modiloader | d5abac29597706744265cbbcb6f0bef3d286789d8fb0839b9d7f2eeb08da5e91

General

Target

ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
Size

774KB
MD5

ffa27ed5781c3830aa6c54e94c042571
SHA1

c64c0a68900e9e7eeff9e39148a9c20bbdf7c98a
SHA256

d5abac29597706744265cbbcb6f0bef3d286789d8fb0839b9d7f2eeb08da5e91
SHA512

a87385f2bdcc76a64cd760e32878bec133377f4fea016c1462728ff045a4178efe099e7efde1939a8624c1bf76a906ac85639540ca7533ee5535be3f73a30b0f
SSDEEP

12288:KifzDQZpKIZSgJPqa/NA6zD5+bO2eJpTx8fbkP04SrLKDF3Z4mxxjBOL9h+r93K6:eZpKGialAUDz7VodjX8QmXjukr9cf6

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/2040-39-0x0000000000400000-0x0000000000514000-memory.dmp	modiloader_stage2
behavioral1/memory/2732-62-0x0000000000400000-0x0000000000514000-memory.dmp	modiloader_stage2
behavioral1/memory/2040-74-0x0000000000400000-0x0000000000514000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2260	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2732	rejoice47.exe

Loads dropped DLL 5 IoCs

pid	Process
2040	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
2040	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened (read-only)	\??\U:	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened (read-only)	\??\V:	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened (read-only)	\??\A:	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened (read-only)	\??\G:	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened (read-only)	\??\I:	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened (read-only)	\??\Q:	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened (read-only)	\??\R:	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened (read-only)	\??\W:	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened (read-only)	\??\Y:	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened (read-only)	\??\J:	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened (read-only)	\??\M:	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened (read-only)	\??\S:	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened (read-only)	\??\P:	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened (read-only)	\??\X:	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened (read-only)	\??\Z:	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened (read-only)	\??\B:	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened (read-only)	\??\E:	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened (read-only)	\??\L:	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened (read-only)	\??\N:	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened (read-only)	\??\O:	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened (read-only)	\??\H:	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened (read-only)	\??\K:	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\AutoRun.inf	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened for modification	C:\AutoRun.inf	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File created	F:\AutoRun.inf	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened for modification	F:\AutoRun.inf	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_rejoice47.exe	rejoice47.exe
File opened for modification	C:\Windows\SysWOW64\_rejoice47.exe	rejoice47.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2732 set thread context of 1724	2732	rejoice47.exe	31

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2560	2732	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rejoice47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2732	2040	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe	30
PID 2040 wrote to memory of 2732	2040	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe	30
PID 2040 wrote to memory of 2732	2040	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe	30
PID 2040 wrote to memory of 2732	2040	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe	30
PID 2732 wrote to memory of 1724	2732	rejoice47.exe	31
PID 2732 wrote to memory of 1724	2732	rejoice47.exe	31
PID 2732 wrote to memory of 1724	2732	rejoice47.exe	31
PID 2732 wrote to memory of 1724	2732	rejoice47.exe	31
PID 2732 wrote to memory of 1724	2732	rejoice47.exe	31
PID 2732 wrote to memory of 1724	2732	rejoice47.exe	31
PID 2732 wrote to memory of 2560	2732	rejoice47.exe	32
PID 2732 wrote to memory of 2560	2732	rejoice47.exe	32
PID 2732 wrote to memory of 2560	2732	rejoice47.exe	32
PID 2732 wrote to memory of 2560	2732	rejoice47.exe	32
PID 2040 wrote to memory of 2260	2040	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe	33
PID 2040 wrote to memory of 2260	2040	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe	33
PID 2040 wrote to memory of 2260	2040	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe	33
PID 2040 wrote to memory of 2260	2040	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe	33
PID 2040 wrote to memory of 2260	2040	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe	33
PID 2040 wrote to memory of 2260	2040	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe	33
PID 2040 wrote to memory of 2260	2040	ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ffa27ed5781c3830aa6c54e94c042571_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 320
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\SetupDel.bat

Filesize
212B

MD5
7f33e657405e480be781488fc9afb6e8

SHA1
505e800237c9381df73a2d1f5b20d2f4d5403658

SHA256
4a3325be21007e9c4cf83091a47cf95bef1d47a3e8d6c2a577112c4e39e51873

SHA512
b59d253e37ff1afbb33f05473ef6e74de3608271fa31c323e12ce5ad7d6b83813d8a72ea5aae7dec4d8c13b47d468cbbcf0adebe9c17d24fbc6c324fd067bcfc

Download Submit
C:\rejoice47.exe

Filesize
774KB

MD5
ffa27ed5781c3830aa6c54e94c042571

SHA1
c64c0a68900e9e7eeff9e39148a9c20bbdf7c98a

SHA256
d5abac29597706744265cbbcb6f0bef3d286789d8fb0839b9d7f2eeb08da5e91

SHA512
a87385f2bdcc76a64cd760e32878bec133377f4fea016c1462728ff045a4178efe099e7efde1939a8624c1bf76a906ac85639540ca7533ee5535be3f73a30b0f

Download Submit
memory/1724-48-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1724-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2040-8-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/2040-39-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2040-14-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/2040-13-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/2040-12-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/2040-11-0x0000000003360000-0x0000000003460000-memory.dmp

Filesize
1024KB

Download
memory/2040-10-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/2040-9-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/2040-7-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/2040-6-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2040-5-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2040-4-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/2040-3-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2040-2-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2040-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2040-16-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/2040-74-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2040-15-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/2040-38-0x0000000003F60000-0x0000000004074000-memory.dmp

Filesize
1.1MB

Download
memory/2040-37-0x0000000003F60000-0x0000000004074000-memory.dmp

Filesize
1.1MB

Download
memory/2040-17-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/2040-18-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2040-53-0x0000000000370000-0x00000000003C4000-memory.dmp

Filesize
336KB

Download
memory/2040-54-0x0000000003360000-0x0000000003460000-memory.dmp

Filesize
1024KB

Download
memory/2040-59-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/2040-58-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/2040-57-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/2040-56-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/2040-60-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2040-55-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/2040-1-0x0000000000370000-0x00000000003C4000-memory.dmp

Filesize
336KB

Download
memory/2732-62-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2732-41-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads