modiloader | 3775055c9d9621dcad2f62df51bd7792e66249d6321acc5aebf6b0b5fd77b66a

Analysis

max time kernel
141s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe
Size

711KB
MD5

185e71fc9ef71619e9d58b5f61808eb7
SHA1

4c43005754a0a93f8f8e7804d336c06ae5e30251
SHA256

3775055c9d9621dcad2f62df51bd7792e66249d6321acc5aebf6b0b5fd77b66a
SHA512

6f40a057093b7df229ef56ffbe93344adbecd5f4f415f3184d20baf93313554d6eba4ab317ffc874ee64bd4c315d5d109e4990b156e81a6a8214a84b32c16260
SSDEEP

12288:YUb/XsDwvZ6e3xdprcrRKOUcPlXg5YmtGCM1MTrTEFG/po5aT6fTScrD+RVfnVC+:pc0vIe5r+8ODPl/mt41MTjDT66x4

Score

10^/10

modiloader evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

NETWORK.EXE

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NETWORK.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NETWORK.EXE

ModiLoader Second Stage 21 IoCs

Processes:

resource	yara_rule
behavioral2/memory/380-21-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/380-24-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/380-33-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/380-25-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/380-40-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/380-41-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/380-42-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/380-45-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/380-48-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/380-49-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/380-52-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/380-55-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/380-58-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/380-61-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/380-64-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/380-67-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/380-70-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/380-73-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/380-76-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/380-79-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2
behavioral2/memory/380-82-0x0000000000400000-0x000000000044B000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation 185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe
Executes dropped EXE 2 IoCs

Processes:

NETWORK.EXENETWORK.EXE

pid process

1580 NETWORK.EXE
380 NETWORK.EXE
Loads dropped DLL 4 IoCs

Processes:

NETWORK.EXE

pid process

380 NETWORK.EXE
380 NETWORK.EXE
380 NETWORK.EXE
380 NETWORK.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe

pid	process
1580	NETWORK.EXE
380	NETWORK.EXE

pid	process
380	NETWORK.EXE
380	NETWORK.EXE
380	NETWORK.EXE
380	NETWORK.EXE

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\NETWORK.EXE	upx
behavioral2/memory/1580-17-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral2/memory/1580-23-0x0000000000400000-0x00000000004A9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NETWORK.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\SysWOW64\\NETWORK.EXE"	NETWORK.EXE

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

NETWORK.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NETWORK.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NETWORK.EXE

AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.

Processes:

resource yara_rule

behavioral2/memory/1580-23-0x0000000000400000-0x00000000004A9000-memory.dmp autoit_exe

resource	yara_rule
behavioral2/memory/1580-23-0x0000000000400000-0x00000000004A9000-memory.dmp	autoit_exe

Drops file in System32 directory 4 IoCs

Processes:

NETWORK.EXE185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\cmsetac.dll	NETWORK.EXE
File created	C:\Windows\SysWOW64\CNETWORK.EXE	185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NETWORK.EXE	185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ntdtcstp.dll	NETWORK.EXE

Drops file in Windows directory 2 IoCs

Processes:

185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\CHOT-WOMEN-12.JPG	185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe
File created	C:\Windows\HOT-WOMEN-12.JPG	185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

NETWORK.EXE

description pid process

Token: SeDebugPrivilege 380 NETWORK.EXE
Token: SeDebugPrivilege 380 NETWORK.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

NETWORK.EXE

pid process

380 NETWORK.EXE
380 NETWORK.EXE

description	pid	process
Token: SeDebugPrivilege	380	NETWORK.EXE
Token: SeDebugPrivilege	380	NETWORK.EXE

pid	process
380	NETWORK.EXE
380	NETWORK.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exeNETWORK.EXE

description	pid	process	target process
PID 1652 wrote to memory of 1580	1652	185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe	NETWORK.EXE
PID 1652 wrote to memory of 1580	1652	185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe	NETWORK.EXE
PID 1652 wrote to memory of 1580	1652	185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe	NETWORK.EXE
PID 1580 wrote to memory of 380	1580	NETWORK.EXE	NETWORK.EXE
PID 1580 wrote to memory of 380	1580	NETWORK.EXE	NETWORK.EXE
PID 1580 wrote to memory of 380	1580	NETWORK.EXE	NETWORK.EXE
PID 1580 wrote to memory of 380	1580	NETWORK.EXE	NETWORK.EXE
PID 1580 wrote to memory of 380	1580	NETWORK.EXE	NETWORK.EXE
PID 1580 wrote to memory of 380	1580	NETWORK.EXE	NETWORK.EXE
PID 1580 wrote to memory of 380	1580	NETWORK.EXE	NETWORK.EXE
PID 1580 wrote to memory of 380	1580	NETWORK.EXE	NETWORK.EXE
PID 1580 wrote to memory of 380	1580	NETWORK.EXE	NETWORK.EXE
PID 1580 wrote to memory of 380	1580	NETWORK.EXE	NETWORK.EXE

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

NETWORK.EXE

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NETWORK.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NETWORK.EXE

C:\Users\Admin\AppData\Local\Temp\185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\185e71fc9ef71619e9d58b5f61808eb7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\NETWORK.EXE
"C:\Windows\system32\NETWORK.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\NETWORK.EXE
"C:\Windows\SysWOW64\NETWORK.EXE"
3⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4364,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=3856 /prefetch:8
1⤵
PID:3104

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\NETWORK.EXE
Filesize
532KB

MD5
56d696dac985a514549780b2e0333f4d

SHA1
a9106ed2916e892d1ad50c15a9258583fe8ed04a

SHA256
007c5c3fd08b78da7237638375eedd42993cb516206226439f4a253a301bc7b7

SHA512
dcd5f2a498202c64668085deb99fc81e9c0b9783d7be2d4b8e30e0b4c435c04eeb1eebee85c65182a1f3483c48dc8061845cbbfe730e9c0525e299fc784f7be0

Download Submit
C:\Windows\SysWOW64\cmsetac.dll
Filesize
33KB

MD5
4e1d9848139e02bc9459c33c543f2217

SHA1
346ca2e11efaf2cdd4c3cb1a8a5b56fd4a343d59

SHA256
4eee5030facd799af5e92a948ab7ab299f51d864696104f3f00b5a7bb89fa8f0

SHA512
272aff5956255fa3c6084abf6faf07196965feb54d01fc1e0bed7f0276854f216c70130ac0838efb1dbe5407abd5d0d8451922aafdeff9bc2fa0fdbdd3d9a8f6

Download Submit
C:\Windows\SysWOW64\ntdtcstp.dll
Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
memory/380-44-0x00000000033E0000-0x00000000033EE000-memory.dmp

Filesize
56KB

Download
memory/380-64-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/380-43-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/380-24-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/380-45-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/380-82-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/380-33-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/380-25-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/380-37-0x00000000033E0000-0x00000000033EE000-memory.dmp

Filesize
56KB

Download
memory/380-40-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/380-79-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/380-48-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/380-42-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/380-76-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/380-21-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/380-73-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/380-41-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/380-49-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/380-52-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/380-55-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/380-58-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/380-61-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/380-70-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/380-67-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1580-23-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1580-17-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1652-19-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/1652-0-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/1652-2-0x00000000028E0000-0x00000000029D0000-memory.dmp

Filesize
960KB

Download