modiloader | e033d009fa9681b8513cf3c0534d8fb9621288050118ca8f11711a288e15719c

General

Target

f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe
Size

685KB
MD5

f499dfb009455041674e21bd9e07b191
SHA1

832e58060660b484316a2a7872dee156ebc820ab
SHA256

e033d009fa9681b8513cf3c0534d8fb9621288050118ca8f11711a288e15719c
SHA512

e21290c4a14485ee58be4324c3f86cfbf1940468442016b77a8cab095ed35d00008960d0e53fc5d88c6d1999e1e488a3d0af4536046d20fdf534c746fb95bd11
SSDEEP

12288:YasLorqYAsFmRfGXEVKCD3vO/eMFxZwMxRQb6r3F3Z4mxxJ0MHoTAFb03:YasLorlzFmRKopDfO/Dbm63QmXJKL

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/1004-31-0x0000000000400000-0x0000000000571000-memory.dmp	modiloader_stage2
behavioral2/memory/2108-33-0x0000000000400000-0x0000000000571000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
1004	nod321.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_nod321.exe	nod321.exe
File opened for modification	C:\Windows\SysWOW64\_nod321.exe	nod321.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1004 set thread context of 2440	1004	nod321.exe	93

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\nod321.exe	f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\nod321.exe	f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1376	2108	WerFault.exe	83
4444	1004	WerFault.exe	90
3960	2440	WerFault.exe	93

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1004	2108	f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe	90
PID 2108 wrote to memory of 1004	2108	f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe	90
PID 2108 wrote to memory of 1004	2108	f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe	90
PID 1004 wrote to memory of 2440	1004	nod321.exe	93
PID 1004 wrote to memory of 2440	1004	nod321.exe	93
PID 1004 wrote to memory of 2440	1004	nod321.exe	93
PID 1004 wrote to memory of 2440	1004	nod321.exe	93
PID 1004 wrote to memory of 2440	1004	nod321.exe	93
PID 1004 wrote to memory of 2060	1004	nod321.exe	94
PID 1004 wrote to memory of 2060	1004	nod321.exe	94
PID 2108 wrote to memory of 440	2108	f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe	96
PID 2108 wrote to memory of 440	2108	f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe	96
PID 2108 wrote to memory of 440	2108	f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 324
  2⤵
  - Program crash
  PID:1376
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\nod321.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\nod321.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 324
    3⤵
    - Program crash
    PID:4444
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:2440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 12
      4⤵
      Program crash
      PID:3960
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:2060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\f499dfb009455041674e21bd9e07b191_JaffaCakes118.exe"
  2⤵
  PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2108 -ip 2108
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1004 -ip 1004
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2440 -ip 2440
1⤵
PID:1344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\MSInfo\nod321.exe

Filesize
685KB

MD5
f499dfb009455041674e21bd9e07b191

SHA1
832e58060660b484316a2a7872dee156ebc820ab

SHA256
e033d009fa9681b8513cf3c0534d8fb9621288050118ca8f11711a288e15719c

SHA512
e21290c4a14485ee58be4324c3f86cfbf1940468442016b77a8cab095ed35d00008960d0e53fc5d88c6d1999e1e488a3d0af4536046d20fdf534c746fb95bd11

Download Submit
memory/1004-38-0x00000000033F0000-0x000000000340B000-memory.dmp

Filesize
108KB

Download
memory/1004-34-0x0000000000A80000-0x0000000000AD4000-memory.dmp

Filesize
336KB

Download
memory/1004-35-0x00000000033F0000-0x000000000340B000-memory.dmp

Filesize
108KB

Download
memory/1004-32-0x00000000033F0000-0x000000000340B000-memory.dmp

Filesize
108KB

Download
memory/1004-26-0x00000000033F0000-0x000000000340B000-memory.dmp

Filesize
108KB

Download
memory/1004-29-0x00000000033F0000-0x000000000340B000-memory.dmp

Filesize
108KB

Download
memory/1004-31-0x0000000000400000-0x0000000000571000-memory.dmp

Filesize
1.4MB

Download
memory/1004-30-0x00000000033F0000-0x000000000340B000-memory.dmp

Filesize
108KB

Download
memory/1004-23-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/1004-22-0x0000000000A80000-0x0000000000AD4000-memory.dmp

Filesize
336KB

Download
memory/1004-21-0x0000000000400000-0x0000000000571000-memory.dmp

Filesize
1.4MB

Download
memory/2108-7-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/2108-8-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/2108-14-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/2108-17-0x0000000003710000-0x0000000003711000-memory.dmp

Filesize
4KB

Download
memory/2108-12-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/2108-11-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2108-10-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/2108-9-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/2108-0-0x0000000000400000-0x0000000000571000-memory.dmp

Filesize
1.4MB

Download
memory/2108-13-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/2108-5-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/2108-6-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/2108-1-0x0000000000A30000-0x0000000000A84000-memory.dmp

Filesize
336KB

Download
memory/2108-4-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/2108-3-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/2108-36-0x0000000000A30000-0x0000000000A84000-memory.dmp

Filesize
336KB

Download
memory/2108-2-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/2108-33-0x0000000000400000-0x0000000000571000-memory.dmp

Filesize
1.4MB

Download
memory/2440-27-0x0000000000400000-0x0000000000571000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing