modiloader | 285583228a9e072db82596fa638112f176bd8e18431d89dbe7ce71fac7327eea

General

Target

02690209598094f7456576472f275353_JaffaCakes118.exe
Size

714KB
MD5

02690209598094f7456576472f275353
SHA1

25b6e41dd50b092db750ed0367aecbf3572e7dd8
SHA256

285583228a9e072db82596fa638112f176bd8e18431d89dbe7ce71fac7327eea
SHA512

3877968ae4510b540f22796510c932e2cb027b77d44802023ca00c8f29c0577caafd39fba652abf33be132a2eb8293f236258ebdd89bb22d2229d87a7e7be405
SSDEEP

12288:Q1GzKgUNf3b+DZXgQ1ItATME9zzJXeJ6cjy0CTFq54gxePdfD1piOe6XOWjlZkI:MgGyXb1DzzJQeiaVfr8WjlmI

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2976-28-0x0000000000400000-0x00000000004BA200-memory.dmp	modiloader_stage2
behavioral2/memory/960-29-0x0000000000400000-0x00000000004BA200-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

Windovs.exe

pid process

2976 Windovs.exe

pid	process
2976	Windovs.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

02690209598094f7456576472f275353_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\Z:	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened (read-only)	\??\B:	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened (read-only)	\??\I:	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened (read-only)	\??\U:	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened (read-only)	\??\L:	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened (read-only)	\??\N:	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened (read-only)	\??\O:	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened (read-only)	\??\P:	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened (read-only)	\??\R:	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened (read-only)	\??\H:	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened (read-only)	\??\J:	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened (read-only)	\??\K:	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened (read-only)	\??\X:	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened (read-only)	\??\Y:	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened (read-only)	\??\Q:	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened (read-only)	\??\S:	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened (read-only)	\??\W:	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened (read-only)	\??\A:	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened (read-only)	\??\E:	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened (read-only)	\??\M:	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened (read-only)	\??\G:	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened (read-only)	\??\T:	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened (read-only)	\??\V:	02690209598094f7456576472f275353_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

02690209598094f7456576472f275353_JaffaCakes118.exe

description	ioc	process
File created	C:\AutoRun.inf	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened for modification	C:\AutoRun.inf	02690209598094f7456576472f275353_JaffaCakes118.exe
File created	F:\AutoRun.inf	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened for modification	F:\AutoRun.inf	02690209598094f7456576472f275353_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

Processes:

Windovs.exe

description ioc process

File created C:\Windows\SysWOW64\_Windovs.exe Windovs.exe
File opened for modification C:\Windows\SysWOW64\_Windovs.exe Windovs.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Windovs.exe

description pid process target process

PID 2976 set thread context of 3728 2976 Windovs.exe calc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_Windovs.exe	Windovs.exe
File opened for modification	C:\Windows\SysWOW64\_Windovs.exe	Windovs.exe

description	pid	process	target process
PID 2976 set thread context of 3728	2976	Windovs.exe	calc.exe

Drops file in Program Files directory 3 IoCs

Processes:

02690209598094f7456576472f275353_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Windovs.exe	02690209598094f7456576472f275353_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Windovs.exe	02690209598094f7456576472f275353_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat	02690209598094f7456576472f275353_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4556 3728 WerFault.exe calc.exe

pid	pid_target	process	target process
4556	3728	WerFault.exe	calc.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

02690209598094f7456576472f275353_JaffaCakes118.exeWindovs.exe

description	pid	process	target process
PID 960 wrote to memory of 2976	960	02690209598094f7456576472f275353_JaffaCakes118.exe	Windovs.exe
PID 960 wrote to memory of 2976	960	02690209598094f7456576472f275353_JaffaCakes118.exe	Windovs.exe
PID 960 wrote to memory of 2976	960	02690209598094f7456576472f275353_JaffaCakes118.exe	Windovs.exe
PID 2976 wrote to memory of 3728	2976	Windovs.exe	calc.exe
PID 2976 wrote to memory of 3728	2976	Windovs.exe	calc.exe
PID 2976 wrote to memory of 3728	2976	Windovs.exe	calc.exe
PID 2976 wrote to memory of 3728	2976	Windovs.exe	calc.exe
PID 2976 wrote to memory of 3728	2976	Windovs.exe	calc.exe
PID 2976 wrote to memory of 1212	2976	Windovs.exe	IEXPLORE.EXE
PID 2976 wrote to memory of 1212	2976	Windovs.exe	IEXPLORE.EXE
PID 960 wrote to memory of 2472	960	02690209598094f7456576472f275353_JaffaCakes118.exe	cmd.exe
PID 960 wrote to memory of 2472	960	02690209598094f7456576472f275353_JaffaCakes118.exe	cmd.exe
PID 960 wrote to memory of 2472	960	02690209598094f7456576472f275353_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\02690209598094f7456576472f275353_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02690209598094f7456576472f275353_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:960

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Windovs.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\Windovs.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\SysWOW64\calc.exe
"C:\Windows\system32\calc.exe"
3⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 12
4⤵
- Program crash
PID:4556

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
3⤵
PID:1212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat""
2⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3728 -ip 3728
1⤵
PID:3152

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat
Filesize
212B

MD5
29e27cf2a153083f1f229e481aef8185

SHA1
651bec91e5e72c4c2001dd694905edd5c19bc76f

SHA256
5faa3b4f5a756cad780cec7bf87301a50217d9ee35331bec2258e4ff86e31d9d

SHA512
674d00461bb000c92dc08b5223d2a632b7b02ab223b7fdafe0bda2a05541bd31892f9a4e85c358b5bdeefb67230dd49c41929a48d655e423e0e7130bba47e7f5

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\Windovs.exe
Filesize
714KB

MD5
02690209598094f7456576472f275353

SHA1
25b6e41dd50b092db750ed0367aecbf3572e7dd8

SHA256
285583228a9e072db82596fa638112f176bd8e18431d89dbe7ce71fac7327eea

SHA512
3877968ae4510b540f22796510c932e2cb027b77d44802023ca00c8f29c0577caafd39fba652abf33be132a2eb8293f236258ebdd89bb22d2229d87a7e7be405

Download Submit
memory/960-0-0x0000000000400000-0x00000000004BA200-memory.dmp

Filesize
744KB

Download
memory/960-15-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/960-29-0x0000000000400000-0x00000000004BA200-memory.dmp

Filesize
744KB

Download
memory/2976-18-0x0000000000400000-0x00000000004BA200-memory.dmp

Filesize
744KB

Download
memory/2976-20-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2976-28-0x0000000000400000-0x00000000004BA200-memory.dmp

Filesize
744KB

Download
memory/3728-23-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads