modiloader | 98dd55247254be517c10e47adecce26cbefb200e49e48a5f5cba19a3230bc746

General

Target

ff51ecffc9f998fb6c8f4eb1832e1207_JaffaCakes118.exe
Size

641KB
MD5

ff51ecffc9f998fb6c8f4eb1832e1207
SHA1

0897e00df3db3a90721f2abc2eff039cead75263
SHA256

98dd55247254be517c10e47adecce26cbefb200e49e48a5f5cba19a3230bc746
SHA512

77d650430eabee7a54cd22b98609e0335c3c9512e3c09b9d980fc81a48c29e545ec70791ce535f3639a066f9f772bbeb38405765c283c8c36768906b06b41181
SSDEEP

12288:+GtuKgMUhjPbHPGZ3IvFJ32Pn/ZzvvF3Z4mxx2DqVTVOCGr:TtZUhjP7rFd+BDvQmXVVTzGr

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1488-63-0x0000000000400000-0x0000000000519000-memory.dmp	modiloader_stage2
behavioral2/memory/3452-69-0x0000000000400000-0x0000000000519000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

UDP.exe

pid process

3452 UDP.exe
Drops file in System32 directory 2 IoCs

Processes:

UDP.exe

description ioc process

File created C:\Windows\SysWOW64\_UDP.exe UDP.exe
File opened for modification C:\Windows\SysWOW64\_UDP.exe UDP.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

UDP.exe

description pid process target process

PID 3452 set thread context of 4060 3452 UDP.exe mstsc.exe

pid	process
3452	UDP.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_UDP.exe	UDP.exe
File opened for modification	C:\Windows\SysWOW64\_UDP.exe	UDP.exe

description	pid	process	target process
PID 3452 set thread context of 4060	3452	UDP.exe	mstsc.exe

Drops file in Program Files directory 3 IoCs

Processes:

ff51ecffc9f998fb6c8f4eb1832e1207_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\UDP.exe	ff51ecffc9f998fb6c8f4eb1832e1207_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\UDP.exe	ff51ecffc9f998fb6c8f4eb1832e1207_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat	ff51ecffc9f998fb6c8f4eb1832e1207_JaffaCakes118.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3248 4060 WerFault.exe mstsc.exe
3268 3452 WerFault.exe UDP.exe

pid	pid_target	process	target process
3248	4060	WerFault.exe	mstsc.exe
3268	3452	WerFault.exe	UDP.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

ff51ecffc9f998fb6c8f4eb1832e1207_JaffaCakes118.exeUDP.exe

description	pid	process	target process
PID 1488 wrote to memory of 3452	1488	ff51ecffc9f998fb6c8f4eb1832e1207_JaffaCakes118.exe	UDP.exe
PID 1488 wrote to memory of 3452	1488	ff51ecffc9f998fb6c8f4eb1832e1207_JaffaCakes118.exe	UDP.exe
PID 1488 wrote to memory of 3452	1488	ff51ecffc9f998fb6c8f4eb1832e1207_JaffaCakes118.exe	UDP.exe
PID 3452 wrote to memory of 4060	3452	UDP.exe	mstsc.exe
PID 3452 wrote to memory of 4060	3452	UDP.exe	mstsc.exe
PID 3452 wrote to memory of 4060	3452	UDP.exe	mstsc.exe
PID 3452 wrote to memory of 4060	3452	UDP.exe	mstsc.exe
PID 3452 wrote to memory of 4060	3452	UDP.exe	mstsc.exe
PID 3452 wrote to memory of 3152	3452	UDP.exe	IEXPLORE.EXE
PID 3452 wrote to memory of 3152	3452	UDP.exe	IEXPLORE.EXE
PID 1488 wrote to memory of 3828	1488	ff51ecffc9f998fb6c8f4eb1832e1207_JaffaCakes118.exe	cmd.exe
PID 1488 wrote to memory of 3828	1488	ff51ecffc9f998fb6c8f4eb1832e1207_JaffaCakes118.exe	cmd.exe
PID 1488 wrote to memory of 3828	1488	ff51ecffc9f998fb6c8f4eb1832e1207_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ff51ecffc9f998fb6c8f4eb1832e1207_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff51ecffc9f998fb6c8f4eb1832e1207_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1488

