modiloader | 44523c55625993a786873e2ff8fcec8a09733b1d62bb8bbe3ba70472630fc531

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe
Size

271KB
MD5

18b9ffa8777c84994dd00d55d1d9f279
SHA1

67687a599890925fd59698e574b9f4d27b5ea33e
SHA256

44523c55625993a786873e2ff8fcec8a09733b1d62bb8bbe3ba70472630fc531
SHA512

92872fb6c9ce0e3ff12393c4e735f59c5edd4db2dd86980b58d021c499dfb0d0b8608f87493c4f169106501b48f2fb84f80cfac19d8fb87cbf8c0971247cd232
SSDEEP

6144:Wpq2BEEea7c8L7C7FB+P72WfxX2iGZTbIeLFLjs3glZ4Z:WgqEEea7tL7C7LxWffGvjeglZ4Z

Score

10^/10

modiloader evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

msvcnu32.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" msvcnu32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msvcnu32.exe

ModiLoader Second Stage 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2528-49-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2752-56-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2752-61-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2752-65-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2752-69-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2752-73-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2752-78-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2752-82-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2752-86-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2752-90-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2752-94-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2752-98-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2752-102-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2752-106-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral1/memory/2752-110-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2

Executes dropped EXE 4 IoCs

Processes:

57553.exe34979.exesvchost.exemsvcnu32.exe

pid process

2468 57553.exe
2528 34979.exe
2808 svchost.exe
2752 msvcnu32.exe
Loads dropped DLL 4 IoCs

Processes:

57553.exe34979.exe

pid process

2468 57553.exe
2468 57553.exe
2468 57553.exe
2528 34979.exe

pid	process
2468	57553.exe
2528	34979.exe
2808	svchost.exe
2752	msvcnu32.exe

pid	process
2468	57553.exe
2468	57553.exe
2468	57553.exe
2528	34979.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\34979.exe	upx
behavioral1/memory/2528-21-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2528-49-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2752-56-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2752-61-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2752-65-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2752-69-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2752-73-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2752-78-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2752-82-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2752-86-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2752-90-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2752-94-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2752-98-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2752-102-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2752-106-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral1/memory/2752-110-0x0000000000400000-0x0000000000450000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

57553.exemsvcnu32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe"	57553.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\msvcnu32 = "C:\\Windows\\msvcnu32.exe"	msvcnu32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

34979.exemsvcnu32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	34979.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msvcnu32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msvcnu32.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

34979.exemsvcnu32.exe

description	ioc	process
File created	C:\Windows\msvcnu32.exe	34979.exe
File opened for modification	C:\Windows\msvcnu32.exe	34979.exe
File created	C:\Windows\ntdtcstp.dll	msvcnu32.exe
File created	C:\Windows\cmsetac.dll	msvcnu32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

34979.exevssvc.exemsvcnu32.exe

description	pid	process
Token: SeDebugPrivilege	2528	34979.exe
Token: SeBackupPrivilege	2624	vssvc.exe
Token: SeRestorePrivilege	2624	vssvc.exe
Token: SeAuditPrivilege	2624	vssvc.exe
Token: SeDebugPrivilege	2752	msvcnu32.exe
Token: SeDebugPrivilege	2752	msvcnu32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

msvcnu32.exe

pid process

2752 msvcnu32.exe
2752 msvcnu32.exe

pid	process
2752	msvcnu32.exe
2752	msvcnu32.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe57553.exe34979.exe

description	pid	process	target process
PID 3028 wrote to memory of 2468	3028	18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe	57553.exe
PID 3028 wrote to memory of 2468	3028	18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe	57553.exe
PID 3028 wrote to memory of 2468	3028	18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe	57553.exe
PID 3028 wrote to memory of 2468	3028	18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe	57553.exe
PID 3028 wrote to memory of 2528	3028	18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe	34979.exe
PID 3028 wrote to memory of 2528	3028	18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe	34979.exe
PID 3028 wrote to memory of 2528	3028	18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe	34979.exe
PID 3028 wrote to memory of 2528	3028	18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe	34979.exe
PID 2468 wrote to memory of 2808	2468	57553.exe	svchost.exe
PID 2468 wrote to memory of 2808	2468	57553.exe	svchost.exe
PID 2468 wrote to memory of 2808	2468	57553.exe	svchost.exe
PID 2468 wrote to memory of 2808	2468	57553.exe	svchost.exe
PID 2528 wrote to memory of 2752	2528	34979.exe	msvcnu32.exe
PID 2528 wrote to memory of 2752	2528	34979.exe	msvcnu32.exe
PID 2528 wrote to memory of 2752	2528	34979.exe	msvcnu32.exe
PID 2528 wrote to memory of 2752	2528	34979.exe	msvcnu32.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

msvcnu32.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" msvcnu32.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msvcnu32.exe

C:\Users\Admin\AppData\Local\Temp\18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3028

C:\Users\Admin\AppData\Local\Temp\57553.exe
"C:\Users\Admin\AppData\Local\Temp\57553.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2468

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
3⤵
- Executes dropped EXE
- Enumerates connected drives
PID:2808

C:\Users\Admin\AppData\Local\Temp\34979.exe
"C:\Users\Admin\AppData\Local\Temp\34979.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\msvcnu32.exe
"C:\Windows\msvcnu32.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2624

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\34979.exe
Filesize
109KB

MD5
3a1f155b71223ef8f617d73b2aad273b

SHA1
57df3e31536ac258e01c2f66c980468b83313f1f

SHA256
898250c781d1a65e41db8817d02f11955d28215c9d432c06260706863a1b4921

SHA512
56678ba5afc8e63884f3e568e9297b7f88e904376b2cafc763f9d01b544f1d1a6fa5cf18f33205fbffa1c65a8c9cfb49f251976903f20520ee43698f077e112c

Download Submit
C:\Users\Admin\AppData\Local\Temp\57553.exe
Filesize
142KB

MD5
35aff1b50d81dbcd833b6c23ee192894

SHA1
85ef9c2be6669a2ee8b52988b1ecc50cac5f7f3b

SHA256
8f2fa965e1ef653c1f2514d8a5a234ca7fb5a26d101f815f98adbf4307643e79

SHA512
1530072a370c3ceb3e0d9428feeb4eea342604911f2f1963c905a09aa53aaec5707bcf72f70b86f577e4d7834c4101c2377abd4e1d02fff91d5cf647e44faafb

Download Submit
memory/2468-34-0x0000000003400000-0x0000000003429000-memory.dmp

Filesize
164KB

Download
memory/2468-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2468-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2468-26-0x0000000003400000-0x0000000003410000-memory.dmp

Filesize
64KB

Download
memory/2468-35-0x0000000003400000-0x0000000003429000-memory.dmp

Filesize
164KB

Download
memory/2528-49-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2528-42-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/2528-21-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2752-86-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2752-73-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2752-110-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2752-106-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2752-102-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2752-53-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/2752-98-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2752-56-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2752-57-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/2752-58-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/2752-94-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2752-61-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2752-90-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2752-65-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2752-82-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2752-69-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2752-78-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2808-64-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2808-101-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2808-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2808-81-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2808-68-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2808-85-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2808-93-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2808-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2808-72-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2808-109-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2808-97-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2808-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2808-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2808-77-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2808-105-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3028-2-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-8-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-22-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-0-0x000007FEF599E000-0x000007FEF599F000-memory.dmp

Filesize
4KB

Download