modiloader | 1179dd347199681ce02d866318334c68f037bc724d07947e0e1d4cf9ccbb8570

General

Target

0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
Size

653KB
MD5

0245250c780e0ad87323a53648b73169
SHA1

2a0f12a862636cf57e82efe866b17771d90dd1f7
SHA256

1179dd347199681ce02d866318334c68f037bc724d07947e0e1d4cf9ccbb8570
SHA512

eb2d7287dc8b9d2fca6adfc59216565d8cd4708b35267a077dbcd1b3cb727d5870d18c7dfe2210cebf65d296a1ee4843ea8bbde3f8f0b990ec9df22fc0f40b4f
SSDEEP

12288:veWsIzogM8CprD9Zok+Q2AI4ctF3Z4mxxTlSlJF7LAHhg5P+Ao:vSgM8U3/ok+PtQmXTGJlLAq5PZo

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/864-37-0x0000000000400000-0x000000000051D000-memory.dmp	modiloader_stage2
behavioral2/memory/864-45-0x0000000000400000-0x000000000051D000-memory.dmp	modiloader_stage2
behavioral2/memory/864-49-0x0000000000400000-0x000000000051D000-memory.dmp	modiloader_stage2
behavioral2/memory/4772-52-0x0000000000400000-0x000000000051D000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

gk123.exe

pid process

4772 gk123.exe

pid	process
4772	gk123.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0245250c780e0ad87323a53648b73169_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\B:	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened (read-only)	\??\L:	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened (read-only)	\??\N:	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened (read-only)	\??\Q:	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened (read-only)	\??\W:	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened (read-only)	\??\Y:	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened (read-only)	\??\I:	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened (read-only)	\??\J:	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened (read-only)	\??\M:	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened (read-only)	\??\S:	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened (read-only)	\??\X:	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened (read-only)	\??\U:	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened (read-only)	\??\V:	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened (read-only)	\??\Z:	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened (read-only)	\??\A:	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened (read-only)	\??\G:	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened (read-only)	\??\O:	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened (read-only)	\??\R:	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened (read-only)	\??\T:	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened (read-only)	\??\E:	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened (read-only)	\??\H:	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened (read-only)	\??\K:	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened (read-only)	\??\P:	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

0245250c780e0ad87323a53648b73169_JaffaCakes118.exe

description	ioc	process
File created	C:\AutoRun.inf	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened for modification	C:\AutoRun.inf	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File created	F:\AutoRun.inf	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened for modification	F:\AutoRun.inf	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

Processes:

gk123.exe

description ioc process

File created C:\Windows\SysWOW64\_gk123.exe gk123.exe
File opened for modification C:\Windows\SysWOW64\_gk123.exe gk123.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

gk123.exe

description pid process target process

PID 4772 set thread context of 4264 4772 gk123.exe calc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_gk123.exe	gk123.exe
File opened for modification	C:\Windows\SysWOW64\_gk123.exe	gk123.exe

description	pid	process	target process
PID 4772 set thread context of 4264	4772	gk123.exe	calc.exe

Drops file in Program Files directory 3 IoCs

Processes:

0245250c780e0ad87323a53648b73169_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\gk123.exe	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\gk123.exe	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SxDel.bat	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5108 4264 WerFault.exe calc.exe
220 4772 WerFault.exe gk123.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

calc.exe

pid process

4264 calc.exe

pid	pid_target	process	target process
5108	4264	WerFault.exe	calc.exe
220	4772	WerFault.exe	gk123.exe

pid	process
4264	calc.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

0245250c780e0ad87323a53648b73169_JaffaCakes118.exegk123.exe

description	pid	process	target process
PID 864 wrote to memory of 4772	864	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe	gk123.exe
PID 864 wrote to memory of 4772	864	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe	gk123.exe
PID 864 wrote to memory of 4772	864	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe	gk123.exe
PID 4772 wrote to memory of 4264	4772	gk123.exe	calc.exe
PID 4772 wrote to memory of 4264	4772	gk123.exe	calc.exe
PID 4772 wrote to memory of 4264	4772	gk123.exe	calc.exe
PID 4772 wrote to memory of 4264	4772	gk123.exe	calc.exe
PID 4772 wrote to memory of 4264	4772	gk123.exe	calc.exe
PID 4772 wrote to memory of 3968	4772	gk123.exe	IEXPLORE.EXE
PID 4772 wrote to memory of 3968	4772	gk123.exe	IEXPLORE.EXE
PID 864 wrote to memory of 4408	864	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe	cmd.exe
PID 864 wrote to memory of 4408	864	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe	cmd.exe
PID 864 wrote to memory of 4408	864	0245250c780e0ad87323a53648b73169_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0245250c780e0ad87323a53648b73169_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0245250c780e0ad87323a53648b73169_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:864

C:\Program Files\Common Files\Microsoft Shared\MSINFO\gk123.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\gk123.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\SysWOW64\calc.exe
"C:\Windows\system32\calc.exe"
3⤵
- Suspicious use of UnmapMainImage
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 12
4⤵
- Program crash
PID:5108

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
3⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 688
3⤵
- Program crash
PID:220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SxDel.bat""
2⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4264 -ip 4264
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4772 -ip 4772
1⤵
PID:5072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3988 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\SxDel.bat

Filesize
212B

MD5
f471bf8b55083128f5032f2d9716e4b3

SHA1
77b51dcfe5047b818ff5ded482bc6966242c609f

SHA256
7bf00b6e5397a3db6f0aa265ba2a3d196f6223a178e28941430b785af671beb8

SHA512
2e5e6fc6a07cda8701120491adfa1609030df65152166d310729a04eff59eebe1d10daa61d3262633119eac2720c9afa4c71b7b0219693b5ff8a53c62188b05d

Download Submit
F:\gk123.exe

Filesize
653KB

MD5
0245250c780e0ad87323a53648b73169

SHA1
2a0f12a862636cf57e82efe866b17771d90dd1f7

SHA256
1179dd347199681ce02d866318334c68f037bc724d07947e0e1d4cf9ccbb8570

SHA512
eb2d7287dc8b9d2fca6adfc59216565d8cd4708b35267a077dbcd1b3cb727d5870d18c7dfe2210cebf65d296a1ee4843ea8bbde3f8f0b990ec9df22fc0f40b4f

Download Submit
memory/864-18-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/864-11-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/864-12-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/864-19-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/864-15-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/864-22-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/864-9-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/864-8-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/864-7-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/864-6-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/864-5-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/864-4-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/864-3-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/864-2-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/864-17-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/864-16-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/864-0-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/864-14-0x00000000034C0000-0x00000000034C3000-memory.dmp

Filesize
12KB

Download
memory/864-10-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/864-21-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/864-20-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/864-23-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/864-24-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/864-13-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/864-1-0x00000000022F0000-0x0000000002344000-memory.dmp

Filesize
336KB

Download
memory/864-37-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/864-50-0x00000000022F0000-0x0000000002344000-memory.dmp

Filesize
336KB

Download
memory/864-49-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/864-45-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/864-46-0x00000000022F0000-0x0000000002344000-memory.dmp

Filesize
336KB

Download
memory/4264-43-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4772-40-0x0000000000830000-0x0000000000884000-memory.dmp

Filesize
336KB

Download
memory/4772-39-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4772-52-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4772-53-0x0000000000830000-0x0000000000884000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads