modiloader | 4f56bb368527d96479d4e729281dd79ca5a578f07c6e2e1731c9e3a829ebed18

General

Target

e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
Size

651KB
MD5

e876293a9810ec0ecfc601ea46085bcc
SHA1

66f49924fcd15d3abcf81fc5d2cf7892a6312cd7
SHA256

4f56bb368527d96479d4e729281dd79ca5a578f07c6e2e1731c9e3a829ebed18
SHA512

f2d0efcf16f3ac8701a1ab8ec1c1a7293ca3017f38fa2328e3a2feed6d18c9361d56c2bbab7c5e9e7ddec0d687e63edf79bc1973cf3d39e631938137d44fa926
SSDEEP

12288:1JT0tLyhfG2VwLkmoJtR1DNeLjctaiEqXOKF3Z4mxxC7sIcOa/Y91TVKFy:1JAtLEG2mImoJiItaij5QmXssINwr4

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/1612-36-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2
behavioral2/memory/3860-39-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
3860	svhosv.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened (read-only)	\??\K:	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened (read-only)	\??\B:	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened (read-only)	\??\Q:	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened (read-only)	\??\S:	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened (read-only)	\??\W:	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened (read-only)	\??\T:	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened (read-only)	\??\G:	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened (read-only)	\??\I:	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened (read-only)	\??\L:	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened (read-only)	\??\M:	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened (read-only)	\??\N:	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened (read-only)	\??\O:	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened (read-only)	\??\R:	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened (read-only)	\??\Y:	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened (read-only)	\??\Z:	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened (read-only)	\??\A:	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened (read-only)	\??\H:	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened (read-only)	\??\J:	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened (read-only)	\??\P:	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened (read-only)	\??\U:	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened (read-only)	\??\V:	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened (read-only)	\??\X:	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\AutoRun.inf	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened for modification	C:\AutoRun.inf	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File created	F:\AutoRun.inf	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened for modification	F:\AutoRun.inf	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_svhosv.exe	svhosv.exe
File opened for modification	C:\Windows\SysWOW64\_svhosv.exe	svhosv.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\svhosv.exe	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File opened for modification	C:\Windows\svhosv.exe	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
File created	C:\Windows\ReDelBat.bat	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1128	3860	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhosv.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 3860	1612	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe	82
PID 1612 wrote to memory of 3860	1612	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe	82
PID 1612 wrote to memory of 3860	1612	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe	82
PID 3860 wrote to memory of 4588	3860	svhosv.exe	83
PID 3860 wrote to memory of 4588	3860	svhosv.exe	83
PID 3860 wrote to memory of 4588	3860	svhosv.exe	83
PID 1612 wrote to memory of 856	1612	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe	89
PID 1612 wrote to memory of 856	1612	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe	89
PID 1612 wrote to memory of 856	1612	e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e876293a9810ec0ecfc601ea46085bcc_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\svhosv.exe
  C:\Windows\svhosv.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:4588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 696
    3⤵
    - Program crash
    PID:1128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\ReDelBat.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3860 -ip 3860
1⤵
PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ReDelBat.bat

Filesize
212B

MD5
0545be25bed9bc01900c984e8fe4ca11

SHA1
22efc551bd2b4795d2e42f1bd30051489b7b645c

SHA256
7472bb618c67988ecdd4e82eabff7fba776dce699d9cf7f75e97dad496f59edb

SHA512
e5d2759bf4b1e6798f6003baeaec5f316e16c3feda72e133c312233c993e9fda580a7b690f7f1b9e59417aab9b7063b5355721ed77df7e8b47934f01b1d4e30f

Download Submit
F:\svhosv.exe

Filesize
651KB

MD5
e876293a9810ec0ecfc601ea46085bcc

SHA1
66f49924fcd15d3abcf81fc5d2cf7892a6312cd7

SHA256
4f56bb368527d96479d4e729281dd79ca5a578f07c6e2e1731c9e3a829ebed18

SHA512
f2d0efcf16f3ac8701a1ab8ec1c1a7293ca3017f38fa2328e3a2feed6d18c9361d56c2bbab7c5e9e7ddec0d687e63edf79bc1973cf3d39e631938137d44fa926

Download Submit
memory/1612-11-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/1612-7-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1612-17-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1612-16-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/1612-14-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/1612-15-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1612-13-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/1612-12-0x00000000034C0000-0x00000000034C3000-memory.dmp

Filesize
12KB

Download
memory/1612-0-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1612-10-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1612-9-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1612-8-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/1612-3-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/1612-6-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1612-5-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/1612-4-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/1612-2-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/1612-36-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1612-37-0x00000000023A0000-0x00000000023F4000-memory.dmp

Filesize
336KB

Download
memory/1612-1-0x00000000023A0000-0x00000000023F4000-memory.dmp

Filesize
336KB

Download
memory/3860-39-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads