modiloader | dc9b0fde10b71811649cacff9df5f4dd3ae6bdad9c0a15a61a08307b3ef85ae9

General

Target

0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
Size

735KB
MD5

0011ab6aa3a9e60818f1f9ed52ad2ba4
SHA1

2f02682435f4cca4db253ce5cf62681e1fcdaac4
SHA256

dc9b0fde10b71811649cacff9df5f4dd3ae6bdad9c0a15a61a08307b3ef85ae9
SHA512

6dca42276c2f2e4a5f572cb0ce99641a134a7b19f0a8bb4e319f23bf5aca7deccfcb5090a150f041b6b55324a590d29dc76e5a6b698c1e77cc6a52a67eda40d0
SSDEEP

12288:LmX53uzH4EDA3IVOT7kb66rQ8DOs+BPWx7u+88YwXThK:Lm5mH4HIVOT7y6n2KBqC3wXTs

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
F:\WINSYS.exe	modiloader_stage2
behavioral1/memory/2444-19-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/2924-27-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2628 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

WINSYS.exe

pid process

2444 WINSYS.exe
Loads dropped DLL 2 IoCs

Processes:

0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe

pid process

2924 0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
2924 0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe

pid	process
2628	cmd.exe

pid	process
2444	WINSYS.exe

pid	process
2924	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
2924	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\H:	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only)	\??\J:	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only)	\??\K:	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only)	\??\T:	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only)	\??\U:	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only)	\??\V:	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only)	\??\L:	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only)	\??\N:	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only)	\??\Q:	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only)	\??\R:	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only)	\??\Z:	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only)	\??\Y:	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only)	\??\A:	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only)	\??\E:	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only)	\??\M:	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only)	\??\P:	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only)	\??\S:	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only)	\??\W:	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only)	\??\B:	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only)	\??\G:	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only)	\??\I:	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only)	\??\O:	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened (read-only)	\??\X:	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe

description	ioc	process
File created	C:\AutoRun.inf	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened for modification	C:\AutoRun.inf	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File created	F:\AutoRun.inf	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened for modification	F:\AutoRun.inf	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

Processes:

0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exeWINSYS.exe

description	ioc	process
File created	C:\Windows\SysWOW64\SgotoDel.bat	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WINSYS.exe	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WINSYS.exe	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WINSYS.exe	WINSYS.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe

description	pid	process	target process
PID 2924 wrote to memory of 2444	2924	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe	WINSYS.exe
PID 2924 wrote to memory of 2444	2924	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe	WINSYS.exe
PID 2924 wrote to memory of 2444	2924	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe	WINSYS.exe
PID 2924 wrote to memory of 2444	2924	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe	WINSYS.exe
PID 2924 wrote to memory of 2628	2924	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe	cmd.exe
PID 2924 wrote to memory of 2628	2924	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe	cmd.exe
PID 2924 wrote to memory of 2628	2924	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe	cmd.exe
PID 2924 wrote to memory of 2628	2924	0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\WINSYS.exe
C:\Windows\system32\WINSYS.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2444

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\SgotoDel.bat
2⤵
- Deletes itself
PID:2628

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\SgotoDel.bat
Filesize
212B

MD5
5b053b7070308a45bd73a0dec287e9a5

SHA1
e0d0d334e01600823acab55ba2a2fae361628222

SHA256
977cc3a8e8af5da50b463841f7b8ce81dd05b07ed7959b98dde00d70cd293097

SHA512
64c1778e97d4a3f39f26b5bd82d7e4bfbf038cd61a7a2c766d3a77c8872703b53619c7a70d9948416e899fd2845d22b9487f52e153f824942b599c5ed5171880

Download Submit
F:\WINSYS.exe
Filesize
735KB

MD5
0011ab6aa3a9e60818f1f9ed52ad2ba4

SHA1
2f02682435f4cca4db253ce5cf62681e1fcdaac4

SHA256
dc9b0fde10b71811649cacff9df5f4dd3ae6bdad9c0a15a61a08307b3ef85ae9

SHA512
6dca42276c2f2e4a5f572cb0ce99641a134a7b19f0a8bb4e319f23bf5aca7deccfcb5090a150f041b6b55324a590d29dc76e5a6b698c1e77cc6a52a67eda40d0

Download Submit
memory/2444-19-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2924-4-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2924-27-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads