modiloader | 3775055c9d9621dcad2f62df51bd7792e66249d6321acc5aebf6b0b5fd77b66a

Analysis

max time kernel
141s
max time network
119s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe
Size

711KB
MD5

185e71fc9ef71619e9d58b5f61808eb7
SHA1

4c43005754a0a93f8f8e7804d336c06ae5e30251
SHA256

3775055c9d9621dcad2f62df51bd7792e66249d6321acc5aebf6b0b5fd77b66a
SHA512

6f40a057093b7df229ef56ffbe93344adbecd5f4f415f3184d20baf93313554d6eba4ab317ffc874ee64bd4c315d5d109e4990b156e81a6a8214a84b32c16260
SSDEEP

12288:YUb/XsDwvZ6e3xdprcrRKOUcPlXg5YmtGCM1MTrTEFG/po5aT6fTScrD+RVfnVC+:pc0vIe5r+8ODPl/mt41MTjDT66x4

Score

10^/10

modiloader evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

NETWORK.EXE

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NETWORK.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NETWORK.EXE

ModiLoader Second Stage 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2704-39-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2704-37-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2704-35-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2704-31-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2704-33-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2704-44-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2704-45-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2704-53-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2704-59-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2704-64-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2704-68-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2704-72-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2704-76-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2704-80-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2704-84-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2704-88-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2704-92-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2704-96-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral1/memory/2704-100-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

NETWORK.EXENETWORK.EXE

pid process

2684 NETWORK.EXE
2704 NETWORK.EXE
Loads dropped DLL 6 IoCs

Processes:

185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exeNETWORK.EXENETWORK.EXEDllHost.exe

pid process

2484 185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe
2484 185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe
2684 NETWORK.EXE
2704 NETWORK.EXE
2704 NETWORK.EXE
2708 DllHost.exe

pid	process
2684	NETWORK.EXE
2704	NETWORK.EXE

pid	process
2484	185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe
2484	185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe
2684	NETWORK.EXE
2704	NETWORK.EXE
2704	NETWORK.EXE
2708	DllHost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\NETWORK.EXE	upx
behavioral1/memory/2484-16-0x0000000002D20000-0x0000000002DC9000-memory.dmp	upx
behavioral1/memory/2684-43-0x0000000000400000-0x00000000004A9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NETWORK.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\SysWOW64\\NETWORK.EXE"	NETWORK.EXE

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

NETWORK.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NETWORK.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NETWORK.EXE

AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.

Processes:

resource yara_rule

behavioral1/memory/2684-43-0x0000000000400000-0x00000000004A9000-memory.dmp autoit_exe

resource	yara_rule
behavioral1/memory/2684-43-0x0000000000400000-0x00000000004A9000-memory.dmp	autoit_exe

Drops file in System32 directory 4 IoCs

Processes:

NETWORK.EXE185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ntdtcstp.dll	NETWORK.EXE
File created	C:\Windows\SysWOW64\cmsetac.dll	NETWORK.EXE
File created	C:\Windows\SysWOW64\CNETWORK.EXE	185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NETWORK.EXE	185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

Processes:

185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exeDllHost.exe

description	ioc	process
File created	C:\Windows\CHOT-WOMEN-12.JPG	185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe
File created	C:\Windows\HOT-WOMEN-12.JPG	185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe
File opened for modification	C:\Windows\HOT-WOMEN-12.JPG	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

NETWORK.EXEDllHost.exe

description pid process

Token: SeDebugPrivilege 2704 NETWORK.EXE
Token: SeDebugPrivilege 2704 NETWORK.EXE
Token: SeDebugPrivilege 2708 DllHost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2708 DllHost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

NETWORK.EXE

pid process

2704 NETWORK.EXE
2704 NETWORK.EXE

description	pid	process
Token: SeDebugPrivilege	2704	NETWORK.EXE
Token: SeDebugPrivilege	2704	NETWORK.EXE
Token: SeDebugPrivilege	2708	DllHost.exe

pid	process
2708	DllHost.exe

pid	process
2704	NETWORK.EXE
2704	NETWORK.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exeNETWORK.EXE

description	pid	process	target process
PID 2484 wrote to memory of 2684	2484	185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe	NETWORK.EXE
PID 2484 wrote to memory of 2684	2484	185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe	NETWORK.EXE
PID 2484 wrote to memory of 2684	2484	185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe	NETWORK.EXE
PID 2484 wrote to memory of 2684	2484	185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe	NETWORK.EXE
PID 2684 wrote to memory of 2704	2684	NETWORK.EXE	NETWORK.EXE
PID 2684 wrote to memory of 2704	2684	NETWORK.EXE	NETWORK.EXE
PID 2684 wrote to memory of 2704	2684	NETWORK.EXE	NETWORK.EXE
PID 2684 wrote to memory of 2704	2684	NETWORK.EXE	NETWORK.EXE
PID 2684 wrote to memory of 2704	2684	NETWORK.EXE	NETWORK.EXE
PID 2684 wrote to memory of 2704	2684	NETWORK.EXE	NETWORK.EXE
PID 2684 wrote to memory of 2704	2684	NETWORK.EXE	NETWORK.EXE
PID 2684 wrote to memory of 2704	2684	NETWORK.EXE	NETWORK.EXE
PID 2684 wrote to memory of 2704	2684	NETWORK.EXE	NETWORK.EXE
PID 2684 wrote to memory of 2704	2684	NETWORK.EXE	NETWORK.EXE
PID 2684 wrote to memory of 2704	2684	NETWORK.EXE	NETWORK.EXE

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

NETWORK.EXE

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NETWORK.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NETWORK.EXE

C:\Users\Admin\AppData\Local\Temp\185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\SysWOW64\NETWORK.EXE
"C:\Windows\system32\NETWORK.EXE"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\SysWOW64\NETWORK.EXE
"C:\Windows\SysWOW64\NETWORK.EXE"
3⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2704

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2708

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\HOT-WOMEN-12.JPG
Filesize
51KB

MD5
a1f44bc00ad5d480377d35696e031259

SHA1
4bb9e34d5101aa49384957ff24c1ac05427ee2a2

SHA256
ec9a9599526746fcf5e0676a4624e4bdf8f1ad9a63e5578bab4a33294cb2318e

SHA512
077f0209b947143aab166cd2e8ba9d9499ecfcd8959b0e819ea65d72690d5f6c6c5acabdad604482dd66945b64cc21d486818afee09673b04abf0bfbcd0112ec

Download Submit
\Windows\SysWOW64\NETWORK.EXE
Filesize
532KB

MD5
56d696dac985a514549780b2e0333f4d

SHA1
a9106ed2916e892d1ad50c15a9258583fe8ed04a

SHA256
007c5c3fd08b78da7237638375eedd42993cb516206226439f4a253a301bc7b7

SHA512
dcd5f2a498202c64668085deb99fc81e9c0b9783d7be2d4b8e30e0b4c435c04eeb1eebee85c65182a1f3483c48dc8061845cbbfe730e9c0525e299fc784f7be0

Download Submit
\Windows\SysWOW64\cmsetac.dll
Filesize
33KB

MD5
4e1d9848139e02bc9459c33c543f2217

SHA1
346ca2e11efaf2cdd4c3cb1a8a5b56fd4a343d59

SHA256
4eee5030facd799af5e92a948ab7ab299f51d864696104f3f00b5a7bb89fa8f0

SHA512
272aff5956255fa3c6084abf6faf07196965feb54d01fc1e0bed7f0276854f216c70130ac0838efb1dbe5407abd5d0d8451922aafdeff9bc2fa0fdbdd3d9a8f6

Download Submit
\Windows\SysWOW64\ntdtcstp.dll
Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
memory/2484-0-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/2484-5-0x0000000002400000-0x0000000002510000-memory.dmp

Filesize
1.1MB

Download
memory/2484-6-0x00000000035A0000-0x00000000035A2000-memory.dmp

Filesize
8KB

Download
memory/2484-16-0x0000000002D20000-0x0000000002DC9000-memory.dmp

Filesize
676KB

Download
memory/2484-23-0x0000000002400000-0x0000000002510000-memory.dmp

Filesize
1.1MB

Download
memory/2484-24-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/2684-43-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2704-72-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2704-27-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2704-100-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2704-31-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2704-59-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2704-33-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2704-44-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2704-45-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2704-29-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2704-96-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2704-51-0x00000000022D0000-0x00000000022DE000-memory.dmp

Filesize
56KB

Download
memory/2704-61-0x00000000022D0000-0x00000000022DE000-memory.dmp

Filesize
56KB

Download
memory/2704-92-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2704-88-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2704-35-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2704-37-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2704-53-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2704-60-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/2704-84-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2704-64-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2704-68-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2704-39-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2704-76-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2704-80-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2708-62-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2708-7-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2708-56-0x0000000000710000-0x000000000071E000-memory.dmp

Filesize
56KB

Download
memory/2708-13-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2708-58-0x0000000000710000-0x000000000071E000-memory.dmp

Filesize
56KB

Download