modiloader | ed68d679c7ebc0a1b23b215cda2d370a0da53ca08a8d296ffda986a434ff6596

General

Target

03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
Size

279KB
MD5

03a2cf836e01c4bbda317dff5f0bc869
SHA1

9f0746dc4f9698b7b5916f4327bfb50e27ef73d8
SHA256

ed68d679c7ebc0a1b23b215cda2d370a0da53ca08a8d296ffda986a434ff6596
SHA512

aeb876ed448acd8a11d4d5da22fc92c1d755990bac4ac8935bfd52bd431d4c96a94c517c1d74f62be74a429c3eebc52e3d9d922919de66d8c7e1c0566e14c4db
SSDEEP

6144:nR0XMxh2JejPu6nDSCejtRbxZaBwoJjkE5Mx7xSw33V0dLOwm:OXMxhMebBDnSxE7jkIImFdm

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1960-30-0x0000000000400000-0x0000000000554000-memory.dmp	modiloader_stage2
behavioral1/memory/1684-31-0x0000000000400000-0x0000000000554000-memory.dmp	modiloader_stage2
behavioral1/memory/1960-39-0x0000000000400000-0x0000000000554000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2728 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

QQ.exe

pid process

1684 QQ.exe

pid	process
2728	cmd.exe

pid	process
1684	QQ.exe

Loads dropped DLL 5 IoCs

Processes:

03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exeWerFault.exe

pid	process
1960	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
1960	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
3040	WerFault.exe
3040	WerFault.exe
3040	WerFault.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\G:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\P:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\S:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\J:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\N:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\Q:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\V:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\W:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\X:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\Y:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\A:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\B:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\E:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\H:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\M:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\T:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\Z:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\I:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\K:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\L:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\O:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\R:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\U:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe

description	ioc	process
File created	C:\AutoRun.inf	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened for modification	C:\AutoRun.inf	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File created	F:\AutoRun.inf	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened for modification	F:\AutoRun.inf	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe

Drops file in Program Files directory 5 IoCs

Processes:

QQ.exe03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\_QQ.exe	QQ.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\_QQ.exe	QQ.exe
File created	C:\Program Files\Delet.bat	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File created	C:\Program Files\QQ.exe	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened for modification	C:\Program Files\QQ.exe	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3040 1684 WerFault.exe QQ.exe

pid	pid_target	process	target process
3040	1684	WerFault.exe	QQ.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exeQQ.exe

description	pid	process	target process
PID 1960 wrote to memory of 1684	1960	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe	QQ.exe
PID 1960 wrote to memory of 1684	1960	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe	QQ.exe
PID 1960 wrote to memory of 1684	1960	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe	QQ.exe
PID 1960 wrote to memory of 1684	1960	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe	QQ.exe
PID 1684 wrote to memory of 3040	1684	QQ.exe	WerFault.exe
PID 1684 wrote to memory of 3040	1684	QQ.exe	WerFault.exe
PID 1684 wrote to memory of 3040	1684	QQ.exe	WerFault.exe
PID 1684 wrote to memory of 3040	1684	QQ.exe	WerFault.exe
PID 1960 wrote to memory of 2728	1960	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe	cmd.exe
PID 1960 wrote to memory of 2728	1960	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe	cmd.exe
PID 1960 wrote to memory of 2728	1960	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe	cmd.exe
PID 1960 wrote to memory of 2728	1960	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1960

C:\Program Files\QQ.exe
"C:\Program Files\QQ.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 280
3⤵
- Loads dropped DLL
- Program crash
PID:3040

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\Delet.bat""
2⤵
- Deletes itself
PID:2728

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Delet.bat
Filesize
212B

MD5
3ddefddb59db6f68c8d4c1f85692098d

SHA1
83039aebf900ef91a7940615635804f29b5047e5

SHA256
c9b71afb94fd5ad66d8217f4b1702cce512539311c819b6fdd1834426f3662ca

SHA512
2432d2555549f02c6be07831b790c2818eed387eb1612c6cd7007b8908efd51524ea2b67f8b8c875329f1febdb57554598aedbbd35a933d8a146053f83b66cfc

Download Submit
F:\QQ.exe
Filesize
279KB

MD5
03a2cf836e01c4bbda317dff5f0bc869

SHA1
9f0746dc4f9698b7b5916f4327bfb50e27ef73d8

SHA256
ed68d679c7ebc0a1b23b215cda2d370a0da53ca08a8d296ffda986a434ff6596

SHA512
aeb876ed448acd8a11d4d5da22fc92c1d755990bac4ac8935bfd52bd431d4c96a94c517c1d74f62be74a429c3eebc52e3d9d922919de66d8c7e1c0566e14c4db

Download Submit
memory/1684-26-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1684-31-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1960-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1960-1-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1960-12-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1960-19-0x0000000003030000-0x0000000003184000-memory.dmp

Filesize
1.3MB

Download
memory/1960-20-0x0000000003030000-0x0000000003184000-memory.dmp

Filesize
1.3MB

Download
memory/1960-30-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1960-39-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads