modiloader | ca8e1a906664033cb29d998d053c86d9299f30929abcad4fb565c7c62a3e6e0b

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe
Size

485KB
MD5

19cecf434d6510005f4ef4ffd07489a7
SHA1

f2c75b32409b9e1edea4894637904cabd56de728
SHA256

ca8e1a906664033cb29d998d053c86d9299f30929abcad4fb565c7c62a3e6e0b
SHA512

bb52b987b4421a2e982aaaea8f49fc9a394820263c9027924f3574c9dad69ca457c64e30f41fb3622f8389eb95673d72efa6019b2dd2325b7a0a12ece694799f
SSDEEP

12288:0vwf5Vn6gSpWlHpr2yhe/zXFYGq60eVh1bCRREg:15VnSp0pr/+1YyVVh1eRRz

Score

10^/10

modiloader evasion persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

_D54D~1.EXE

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" _D54D~1.EXE
ModiLoader Second Stage 1 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\_D54D~1.EXE modiloader_stage2
Executes dropped EXE 2 IoCs

Processes:

مشفر من الافاست+الكاسبر2.exe_D54D~1.EXE

pid process

1804 مشفر من الافاست+الكاسبر2.exe
2320 _D54D~1.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	_D54D~1.EXE

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\_D54D~1.EXE	modiloader_stage2

pid	process
1804	مشفر من الافاست+الكاسبر2.exe
2320	_D54D~1.EXE

Loads dropped DLL 6 IoCs

Processes:

19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exeمشفر من الافاست+الكاسبر2.exe_D54D~1.EXE

pid	process
3040	19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe
1804	مشفر من الافاست+الكاسبر2.exe
1804	مشفر من الافاست+الكاسبر2.exe
2320	_D54D~1.EXE
2320	_D54D~1.EXE
2320	_D54D~1.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

مشفر من الافاست+الكاسبر2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	مشفر من الافاست+الكاسبر2.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

_D54D~1.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	_D54D~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	_D54D~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exeمشفر من الافاست+الكاسبر2.exe_D54D~1.EXE

description	pid	process
Token: 33	3040	19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3040	19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe
Token: 33	3040	19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3040	19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe
Token: 33	3040	19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3040	19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe
Token: 33	1804	مشفر من الافاست+الكاسبر2.exe
Token: SeIncBasePriorityPrivilege	1804	مشفر من الافاست+الكاسبر2.exe
Token: SeDebugPrivilege	2320	_D54D~1.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exeمشفر من الافاست+الكاسبر2.exe

description	pid	process	target process
PID 3040 wrote to memory of 1804	3040	19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe	مشفر من الافاست+الكاسبر2.exe
PID 3040 wrote to memory of 1804	3040	19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe	مشفر من الافاست+الكاسبر2.exe
PID 3040 wrote to memory of 1804	3040	19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe	مشفر من الافاست+الكاسبر2.exe
PID 3040 wrote to memory of 1804	3040	19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe	مشفر من الافاست+الكاسبر2.exe
PID 3040 wrote to memory of 1804	3040	19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe	مشفر من الافاست+الكاسبر2.exe
PID 3040 wrote to memory of 1804	3040	19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe	مشفر من الافاست+الكاسبر2.exe
PID 3040 wrote to memory of 1804	3040	19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe	مشفر من الافاست+الكاسبر2.exe
PID 1804 wrote to memory of 2320	1804	مشفر من الافاست+الكاسبر2.exe	_D54D~1.EXE
PID 1804 wrote to memory of 2320	1804	مشفر من الافاست+الكاسبر2.exe	_D54D~1.EXE
PID 1804 wrote to memory of 2320	1804	مشفر من الافاست+الكاسبر2.exe	_D54D~1.EXE
PID 1804 wrote to memory of 2320	1804	مشفر من الافاست+الكاسبر2.exe	_D54D~1.EXE
PID 1804 wrote to memory of 2320	1804	مشفر من الافاست+الكاسبر2.exe	_D54D~1.EXE
PID 1804 wrote to memory of 2320	1804	مشفر من الافاست+الكاسبر2.exe	_D54D~1.EXE
PID 1804 wrote to memory of 2320	1804	مشفر من الافاست+الكاسبر2.exe	_D54D~1.EXE

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

_D54D~1.EXE

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" _D54D~1.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	_D54D~1.EXE

C:\Users\Admin\AppData\Local\Temp\19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19cecf434d6510005f4ef4ffd07489a7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Microsoft® Windows® Operating System\6.00.2900.2180\1432.01.22T20.53\Virtual\STUBEXE\@APPDATALOCAL@\Temp\مشفر من الافاست+الكاسبر2.exe
"C:\Users\Admin\AppData\Local\Temp\مشفر من الافاست+الكاسبر2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Microsoft® Windows® Operating System\6.00.2900.2180\1432.01.22T20.53\Native\STUBEXE\@APPDATALOCAL@\Temp\IXP000.TMP\_D54D~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\_D54D~1.EXE
3⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2320

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\_D54D~1.EXE
Filesize
270KB

MD5
2d1b254f668f1debac0c359db4967727

SHA1
1fd3c82da7dcf2dfc60b4cca190d98f1e9bcdaec

SHA256
e640d3e43c0c0eab65ea0dd9b61a7f7dd05a1e398331f70770ae6251e8ca1d9b

SHA512
533389c088840c9607e5dc7f1a3ec61bdd06ee7ceb472000d58c3ddcc88b6e00dc93c8b0659cd472d93528b1ffc39255b83408ff1ef8f21832879f0c9ff136eb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmsetac.dll
Filesize
32KB

MD5
50f88fa1912c53e81e96300561bdc04f

SHA1
353c5218e53ebbc72fff5ec7e438fd2c35d343ae

SHA256
ca9efee52822b8ae28fff5571eadd37d32b5e16741083873aa8353697d7dd3e4

SHA512
9572884bc583988e7c17968058e27176e8f9dad2189fa76e4c86527997703bfa10aaee54e75d403b89b131bda6bf6af89a81af9d9ec9a93958d4d57110234a89

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ntdtcstp.dll
Filesize
7KB

MD5
4f5f71f478d62934e70e3e6f7d186f01

SHA1
211475c13aa59e5dfed87e351a4607824ba6b46a

SHA256
38da43c83c1aefcd095a6938ab55a79a00b1bab46e6955988a4dd33f0b784347

SHA512
f207597e271f9397c411e2046ce431a70c64500186f05b911261c5c338d5ff0cdf68294d912995ea5595df2af7e66fae9c61fdf9b8cf837cb85268877cc98295

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\Microsoft® Windows® Operating System\6.00.2900.2180\1432.01.22T20.53\Native\STUBEXE\@APPDATALOCAL@\Temp\IXP000.TMP\_D54D~1.EXE
Filesize
17KB

MD5
1bf583f51e952cebc47b79120dc74bbb

SHA1
e3816da53a88e86fe891cac2ecc492d807a6b68e

SHA256
64f317d52dfb9946884ade0c94e6e7ac20f0b56f55875f63d3930f34566483fc

SHA512
66af90f709dcf92b1b121b15ce6a54dc5bb2395c4e814ec40d4fc663d1318ea1f361f0416e32b749ec49b6718077357617dff382df19c1d98a3fd55d8b578d62

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\Microsoft® Windows® Operating System\6.00.2900.2180\1432.01.22T20.53\Virtual\STUBEXE\@APPDATALOCAL@\Temp\مشفر من الافاست+الكاسبر2.exe
Filesize
17KB

MD5
fb15206c0c0cc44af35506ea5243f403

SHA1
cf681accc8c189a4cc84a66ce1174c4279306ffa

SHA256
20495fe63dceda8532557f499a83ab7c9375d398341156dddedadae7fe4e792c

SHA512
295308ac36759a6c4ab80c68a030e371e7a438673732271281b6048a4f770197f50f24f5cca6f69a7ebf4dddd78671b307d348c5777a05d1dcae89052e88325c

Download Submit
memory/3040-36-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-193-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-1-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-0-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-16-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-18-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-46-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-20-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-22-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-24-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-26-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-28-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-30-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-32-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-38-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-14-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-34-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-3-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-64-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-62-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-60-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-58-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-56-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-54-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-52-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-50-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-48-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-44-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-42-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-40-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-6-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-5-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-8-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-10-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-12-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/3040-946-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download