C:\Program Files\Common Files\Microsoft Shared\MSINFO\UDP.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\UDP.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\system32\mstsc.exe"
3⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 12
4⤵
- Program crash
PID:3248

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
3⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 688
3⤵
- Program crash
PID:3268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""
2⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3452 -ip 3452
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4060 -ip 4060
1⤵
PID:4116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat
Filesize
212B

MD5
30171f6f114e7259db3f1dc9f83f387d

SHA1
301825570c4ca7b476bee29973cf3e3afb14a828

SHA256
90702606a3d1a92d765749318f56ede5c244c4ba4c5f2cb4292611bc787a447b

SHA512
34ef7dda756ad45ae0079bb9d50a9997c929b94d1301393bf5eddf97e30d01b399f13cfb4fea7474738d4f24ad41e9b3f3b72b2d27b60c0d2d0b34087379b99a

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\UDP.exe
Filesize
641KB

MD5
ff51ecffc9f998fb6c8f4eb1832e1207

SHA1
0897e00df3db3a90721f2abc2eff039cead75263

SHA256
98dd55247254be517c10e47adecce26cbefb200e49e48a5f5cba19a3230bc746

SHA512
77d650430eabee7a54cd22b98609e0335c3c9512e3c09b9d980fc81a48c29e545ec70791ce535f3639a066f9f772bbeb38405765c283c8c36768906b06b41181

Download Submit
memory/1488-34-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/1488-6-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/1488-0-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/1488-5-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/1488-36-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/1488-7-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1488-9-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/1488-8-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1488-13-0x00000000034C0000-0x00000000034C3000-memory.dmp

Filesize
12KB

Download
memory/1488-12-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/1488-15-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/1488-14-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/1488-16-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1488-17-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/1488-18-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1488-19-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1488-20-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/1488-21-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1488-22-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1488-23-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/1488-24-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1488-25-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/1488-26-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1488-27-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/1488-28-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/1488-29-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/1488-30-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1488-31-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/1488-32-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1488-33-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/1488-2-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/1488-72-0x00000000035B0000-0x00000000035B1000-memory.dmp

Filesize
4KB

Download
memory/1488-4-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/1488-37-0x00000000034B0000-0x00000000034B3000-memory.dmp

Filesize
12KB

Download
memory/1488-38-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/1488-39-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1488-40-0x0000000003600000-0x0000000003601000-memory.dmp

Filesize
4KB

Download
memory/1488-3-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1488-35-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/1488-1-0x00000000022E0000-0x0000000002334000-memory.dmp

Filesize
336KB

Download
memory/1488-66-0x00000000035B0000-0x00000000035B1000-memory.dmp

Filesize
4KB

Download
memory/1488-64-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/1488-65-0x00000000022E0000-0x0000000002334000-memory.dmp

Filesize
336KB

Download
memory/1488-63-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/3452-45-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/3452-44-0x00000000020C0000-0x0000000002114000-memory.dmp

Filesize
336KB

Download
memory/3452-48-0x00000000033B0000-0x00000000033B3000-memory.dmp

Filesize
12KB

Download
memory/3452-47-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/3452-57-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/3452-58-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/3452-59-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/3452-53-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/3452-54-0x00000000033E0000-0x00000000033E1000-memory.dmp

Filesize
4KB

Download
memory/3452-71-0x00000000020C0000-0x0000000002114000-memory.dmp

Filesize
336KB

Download
memory/3452-51-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/3452-46-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/3452-56-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/3452-60-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/3452-69-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/3452-70-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/4060-52-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/4060-68-0x00000000002D0000-0x00000000002D0000-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads