modiloader | 1cf07e726eddce3d3866d6170b440e23b5e0cd867b41e3a4bc17c482a3f1ed63

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

178bfbc47f1a00b54b84d5d7212a9c1f_JaffaCakes118.exe
Size

139KB
MD5

178bfbc47f1a00b54b84d5d7212a9c1f
SHA1

3630547cd03382308ad3517220b5f7bf59be11c5
SHA256

1cf07e726eddce3d3866d6170b440e23b5e0cd867b41e3a4bc17c482a3f1ed63
SHA512

5bc71bbbb842bb94d272ed7f609c9ee13dcbb0da8ee0273d99e8e60e2cb731c947172c507b0b708f30cb636edbbac0d5f014f04deb8f252f632fec600974642d
SSDEEP

3072:qwpEg9z1MSU2l04B9SdZpa7QnYPLb+90j3YGgB/6W3Lqw:qy1MSjC4vS0EQ20jIGgF6W3Lqw

Score

10^/10

modiloader evasion trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

178bfbc47f1a00b54b84d5d7212a9c1f_JaffaCakes118.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 178bfbc47f1a00b54b84d5d7212a9c1f_JaffaCakes118.exe

ModiLoader Second Stage 17 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1368-1-0x0000000000400000-0x000000000046EAC7-memory.dmp	modiloader_stage2
behavioral2/memory/1368-2-0x0000000000400000-0x000000000046EAC7-memory.dmp	modiloader_stage2
behavioral2/memory/1368-18-0x0000000000400000-0x000000000046EAC7-memory.dmp	modiloader_stage2
behavioral2/memory/1368-21-0x0000000000400000-0x000000000046EAC7-memory.dmp	modiloader_stage2
behavioral2/memory/1368-23-0x0000000000400000-0x000000000046EAC7-memory.dmp	modiloader_stage2
behavioral2/memory/1368-26-0x0000000000400000-0x000000000046EAC7-memory.dmp	modiloader_stage2
behavioral2/memory/1368-29-0x0000000000400000-0x000000000046EAC7-memory.dmp	modiloader_stage2
behavioral2/memory/1368-32-0x0000000000400000-0x000000000046EAC7-memory.dmp	modiloader_stage2
behavioral2/memory/1368-35-0x0000000000400000-0x000000000046EAC7-memory.dmp	modiloader_stage2
behavioral2/memory/1368-38-0x0000000000400000-0x000000000046EAC7-memory.dmp	modiloader_stage2
behavioral2/memory/1368-41-0x0000000000400000-0x000000000046EAC7-memory.dmp	modiloader_stage2
behavioral2/memory/1368-44-0x0000000000400000-0x000000000046EAC7-memory.dmp	modiloader_stage2
behavioral2/memory/1368-47-0x0000000000400000-0x000000000046EAC7-memory.dmp	modiloader_stage2
behavioral2/memory/1368-50-0x0000000000400000-0x000000000046EAC7-memory.dmp	modiloader_stage2
behavioral2/memory/1368-53-0x0000000000400000-0x000000000046EAC7-memory.dmp	modiloader_stage2
behavioral2/memory/1368-56-0x0000000000400000-0x000000000046EAC7-memory.dmp	modiloader_stage2
behavioral2/memory/1368-59-0x0000000000400000-0x000000000046EAC7-memory.dmp	modiloader_stage2

Loads dropped DLL 4 IoCs

Processes:

178bfbc47f1a00b54b84d5d7212a9c1f_JaffaCakes118.exe

pid	process
1368	178bfbc47f1a00b54b84d5d7212a9c1f_JaffaCakes118.exe
1368	178bfbc47f1a00b54b84d5d7212a9c1f_JaffaCakes118.exe
1368	178bfbc47f1a00b54b84d5d7212a9c1f_JaffaCakes118.exe
1368	178bfbc47f1a00b54b84d5d7212a9c1f_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

178bfbc47f1a00b54b84d5d7212a9c1f_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	178bfbc47f1a00b54b84d5d7212a9c1f_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	178bfbc47f1a00b54b84d5d7212a9c1f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

178bfbc47f1a00b54b84d5d7212a9c1f_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 1368 178bfbc47f1a00b54b84d5d7212a9c1f_JaffaCakes118.exe
Token: SeDebugPrivilege 1368 178bfbc47f1a00b54b84d5d7212a9c1f_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

178bfbc47f1a00b54b84d5d7212a9c1f_JaffaCakes118.exe

pid process

1368 178bfbc47f1a00b54b84d5d7212a9c1f_JaffaCakes118.exe
1368 178bfbc47f1a00b54b84d5d7212a9c1f_JaffaCakes118.exe
System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

178bfbc47f1a00b54b84d5d7212a9c1f_JaffaCakes118.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 178bfbc47f1a00b54b84d5d7212a9c1f_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1368	178bfbc47f1a00b54b84d5d7212a9c1f_JaffaCakes118.exe
Token: SeDebugPrivilege	1368	178bfbc47f1a00b54b84d5d7212a9c1f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\178bfbc47f1a00b54b84d5d7212a9c1f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\178bfbc47f1a00b54b84d5d7212a9c1f_JaffaCakes118.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1368

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cmsetac.dll
Filesize
33KB

MD5
b38c0f49c3785a9e75708aa1eb24d19f

SHA1
23e23ce0580ebac36475fcdaa20dd80e055b1823

SHA256
7a3b49657e632db1d19bd572272b42eb9c21c3d2ac2c61e5fd0078ed39e226e3

SHA512
b82859ef012909aef6306fc43ce78ba3ec04ff611eef84a473c85b154de8de8869c7c5cf69ea3601de24b2b07a41097a7955c0dcb61a873e7d8478d594c1fefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntdtcstp.dll
Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
memory/1368-21-0x0000000000400000-0x000000000046EAC7-memory.dmp

Filesize
442KB

Download
memory/1368-53-0x0000000000400000-0x000000000046EAC7-memory.dmp

Filesize
442KB

Download
memory/1368-4-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/1368-2-0x0000000000400000-0x000000000046EAC7-memory.dmp

Filesize
442KB

Download
memory/1368-0-0x0000000000400000-0x000000000046EAC7-memory.dmp

Filesize
442KB

Download
memory/1368-15-0x0000000004860000-0x000000000486E000-memory.dmp

Filesize
56KB

Download
memory/1368-18-0x0000000000400000-0x000000000046EAC7-memory.dmp

Filesize
442KB

Download
memory/1368-20-0x0000000004860000-0x000000000486E000-memory.dmp

Filesize
56KB

Download
memory/1368-19-0x0000000004700000-0x0000000004708000-memory.dmp

Filesize
32KB

Download
memory/1368-22-0x0000000004710000-0x0000000004711000-memory.dmp

Filesize
4KB

Download
memory/1368-59-0x0000000000400000-0x000000000046EAC7-memory.dmp

Filesize
442KB

Download
memory/1368-3-0x00000000020A0000-0x00000000020A2000-memory.dmp

Filesize
8KB

Download
memory/1368-32-0x0000000000400000-0x000000000046EAC7-memory.dmp

Filesize
442KB

Download
memory/1368-29-0x0000000000400000-0x000000000046EAC7-memory.dmp

Filesize
442KB

Download
memory/1368-26-0x0000000000400000-0x000000000046EAC7-memory.dmp

Filesize
442KB

Download
memory/1368-35-0x0000000000400000-0x000000000046EAC7-memory.dmp

Filesize
442KB

Download
memory/1368-38-0x0000000000400000-0x000000000046EAC7-memory.dmp

Filesize
442KB

Download
memory/1368-41-0x0000000000400000-0x000000000046EAC7-memory.dmp

Filesize
442KB

Download
memory/1368-44-0x0000000000400000-0x000000000046EAC7-memory.dmp

Filesize
442KB

Download
memory/1368-47-0x0000000000400000-0x000000000046EAC7-memory.dmp

Filesize
442KB

Download
memory/1368-50-0x0000000000400000-0x000000000046EAC7-memory.dmp

Filesize
442KB

Download
memory/1368-23-0x0000000000400000-0x000000000046EAC7-memory.dmp

Filesize
442KB

Download
memory/1368-56-0x0000000000400000-0x000000000046EAC7-memory.dmp

Filesize
442KB

Download
memory/1368-1-0x0000000000400000-0x000000000046EAC7-memory.dmp

Filesize
442KB

Download