modiloader | 22845910e8d8e988c6a40f5d583af3eaeb21419e92026623e930150c9c7c9a5c

General

Target

JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
Size

542KB
MD5

9626cfb220a4d6d3be387187e9b66638
SHA1

b88508a9a4f6f75e720c1f5a3af8e0200a40c7fc
SHA256

22845910e8d8e988c6a40f5d583af3eaeb21419e92026623e930150c9c7c9a5c
SHA512

03a7d86bfc8beea8b46102b6cf23de6c4fdabb4a08631669e5718896fcae76f490ffc97e58765177c8124e38d32ee522d0da8624f97a1b09cb3c69864a7ce14b
SSDEEP

12288:Qvx24F0U/9wAosmYRJmRhewxqD3rUfXaDNaqZ/9T+sjEtrwh6dOPD:q9Ft6/x8JCmUCRfZVT+sYWgd

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 6 IoCs

resource	yara_rule
behavioral1/memory/2808-2-0x0000000000400000-0x000000000054C4EC-memory.dmp	modiloader_stage2
behavioral1/memory/2840-37-0x0000000000400000-0x000000000054C4EC-memory.dmp	modiloader_stage2
behavioral1/memory/2808-47-0x0000000000400000-0x000000000054C4EC-memory.dmp	modiloader_stage2
behavioral1/memory/2808-55-0x0000000000400000-0x000000000054C4EC-memory.dmp	modiloader_stage2
behavioral1/memory/2840-57-0x0000000000400000-0x000000000054C4EC-memory.dmp	modiloader_stage2
behavioral1/memory/2840-58-0x0000000000400000-0x000000000054C4EC-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2884	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2840	Server.exe

Loads dropped DLL 5 IoCs

pid	Process
2808	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
2808	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File opened (read-only)	\??\H:	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File opened (read-only)	\??\Q:	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File opened (read-only)	\??\X:	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File opened (read-only)	\??\Z:	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File opened (read-only)	\??\I:	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File opened (read-only)	\??\K:	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File opened (read-only)	\??\R:	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File opened (read-only)	\??\Y:	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File opened (read-only)	\??\G:	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File opened (read-only)	\??\L:	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File opened (read-only)	\??\P:	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File opened (read-only)	\??\S:	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File opened (read-only)	\??\T:	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File opened (read-only)	\??\W:	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File opened (read-only)	\??\A:	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File opened (read-only)	\??\J:	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File opened (read-only)	\??\M:	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File opened (read-only)	\??\N:	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File opened (read-only)	\??\O:	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File opened (read-only)	\??\U:	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File opened (read-only)	\??\V:	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File opened (read-only)	\??\B:	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AutoRun.inf	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File opened for modification	F:\AutoRun.inf	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\_Server.exe	Server.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2840 set thread context of 2744	2840	Server.exe	30

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server.exe	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server.exe	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3000	2840	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2840	2808	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe	29
PID 2808 wrote to memory of 2840	2808	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe	29
PID 2808 wrote to memory of 2840	2808	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe	29
PID 2808 wrote to memory of 2840	2808	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe	29
PID 2840 wrote to memory of 2744	2840	Server.exe	30
PID 2840 wrote to memory of 2744	2840	Server.exe	30
PID 2840 wrote to memory of 2744	2840	Server.exe	30
PID 2840 wrote to memory of 2744	2840	Server.exe	30
PID 2840 wrote to memory of 2744	2840	Server.exe	30
PID 2840 wrote to memory of 2744	2840	Server.exe	30
PID 2840 wrote to memory of 3000	2840	Server.exe	31
PID 2840 wrote to memory of 3000	2840	Server.exe	31
PID 2840 wrote to memory of 3000	2840	Server.exe	31
PID 2840 wrote to memory of 3000	2840	Server.exe	31
PID 2808 wrote to memory of 2884	2808	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe	32
PID 2808 wrote to memory of 2884	2808	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe	32
PID 2808 wrote to memory of 2884	2808	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe	32
PID 2808 wrote to memory of 2884	2808	JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9626cfb220a4d6d3be387187e9b66638.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 300
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AutoRun.inf

Filesize
166B

MD5
42e6ddc67c0c51a3e39780a99988f551

SHA1
3422a8dde772d662217339179f81ccb3686780d4

SHA256
f9c0462fff3f51f85aa116b2d0f38fd2a8e7263284a3bb1cde9b87a92abfaf01

SHA512
e1a316110a286ce72a8948e67b1c38e29cec73720780886873f00f0082ddee21557d8c7eb8106531f4cf0d3bf5b7945b60fe11f792e3ba70879e6a7063acea5b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\ReDelBat.bat

Filesize
212B

MD5
589dedae304885508f0559f4c1628fb3

SHA1
c31a8f81c26dce244c1dc932c86921b98245fef4

SHA256
5f7d21cb11eca48634056841c2d95e4f318164cd0adf4e6fd07b3fd5fa8ba226

SHA512
703e264c520aafd660216d07338fce01636d226059931eee9f532ed9dfe3f04be1af8e29f3b0e9bdf39983054596644895279b30a8601f51a7875b41b98d636a

Download Submit
F:\Server.exe

Filesize
542KB

MD5
9626cfb220a4d6d3be387187e9b66638

SHA1
b88508a9a4f6f75e720c1f5a3af8e0200a40c7fc

SHA256
22845910e8d8e988c6a40f5d583af3eaeb21419e92026623e930150c9c7c9a5c

SHA512
03a7d86bfc8beea8b46102b6cf23de6c4fdabb4a08631669e5718896fcae76f490ffc97e58765177c8124e38d32ee522d0da8624f97a1b09cb3c69864a7ce14b

Download Submit
memory/2744-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2744-42-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/2808-47-0x0000000000400000-0x000000000054C4EC-memory.dmp

Filesize
1.3MB

Download
memory/2808-30-0x0000000002B90000-0x0000000002CDD000-memory.dmp

Filesize
1.3MB

Download
memory/2808-25-0x0000000002B90000-0x0000000002CDD000-memory.dmp

Filesize
1.3MB

Download
memory/2808-2-0x0000000000400000-0x000000000054C4EC-memory.dmp

Filesize
1.3MB

Download
memory/2808-0-0x0000000000400000-0x000000000054C4EC-memory.dmp

Filesize
1.3MB

Download
memory/2808-1-0x00000000004C4000-0x00000000004C5000-memory.dmp

Filesize
4KB

Download
memory/2808-55-0x0000000000400000-0x000000000054C4EC-memory.dmp

Filesize
1.3MB

Download
memory/2840-32-0x0000000000400000-0x000000000054C4EC-memory.dmp

Filesize
1.3MB

Download
memory/2840-33-0x0000000000400000-0x000000000054C4EC-memory.dmp

Filesize
1.3MB

Download
memory/2840-37-0x0000000000400000-0x000000000054C4EC-memory.dmp

Filesize
1.3MB

Download
memory/2840-57-0x0000000000400000-0x000000000054C4EC-memory.dmp

Filesize
1.3MB

Download
memory/2840-58-0x0000000000400000-0x000000000054C4EC-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.