modiloader | 49508a3ffd45f5dc5ca81655f0861ae8222329a7f7bf2f58efba1f8db5980160

Analysis

max time kernel
143s
max time network
145s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe
Size

781KB
MD5

25c023f3b929b3ea1267bc3369407c23
SHA1

ccdefda67f17b302a79a5215dd0aabe24af3eaab
SHA256

49508a3ffd45f5dc5ca81655f0861ae8222329a7f7bf2f58efba1f8db5980160
SHA512

bdc2b0b988b9a4d41cc1a8183ee5bd912c1cb16b6f661551c5f90d1fbdb5b1343b677ba419107141bc9c6f3205dc02fe1ee72e578f77158722b0df82abedac01
SSDEEP

24576:agIdOJwxcdy3IqhkU8CrO4WoSqiaEdThi0n1:pJwGyfRK4WoS5aEDi0n

Score

10^/10

modiloader evasion themida trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe

ModiLoader Second Stage 28 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2428-1-0x0000000000401000-0x000000000041C000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-2-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-10-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-9-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-8-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-15-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-14-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-16-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-5-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-17-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-18-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-21-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-22-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-23-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-26-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-27-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-28-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-31-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-34-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-37-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-40-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-43-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-46-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-49-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-52-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-55-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-58-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2
behavioral1/memory/2428-61-0x0000000000400000-0x00000000005AC000-memory.dmp	modiloader_stage2

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine 25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe
Loads dropped DLL 2 IoCs

Processes:

25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe

pid process

2428 25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe
2428 25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine	25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe

pid	process
2428	25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe
2428	25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe

Themida packer 28 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2428-0-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-2-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-10-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-9-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-8-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-15-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-14-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-16-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-5-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-17-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-18-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-21-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-22-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-23-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-26-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-27-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-28-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-31-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-34-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-37-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-40-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-43-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-46-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-49-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-52-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-55-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-58-0x0000000000400000-0x00000000005AC000-memory.dmp	themida
behavioral1/memory/2428-61-0x0000000000400000-0x00000000005AC000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe

pid process

2428 25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe

pid process

2428 25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2428 25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe
Token: SeDebugPrivilege 2428 25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe

pid process

2428 25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe
2428 25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe
System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe

pid	process
2428	25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe

pid	process
2428	25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2428	25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe
Token: SeDebugPrivilege	2428	25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe

pid	process
2428	25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe
2428	25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25c023f3b929b3ea1267bc3369407c23_JaffaCakes118.exe"
1⤵
- UAC bypass
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2428

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\cmsetac.dll
Filesize
33KB

MD5
9c0ad1429e55318e88240a75519e4e30

SHA1
54a4111663a00a481897f73b5d9fc1efae18399e

SHA256
0cf71000596776eb07d652bd33060aa887b904b09b8d5dcf7aea03b9719e8686

SHA512
e6d775de0527125a2269202fb69c528ec0e4bfa7cdebf408fa7b0668504657d2c386587c66bcde8484a5302169f0effc318d31c10824e721be40df7deb2c37de

Download Submit
\Users\Admin\AppData\Local\Temp\ntdtcstp.dll
Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
memory/2428-19-0x0000000000690000-0x0000000000698000-memory.dmp

Filesize
32KB

Download
memory/2428-55-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-10-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-9-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-8-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-12-0x0000000004770000-0x000000000477E000-memory.dmp

Filesize
56KB

Download
memory/2428-22-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-15-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-14-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-16-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-5-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-17-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-18-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-20-0x0000000004770000-0x000000000477E000-memory.dmp

Filesize
56KB

Download
memory/2428-61-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-2-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-1-0x0000000000401000-0x000000000041C000-memory.dmp

Filesize
108KB

Download
memory/2428-23-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-26-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-27-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-28-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-31-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-34-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-37-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-40-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-43-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-46-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-49-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-52-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-21-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-58-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2428-0-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download