario.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2024	ARQUIVO.EXE
1452	msn23.exe
1452	msn23.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 2024	3108	JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe	83
PID 3108 wrote to memory of 2024	3108	JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe	83
PID 3108 wrote to memory of 2024	3108	JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe	83
PID 2024 wrote to memory of 212	2024	ARQUIVO.EXE	84
PID 2024 wrote to memory of 212	2024	ARQUIVO.EXE	84
PID 2024 wrote to memory of 212	2024	ARQUIVO.EXE	84
PID 2024 wrote to memory of 4520	2024	ARQUIVO.EXE	85
PID 2024 wrote to memory of 4520	2024	ARQUIVO.EXE	85
PID 2024 wrote to memory of 4520	2024	ARQUIVO.EXE	85
PID 4520 wrote to memory of 3528	4520	ArquivoSecundario.exe	86
PID 4520 wrote to memory of 3528	4520	ArquivoSecundario.exe	86
PID 4520 wrote to memory of 3528	4520	ArquivoSecundario.exe	86
PID 3528 wrote to memory of 1452	3528	foto3.bat	90
PID 3528 wrote to memory of 1452	3528	foto3.bat	90
PID 3528 wrote to memory of 1452	3528	foto3.bat	90

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msn23.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82769264acdda208929c9ca2dfcfa756.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ARQUIVO.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ARQUIVO.EXE
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ArquivoPrimario.exe
    ArquivoPrimario.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:212
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ArquivoSecundario.exe
    ArquivoSecundario.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Users\Admin\AppData\Local\Temp\foto3.bat
      "C:\Users\Admin\AppData\Local\Temp\foto3.bat"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3528
    - - C:\Windows\msn23.exe
        
        "C:\Windows\msn23.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1452

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ARQUIVO.EXE

Filesize
365KB

MD5
7f50c824cab4b27167e02bde0fa935b0

SHA1
043d77d7f08cbb57c1e306f8c9b6f208a6bbe11f

SHA256
1e5f801f8e58dbde81c35f7dea66f71f2a719cf803faa83c280702b4ff003f31

SHA512
5b854607b6f66a2806b9af1df042757a541a8bb9370725ebb5ec151cca19fbeac8c5fc83380b95df5b52f419b509fc810f2dba1e68d3258ba5a360d5d78d8ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ArquivoPrimario.exe

Filesize
129KB

MD5
6cea0342972a909df2b23d29776fc929

SHA1
b6e9164dd667d396ef37b060f57b73f1422571c0

SHA256
5dc5a8e071ac99f6c65ac7c6a817d890be231eb138aa027e40bc8cb842714b9f

SHA512
3ee621e4e96b93340185c7ccde1fbce58eab982bb7a23d84ba17dcb9919b70760f73c2926d264da26858433bd50611a5d801e34cde32c8b52197f53bdfcd49c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ArquivoSecundario.exe

Filesize
211KB

MD5
66bd28e4234d2a4608e10218c7338ab5

SHA1
2b442d3342027f8755380010852620a385eb4769

SHA256
bd0e22518bc19fc6ec597d45107c977a62af85bf8600df6793704d4f563d5e3e

SHA512
cae7d56e991a161be0b023a231ba335d002aae7c2f17456e1c4720a026684bc1a9ca40f246a04eafe13ee3b2be974788f855c3f83265f0758c374dd25d548a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\foto3.bat

Filesize
270KB

MD5
7b5f1429485222465b36c6246828ecde

SHA1
2985afffd049285e4ada0711f196a046565fa6db

SHA256
f338625fef25ee0551000bf67c01971839a7e2c056c4dcf68be290e64ee31e1e

SHA512
ad2d9d029547349acdf2236277697b2da68826cf9cb661de2640666df1fafcf359f8957583e5e6553b69ba8731b06de02dab25c6a92e82225bcc1c3fca568435

Download Submit
C:\Windows\cmsetac.dll

Filesize
33KB

MD5
a9d635b572166225b5da25979837923d

SHA1
c37bec1b3f69077ce9d95745e3b9bb7c2ff5a4db

SHA256
3d354eb117b25a7e53f5507e18601b474b7f6e5ecfb27b3c1c8c744180bca644

SHA512
d943a36f188bfb03b6afd1f27fa06d7dbce2c10f65f820b7b110a714af806c1b0cb60620ae6f28b070ed0f9955635f5640964f323216543514613afd953215c2

Download Submit
C:\Windows\ntdtcstp.dll

Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
memory/212-49-0x0000000003430000-0x000000000343E000-memory.dmp

Filesize
56KB

Download
memory/212-51-0x0000000003430000-0x000000000343E000-memory.dmp

Filesize
56KB

Download
memory/212-50-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/212-47-0x0000000003430000-0x000000000343E000-memory.dmp

Filesize
56KB

Download
memory/212-48-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1452-52-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1452-64-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1452-91-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1452-88-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1452-53-0x0000000000780000-0x0000000000788000-memory.dmp

Filesize
32KB

Download
memory/1452-54-0x00000000030E0000-0x00000000030EE000-memory.dmp

Filesize
56KB

Download
memory/1452-55-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1452-58-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1452-61-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1452-42-0x00000000030E0000-0x00000000030EE000-memory.dmp

Filesize
56KB

Download
memory/1452-67-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1452-70-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1452-73-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1452-76-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1452-79-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1452-82-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1452-85-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3528-32-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4520-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads