modiloader | 80b3e72e4afc7b991d75c4856b3dda29af7e40c89359e7b785313433370af74f

General

Target

JaffaCakes118_0052736572d7fda392ee10163208ade6.exe
Size

2.0MB
MD5

0052736572d7fda392ee10163208ade6
SHA1

8e293b8fb835f147b9c26593203070d0120c41d2
SHA256

80b3e72e4afc7b991d75c4856b3dda29af7e40c89359e7b785313433370af74f
SHA512

1f9bf6d13796a9b07f6db6720a982f1a7b0457665709d1439bb8e954c584327fa9862f99a7c1d7db526be3d6041bc8d2cc124454ec01381f125557b75c6bcdde
SSDEEP

49152:gTqpChd62wwRSzHn8nv3Io8PU/F/9MMMMMMMMMMMMMMMMMMMsXrIqOLQ:KmS+H8nv3IjGFMMMMMMMMMMMMMMMMMMr

Score

10^/10

modiloader defense_evasion discovery themida trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/2356-38-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2356-40-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2356	Teste.exe

Loads dropped DLL 2 IoCs

pid	Process
2304	JaffaCakes118_0052736572d7fda392ee10163208ade6.exe
2304	JaffaCakes118_0052736572d7fda392ee10163208ade6.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2304-4-0x0000000000400000-0x000000000060C000-memory.dmp	themida
behavioral1/memory/2304-8-0x0000000000400000-0x000000000060C000-memory.dmp	themida
behavioral1/memory/2304-9-0x0000000000400000-0x000000000060C000-memory.dmp	themida
behavioral1/memory/2304-23-0x0000000000400000-0x000000000060C000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Teste.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001878c-11.dat	upx
behavioral1/memory/2356-21-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2356-38-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2356-40-0x0000000000400000-0x0000000000450000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\mstwain32.exe	Teste.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0052736572d7fda392ee10163208ade6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Teste.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2208	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2304	JaffaCakes118_0052736572d7fda392ee10163208ade6.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2356	Teste.exe
Token: SeBackupPrivilege	2788	vssvc.exe
Token: SeRestorePrivilege	2788	vssvc.exe
Token: SeAuditPrivilege	2788	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2356	Teste.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2208	WINWORD.EXE
2208	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2356	2304	JaffaCakes118_0052736572d7fda392ee10163208ade6.exe	30
PID 2304 wrote to memory of 2356	2304	JaffaCakes118_0052736572d7fda392ee10163208ade6.exe	30
PID 2304 wrote to memory of 2356	2304	JaffaCakes118_0052736572d7fda392ee10163208ade6.exe	30
PID 2304 wrote to memory of 2356	2304	JaffaCakes118_0052736572d7fda392ee10163208ade6.exe	30
PID 2304 wrote to memory of 2208	2304	JaffaCakes118_0052736572d7fda392ee10163208ade6.exe	33
PID 2304 wrote to memory of 2208	2304	JaffaCakes118_0052736572d7fda392ee10163208ade6.exe	33
PID 2304 wrote to memory of 2208	2304	JaffaCakes118_0052736572d7fda392ee10163208ade6.exe	33
PID 2304 wrote to memory of 2208	2304	JaffaCakes118_0052736572d7fda392ee10163208ade6.exe	33
PID 2208 wrote to memory of 1364	2208	WINWORD.EXE	37
PID 2208 wrote to memory of 1364	2208	WINWORD.EXE	37
PID 2208 wrote to memory of 1364	2208	WINWORD.EXE	37
PID 2208 wrote to memory of 1364	2208	WINWORD.EXE	37

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0052736572d7fda392ee10163208ade6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0052736572d7fda392ee10163208ade6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\Teste.exe
  "C:\Users\Admin\AppData\Local\Temp\Teste.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2356
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Centrossomas.docx"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1364

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Centrossomas.docx

Filesize
221KB

MD5
f69066904aeb5def4b94d20ab2db76e4

SHA1
a728c9372634f4dcc663d7a3b46572278918a1e4

SHA256
36cb075de9584bb60ae9036de18383b10e1fb82d059a3aa69ddf7e4b5d3b914b

SHA512
3f1b2a22e35fc55293f6fee848ca922a333c437130f9a0f35ff4fad2c1d1268b9e89c799210beefd13f5d9b57f7c8bf203162043fea080eed86b8f898e2f938d

Download Submit
\Users\Admin\AppData\Local\Temp\Teste.exe

Filesize
107KB

MD5
ec73d500489956d2bec672cc244e0020

SHA1
27ce22b0f7037598cd9541dee7c092f14d41f940

SHA256
b87a3e94283a9537e57814d6dc48a01a7fc4c750f1ad1c4cb703ec41ff360332

SHA512
4f097b30d9b8d053edd26720e308de5c2133d3d6d5eb71532c13da68410e5c59721d4ff29aa43236f542eeec0360b1814f97d00014fb2aeca38fbbba7f2bca03

Download Submit
memory/2208-41-0x0000000070FAD000-0x0000000070FB8000-memory.dmp

Filesize
44KB

Download
memory/2208-26-0x0000000070FAD000-0x0000000070FB8000-memory.dmp

Filesize
44KB

Download
memory/2208-25-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2208-24-0x000000002F581000-0x000000002F582000-memory.dmp

Filesize
4KB

Download
memory/2304-8-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2304-17-0x0000000005290000-0x00000000052E0000-memory.dmp

Filesize
320KB

Download
memory/2304-20-0x0000000005290000-0x00000000052E0000-memory.dmp

Filesize
320KB

Download
memory/2304-23-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2304-9-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2304-1-0x0000000001E60000-0x0000000001F4C000-memory.dmp

Filesize
944KB

Download
memory/2304-4-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2304-2-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/2304-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2356-21-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2356-37-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2356-38-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2356-40-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing