modiloader | e033d009fa9681b8513cf3c0534d8fb9621288050118ca8f11711a288e15719c

General

Target

f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe
Size

685KB
MD5

f499dfb009455041674e21bd9e07b191
SHA1

832e58060660b484316a2a7872dee156ebc820ab
SHA256

e033d009fa9681b8513cf3c0534d8fb9621288050118ca8f11711a288e15719c
SHA512

e21290c4a14485ee58be4324c3f86cfbf1940468442016b77a8cab095ed35d00008960d0e53fc5d88c6d1999e1e488a3d0af4536046d20fdf534c746fb95bd11
SSDEEP

12288:YasLorqYAsFmRfGXEVKCD3vO/eMFxZwMxRQb6r3F3Z4mxxJ0MHoTAFb03:YasLorlzFmRKopDfO/Dbm63QmXJKL

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/2532-42-0x0000000000400000-0x0000000000571000-memory.dmp	modiloader_stage2
behavioral1/memory/2292-45-0x0000000000400000-0x0000000000571000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2608	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2532	nod321.exe

Loads dropped DLL 2 IoCs

pid	Process
2292	f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe
2292	f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_nod321.exe	nod321.exe
File opened for modification	C:\Windows\SysWOW64\_nod321.exe	nod321.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2532 set thread context of 2540	2532	nod321.exe	29

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\nod321.exe	f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\nod321.exe	f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2532	2292	f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2532	2292	f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2532	2292	f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2532	2292	f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe	28
PID 2532 wrote to memory of 2540	2532	nod321.exe	29
PID 2532 wrote to memory of 2540	2532	nod321.exe	29
PID 2532 wrote to memory of 2540	2532	nod321.exe	29
PID 2532 wrote to memory of 2540	2532	nod321.exe	29
PID 2532 wrote to memory of 2540	2532	nod321.exe	29
PID 2532 wrote to memory of 2540	2532	nod321.exe	29
PID 2532 wrote to memory of 2708	2532	nod321.exe	30
PID 2532 wrote to memory of 2708	2532	nod321.exe	30
PID 2532 wrote to memory of 2708	2532	nod321.exe	30
PID 2532 wrote to memory of 2708	2532	nod321.exe	30
PID 2292 wrote to memory of 2608	2292	f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2608	2292	f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2608	2292	f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2608	2292	f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\nod321.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\nod321.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:2540
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  PID:2608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\nod321.exe

Filesize
685KB

MD5
f499dfb009455041674e21bd9e07b191

SHA1
832e58060660b484316a2a7872dee156ebc820ab

SHA256
e033d009fa9681b8513cf3c0534d8fb9621288050118ca8f11711a288e15719c

SHA512
e21290c4a14485ee58be4324c3f86cfbf1940468442016b77a8cab095ed35d00008960d0e53fc5d88c6d1999e1e488a3d0af4536046d20fdf534c746fb95bd11

Download Submit
memory/2292-24-0x0000000004400000-0x0000000004571000-memory.dmp

Filesize
1.4MB

Download
memory/2292-4-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2292-13-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2292-12-0x0000000000600000-0x0000000000602000-memory.dmp

Filesize
8KB

Download
memory/2292-11-0x0000000000600000-0x0000000000602000-memory.dmp

Filesize
8KB

Download
memory/2292-10-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2292-7-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2292-6-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2292-5-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2292-44-0x0000000004400000-0x0000000004571000-memory.dmp

Filesize
1.4MB

Download
memory/2292-3-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2292-2-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2292-1-0x0000000000300000-0x0000000000354000-memory.dmp

Filesize
336KB

Download
memory/2292-14-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/2292-9-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2292-0-0x0000000000400000-0x0000000000571000-memory.dmp

Filesize
1.4MB

Download
memory/2292-8-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2292-46-0x0000000000300000-0x0000000000354000-memory.dmp

Filesize
336KB

Download
memory/2292-45-0x0000000000400000-0x0000000000571000-memory.dmp

Filesize
1.4MB

Download
memory/2532-29-0x0000000003290000-0x0000000003390000-memory.dmp

Filesize
1024KB

Download
memory/2532-31-0x0000000003290000-0x0000000003390000-memory.dmp

Filesize
1024KB

Download
memory/2532-39-0x0000000003290000-0x0000000003390000-memory.dmp

Filesize
1024KB

Download
memory/2532-43-0x0000000003290000-0x0000000003390000-memory.dmp

Filesize
1024KB

Download
memory/2532-32-0x0000000003290000-0x0000000003390000-memory.dmp

Filesize
1024KB

Download
memory/2532-42-0x0000000000400000-0x0000000000571000-memory.dmp

Filesize
1.4MB

Download
memory/2532-47-0x0000000003290000-0x0000000003390000-memory.dmp

Filesize
1024KB

Download
memory/2532-30-0x0000000003290000-0x0000000003390000-memory.dmp

Filesize
1024KB

Download
memory/2532-36-0x0000000003290000-0x0000000003390000-memory.dmp

Filesize
1024KB

Download
memory/2532-28-0x0000000000330000-0x0000000000384000-memory.dmp

Filesize
336KB

Download
memory/2540-35-0x0000000000400000-0x0000000000571000-memory.dmp

Filesize
1.4MB

Download
memory/2540-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2540-38-0x0000000000400000-0x0000000000571000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing