modiloader | ed68d679c7ebc0a1b23b215cda2d370a0da53ca08a8d296ffda986a434ff6596

General

Target

03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
Size

279KB
MD5

03a2cf836e01c4bbda317dff5f0bc869
SHA1

9f0746dc4f9698b7b5916f4327bfb50e27ef73d8
SHA256

ed68d679c7ebc0a1b23b215cda2d370a0da53ca08a8d296ffda986a434ff6596
SHA512

aeb876ed448acd8a11d4d5da22fc92c1d755990bac4ac8935bfd52bd431d4c96a94c517c1d74f62be74a429c3eebc52e3d9d922919de66d8c7e1c0566e14c4db
SSDEEP

6144:nR0XMxh2JejPu6nDSCejtRbxZaBwoJjkE5Mx7xSw33V0dLOwm:OXMxhMebBDnSxE7jkIImFdm

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3700-25-0x0000000000400000-0x0000000000554000-memory.dmp	modiloader_stage2
behavioral2/memory/3516-26-0x0000000000400000-0x0000000000554000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1340 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

QQ.exe

pid process

3700 QQ.exe

pid	process
1340	cmd.exe

pid	process
3700	QQ.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\Y:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\K:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\U:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\S:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\T:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\M:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\Q:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\J:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\L:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\O:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\P:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\V:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\Z:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\G:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\H:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\E:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\I:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\N:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\R:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\W:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\X:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\A:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened (read-only)	\??\B:	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe

description	ioc	process
File created	C:\AutoRun.inf	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened for modification	C:\AutoRun.inf	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File created	F:\AutoRun.inf	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened for modification	F:\AutoRun.inf	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe

Drops file in Program Files directory 5 IoCs

Processes:

03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exeQQ.exe

description	ioc	process
File created	C:\Program Files\QQ.exe	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File opened for modification	C:\Program Files\QQ.exe	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\_QQ.exe	QQ.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\_QQ.exe	QQ.exe
File created	C:\Program Files\Delet.bat	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe

description	pid	process	target process
PID 3516 wrote to memory of 3700	3516	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe	QQ.exe
PID 3516 wrote to memory of 3700	3516	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe	QQ.exe
PID 3516 wrote to memory of 3700	3516	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe	QQ.exe
PID 3516 wrote to memory of 1340	3516	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe	cmd.exe
PID 3516 wrote to memory of 1340	3516	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe	cmd.exe
PID 3516 wrote to memory of 1340	3516	03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03a2cf836e01c4bbda317dff5f0bc869_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3516

C:\Program Files\QQ.exe
"C:\Program Files\QQ.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\Delet.bat""
2⤵
- Deletes itself
PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Delet.bat

Filesize
212B

MD5
3ddefddb59db6f68c8d4c1f85692098d

SHA1
83039aebf900ef91a7940615635804f29b5047e5

SHA256
c9b71afb94fd5ad66d8217f4b1702cce512539311c819b6fdd1834426f3662ca

SHA512
2432d2555549f02c6be07831b790c2818eed387eb1612c6cd7007b8908efd51524ea2b67f8b8c875329f1febdb57554598aedbbd35a933d8a146053f83b66cfc

Download Submit
F:\QQ.exe

Filesize
279KB

MD5
03a2cf836e01c4bbda317dff5f0bc869

SHA1
9f0746dc4f9698b7b5916f4327bfb50e27ef73d8

SHA256
ed68d679c7ebc0a1b23b215cda2d370a0da53ca08a8d296ffda986a434ff6596

SHA512
aeb876ed448acd8a11d4d5da22fc92c1d755990bac4ac8935bfd52bd431d4c96a94c517c1d74f62be74a429c3eebc52e3d9d922919de66d8c7e1c0566e14c4db

Download Submit
memory/3516-0-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3516-2-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/3516-1-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/3516-3-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/3516-26-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3700-17-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3700-18-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3700-24-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/3700-25-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads