modiloader | 2c274ef3bea34e0756c2836888d093b3c52c6da2e440d4a017493ee1b79e4aa4

General

Target

fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
Size

648KB
MD5

fd28e6f968efaff2170f76262e7dd86b
SHA1

80dee08f414e41cba7de218b6948f4fa9025224c
SHA256

2c274ef3bea34e0756c2836888d093b3c52c6da2e440d4a017493ee1b79e4aa4
SHA512

6b607ca66ef6746d67010e03f60612f6390ba1774da8020c5d9c304bb613676a22a24ebe5b1120d0513e588db50fa490a5b7cb4a00ad8743eaece147ec970190
SSDEEP

12288:mwIEEcTZ81hP5Y/VMPVGjvj9HLcAFuK8YF3Z4mxxZnI3A6oMSiim0n:muBTy3m/VEGjvjtLDvQmXFI1Si8n

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral2/memory/2956-47-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2
behavioral2/memory/2956-46-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2
behavioral2/memory/2360-53-0x0000000000400000-0x0000000000516000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2360	rejoice101.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened (read-only)	\??\Q:	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened (read-only)	\??\W:	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened (read-only)	\??\Z:	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened (read-only)	\??\M:	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened (read-only)	\??\T:	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened (read-only)	\??\X:	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened (read-only)	\??\A:	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened (read-only)	\??\E:	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened (read-only)	\??\K:	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened (read-only)	\??\L:	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened (read-only)	\??\V:	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened (read-only)	\??\B:	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened (read-only)	\??\G:	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened (read-only)	\??\O:	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened (read-only)	\??\S:	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened (read-only)	\??\R:	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened (read-only)	\??\U:	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened (read-only)	\??\Y:	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened (read-only)	\??\H:	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened (read-only)	\??\I:	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened (read-only)	\??\J:	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened (read-only)	\??\P:	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\AutoRun.inf	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened for modification	C:\AutoRun.inf	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File created	F:\AutoRun.inf	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened for modification	F:\AutoRun.inf	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_rejoice101.exe	rejoice101.exe
File opened for modification	C:\Windows\SysWOW64\_rejoice101.exe	rejoice101.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2360 set thread context of 3652	2360	rejoice101.exe	90

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SxingDel.bat	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3140	2360	WerFault.exe	89
1816	3652	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rejoice101.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2360	2956	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe	89
PID 2956 wrote to memory of 2360	2956	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe	89
PID 2956 wrote to memory of 2360	2956	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe	89
PID 2360 wrote to memory of 3652	2360	rejoice101.exe	90
PID 2360 wrote to memory of 3652	2360	rejoice101.exe	90
PID 2360 wrote to memory of 3652	2360	rejoice101.exe	90
PID 2360 wrote to memory of 3652	2360	rejoice101.exe	90
PID 2360 wrote to memory of 3652	2360	rejoice101.exe	90
PID 2360 wrote to memory of 4148	2360	rejoice101.exe	92
PID 2360 wrote to memory of 4148	2360	rejoice101.exe	92
PID 2956 wrote to memory of 4544	2956	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe	97
PID 2956 wrote to memory of 4544	2956	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe	97
PID 2956 wrote to memory of 4544	2956	fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe	97

C:\Users\Admin\AppData\Local\Temp\fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd28e6f968efaff2170f76262e7dd86b_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:3652
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 12
      4⤵
      Program crash
      PID:1816
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:4148
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 688
    3⤵
    - Program crash
    PID:3140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SxingDel.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2360 -ip 2360
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3652 -ip 3652
1⤵
PID:3996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4148,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:8
1⤵
PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\SxingDel.bat

Filesize
212B

MD5
e100b27a4f791001e09cd4d6c28be83e

SHA1
7bcab57802093c4bb745916c5a8d618aeafbc940

SHA256
61cb209b84d5ec868ba0154803b62809fd375d3288e7f25d5cf60a1a6a85d935

SHA512
41c5d1efaac91b410843e5bbcd8ebcac2dd45e2854c85639a03815813635c4f859aa6d34c938e0d507057e3bacc3f4ac901614c1984ba17690e3e5f8c39343a9

Download Submit
F:\rejoice101.exe

Filesize
648KB

MD5
fd28e6f968efaff2170f76262e7dd86b

SHA1
80dee08f414e41cba7de218b6948f4fa9025224c

SHA256
2c274ef3bea34e0756c2836888d093b3c52c6da2e440d4a017493ee1b79e4aa4

SHA512
6b607ca66ef6746d67010e03f60612f6390ba1774da8020c5d9c304bb613676a22a24ebe5b1120d0513e588db50fa490a5b7cb4a00ad8743eaece147ec970190

Download Submit
memory/2360-54-0x00000000021A0000-0x00000000021F4000-memory.dmp

Filesize
336KB

Download
memory/2360-53-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2360-39-0x00000000021A0000-0x00000000021F4000-memory.dmp

Filesize
336KB

Download
memory/2360-38-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2956-20-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/2956-4-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/2956-21-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/2956-0-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2956-19-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/2956-18-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/2956-17-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2956-14-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2956-13-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2956-11-0x00000000034C0000-0x00000000035C0000-memory.dmp

Filesize
1024KB

Download
memory/2956-9-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/2956-8-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/2956-7-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/2956-6-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/2956-5-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/2956-22-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/2956-24-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/2956-3-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/2956-12-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2956-23-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/2956-15-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2956-16-0x00000000034C0000-0x00000000034C3000-memory.dmp

Filesize
12KB

Download
memory/2956-1-0x0000000002300000-0x0000000002354000-memory.dmp

Filesize
336KB

Download
memory/2956-49-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/2956-50-0x0000000002300000-0x0000000002354000-memory.dmp

Filesize
336KB

Download
memory/2956-51-0x00000000034C0000-0x00000000035C0000-memory.dmp

Filesize
1024KB

Download
memory/2956-47-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2956-46-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2956-48-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/2956-10-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/2956-2-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/3652-42-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads