modiloader | 1ee45a4e1b2d7a2f49858318ef228e834df6ba8808e73b0a9a0dd7a5d1b41286

Analysis

max time kernel
145s
max time network
134s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe
Size

1.6MB
MD5

18ecedd05a561043f3a0a4722e8a2020
SHA1

5133b1b6c6c59a9d84333111bd7cb03681eedf26
SHA256

1ee45a4e1b2d7a2f49858318ef228e834df6ba8808e73b0a9a0dd7a5d1b41286
SHA512

d40d2a23662b34b61a45c63e0ec25fae4ac1ec39cfbeac78d92ee7c50417245cafbe28a31ab46262d46519e932137dbb0e5eec6361995ee2485dd83032f0c6e6
SSDEEP

24576:KpVS6LqavBMtOqBYubxNwWklFiaKWjZbOR8K38lujuXg4kbOQ2K8+FXp:KpXvvU6uPmVt9xK383g4kF2Y

Score

10^/10

modiloader evasion persistence themida trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

services.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe

ModiLoader Second Stage 24 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2052-3-0x0000000000400000-0x00000000005C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2052-15-0x0000000000400000-0x00000000005C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2608-19-0x0000000000400000-0x00000000005C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2608-23-0x0000000000400000-0x00000000005C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2608-26-0x0000000000400000-0x00000000005C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2608-27-0x0000000000400000-0x00000000005C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2608-28-0x0000000000400000-0x00000000005C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2608-31-0x0000000000400000-0x00000000005C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2608-32-0x0000000000400000-0x00000000005C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2608-33-0x0000000000400000-0x00000000005C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2608-34-0x0000000000400000-0x00000000005C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2608-37-0x0000000000400000-0x00000000005C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2608-38-0x0000000000400000-0x00000000005C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2608-41-0x0000000000400000-0x00000000005C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2608-44-0x0000000000400000-0x00000000005C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2608-48-0x0000000000400000-0x00000000005C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2608-51-0x0000000000400000-0x00000000005C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2608-54-0x0000000000400000-0x00000000005C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2608-57-0x0000000000400000-0x00000000005C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2608-60-0x0000000000400000-0x00000000005C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2608-63-0x0000000000400000-0x00000000005C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2608-66-0x0000000000400000-0x00000000005C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2608-69-0x0000000000400000-0x00000000005C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2608-72-0x0000000000400000-0x00000000005C9000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

2608 services.exe

pid	process
2608	services.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exeservices.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Wine	18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Wine	services.exe

Themida packer 32 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2052-0-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2052-2-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2052-1-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2052-3-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
C:\Windows\services.exe	themida
behavioral1/memory/2052-13-0x00000000051A0000-0x0000000005369000-memory.dmp	themida
behavioral1/memory/2608-18-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2608-17-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2608-16-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2052-15-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2608-19-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2608-23-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2608-26-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2608-27-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2608-28-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2608-31-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2608-32-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2608-33-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2608-34-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2608-37-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2608-38-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2608-41-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2608-44-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2608-48-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2608-51-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2608-54-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2608-57-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2608-60-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2608-63-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2608-66-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2608-69-0x0000000000400000-0x00000000005C9000-memory.dmp	themida
behavioral1/memory/2608-72-0x0000000000400000-0x00000000005C9000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

services.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\services.exe" services.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\services.exe"	services.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

services.exe18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe

Drops file in Windows directory 4 IoCs

Processes:

18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exeservices.exe

description	ioc	process
File opened for modification	C:\Windows\services.exe	18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe
File created	C:\Windows\ntdtcstp.dll	services.exe
File created	C:\Windows\cmsetac.dll	services.exe
File created	C:\Windows\services.exe	18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exevssvc.exeservices.exe

description	pid	process
Token: SeDebugPrivilege	2052	18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe
Token: SeBackupPrivilege	2624	vssvc.exe
Token: SeRestorePrivilege	2624	vssvc.exe
Token: SeAuditPrivilege	2624	vssvc.exe
Token: SeDebugPrivilege	2608	services.exe
Token: SeDebugPrivilege	2608	services.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

services.exe

pid process

2608 services.exe
2608 services.exe

pid	process
2608	services.exe
2608	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe

description	pid	process	target process
PID 2052 wrote to memory of 2608	2052	18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe	services.exe
PID 2052 wrote to memory of 2608	2052	18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe	services.exe
PID 2052 wrote to memory of 2608	2052	18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe	services.exe
PID 2052 wrote to memory of 2608	2052	18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe	services.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

services.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" services.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18ecedd05a561043f3a0a4722e8a2020_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\services.exe
"C:\Windows\services.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2608

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2624

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\services.exe
Filesize
1.6MB

MD5
18ecedd05a561043f3a0a4722e8a2020

SHA1
5133b1b6c6c59a9d84333111bd7cb03681eedf26

SHA256
1ee45a4e1b2d7a2f49858318ef228e834df6ba8808e73b0a9a0dd7a5d1b41286

SHA512
d40d2a23662b34b61a45c63e0ec25fae4ac1ec39cfbeac78d92ee7c50417245cafbe28a31ab46262d46519e932137dbb0e5eec6361995ee2485dd83032f0c6e6

Download Submit
memory/2052-15-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2052-2-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2052-1-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2052-3-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2052-8-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/2052-13-0x00000000051A0000-0x0000000005369000-memory.dmp

Filesize
1.8MB

Download
memory/2052-0-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-28-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-33-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-17-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-19-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-24-0x0000000004650000-0x000000000465E000-memory.dmp

Filesize
56KB

Download
memory/2608-23-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-26-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-27-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-30-0x0000000004650000-0x000000000465E000-memory.dmp

Filesize
56KB

Download
memory/2608-29-0x0000000004500000-0x0000000004508000-memory.dmp

Filesize
32KB

Download
memory/2608-18-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-31-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-32-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-16-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-34-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-37-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-38-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-41-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-44-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-48-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-51-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-54-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-57-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-60-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-63-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-66-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-69-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2608-72-0x0000000000400000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download