modiloader | 9c80bee3bca435101cc652d586be910cd184c50bc21f6878172920131746cc6e

General

Target

01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
Size

732KB
MD5

01139652e060fbb029975fd04ad7dd9a
SHA1

a223c3bbce74a84529f5d2915e7483c5e51af6bf
SHA256

9c80bee3bca435101cc652d586be910cd184c50bc21f6878172920131746cc6e
SHA512

811121028991d763807588a2b663af1a34fbe2ab66de888948cafefefed1f672a3eeb55c440d05f37ccb45d71af2b68839aefe311e82c67b34f98d085f4b8d81
SSDEEP

12288:Ywufr94lxtC98bESLuBWgMzRkV9yC7r/hL33Kb7D1sNStYtF3Z4mxx2LeP6MzEUX:Ifr94lxtCaAqnNidRnKbqxtQmX2Cyq2y

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2636-38-0x0000000000400000-0x00000000004C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2636-34-0x0000000000400000-0x00000000004C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2636-48-0x0000000002020000-0x00000000020E3000-memory.dmp	modiloader_stage2
behavioral1/memory/2636-65-0x0000000000400000-0x00000000004C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2612-67-0x0000000000400000-0x00000000004C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2612-76-0x0000000000400000-0x00000000004C9000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2416 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

rejoice101.exerejoice101.exe

pid process

2492 rejoice101.exe
2612 rejoice101.exe
Loads dropped DLL 2 IoCs

Processes:

01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe

pid process

2636 01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
2636 01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe

pid	process
2416	cmd.exe

pid	process
2492	rejoice101.exe
2612	rejoice101.exe

pid	process
2636	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
2636	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

Processes:

rejoice101.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_rejoice101.exe	rejoice101.exe
File opened for modification	C:\Windows\SysWOW64\_rejoice101.exe	rejoice101.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exerejoice101.exerejoice101.exe

description	pid	process	target process
PID 2188 set thread context of 2636	2188	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
PID 2492 set thread context of 2612	2492	rejoice101.exe	rejoice101.exe
PID 2612 set thread context of 2932	2612	rejoice101.exe	calc.exe

Drops file in Program Files directory 3 IoCs

Processes:

01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SxingDel.bat	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1580 2612 WerFault.exe rejoice101.exe

pid	pid_target	process	target process
1580	2612	WerFault.exe	rejoice101.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exerejoice101.exerejoice101.exe

description	pid	process	target process
PID 2188 wrote to memory of 2636	2188	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
PID 2188 wrote to memory of 2636	2188	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
PID 2188 wrote to memory of 2636	2188	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
PID 2188 wrote to memory of 2636	2188	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
PID 2188 wrote to memory of 2636	2188	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
PID 2188 wrote to memory of 2636	2188	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
PID 2636 wrote to memory of 2492	2636	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	rejoice101.exe
PID 2636 wrote to memory of 2492	2636	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	rejoice101.exe
PID 2636 wrote to memory of 2492	2636	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	rejoice101.exe
PID 2636 wrote to memory of 2492	2636	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	rejoice101.exe
PID 2492 wrote to memory of 2612	2492	rejoice101.exe	rejoice101.exe
PID 2492 wrote to memory of 2612	2492	rejoice101.exe	rejoice101.exe
PID 2492 wrote to memory of 2612	2492	rejoice101.exe	rejoice101.exe
PID 2492 wrote to memory of 2612	2492	rejoice101.exe	rejoice101.exe
PID 2492 wrote to memory of 2612	2492	rejoice101.exe	rejoice101.exe
PID 2492 wrote to memory of 2612	2492	rejoice101.exe	rejoice101.exe
PID 2636 wrote to memory of 2416	2636	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	cmd.exe
PID 2636 wrote to memory of 2416	2636	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	cmd.exe
PID 2636 wrote to memory of 2416	2636	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	cmd.exe
PID 2636 wrote to memory of 2416	2636	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	cmd.exe
PID 2612 wrote to memory of 2932	2612	rejoice101.exe	calc.exe
PID 2612 wrote to memory of 2932	2612	rejoice101.exe	calc.exe
PID 2612 wrote to memory of 2932	2612	rejoice101.exe	calc.exe
PID 2612 wrote to memory of 2932	2612	rejoice101.exe	calc.exe
PID 2612 wrote to memory of 2932	2612	rejoice101.exe	calc.exe
PID 2612 wrote to memory of 2932	2612	rejoice101.exe	calc.exe
PID 2612 wrote to memory of 2900	2612	rejoice101.exe	IEXPLORE.EXE
PID 2612 wrote to memory of 2900	2612	rejoice101.exe	IEXPLORE.EXE
PID 2612 wrote to memory of 2900	2612	rejoice101.exe	IEXPLORE.EXE
PID 2612 wrote to memory of 2900	2612	rejoice101.exe	IEXPLORE.EXE
PID 2612 wrote to memory of 1580	2612	rejoice101.exe	WerFault.exe
PID 2612 wrote to memory of 1580	2612	rejoice101.exe	WerFault.exe
PID 2612 wrote to memory of 1580	2612	rejoice101.exe	WerFault.exe
PID 2612 wrote to memory of 1580	2612	rejoice101.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2188

C:\Users\Admin\AppData\Local\Temp\01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
2⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2636

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2492

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\calc.exe
"C:\Windows\system32\calc.exe"
5⤵
PID:2932

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
5⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 292
5⤵
- Program crash
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SxingDel.bat""
3⤵
- Deletes itself
PID:2416

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\SxingDel.bat
Filesize
212B

MD5
cab676573a11803a2b4f4f43728a59ab

SHA1
b76d2e9c874dd1ad3b31ba9d9c211c8450e6b774

SHA256
705b08c734bfe667ee49ea446829bf9b0d655bda22ec4696db3585ccc881b858

SHA512
5538a8482d314ee81ece52482032cf9d1d3db122e0b234a8fd888cef37a4cd489c18e3dd49bd6a37b907ec4d1ac655d337ecc89e64a7a24447d34216955548a6

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice101.exe
Filesize
732KB

MD5
01139652e060fbb029975fd04ad7dd9a

SHA1
a223c3bbce74a84529f5d2915e7483c5e51af6bf

SHA256
9c80bee3bca435101cc652d586be910cd184c50bc21f6878172920131746cc6e

SHA512
811121028991d763807588a2b663af1a34fbe2ab66de888948cafefefed1f672a3eeb55c440d05f37ccb45d71af2b68839aefe311e82c67b34f98d085f4b8d81

Download Submit
memory/2188-7-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2188-10-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/2188-27-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/2188-26-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2188-25-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/2188-24-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/2188-23-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/2188-22-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

Filesize
4KB

Download
memory/2188-21-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2188-20-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/2188-19-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/2188-18-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/2188-17-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2188-16-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2188-15-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/2188-14-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

Filesize
4KB

Download
memory/2188-1-0x0000000000310000-0x0000000000364000-memory.dmp

Filesize
336KB

Download
memory/2188-12-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/2188-11-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2188-29-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2188-9-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/2188-8-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2188-5-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2188-28-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2188-13-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2188-4-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2188-3-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2188-2-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2188-37-0x0000000000310000-0x0000000000364000-memory.dmp

Filesize
336KB

Download
memory/2188-36-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2188-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2188-0-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2188-30-0x0000000003A10000-0x0000000003AD3000-memory.dmp

Filesize
780KB

Download
memory/2492-50-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2492-64-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2612-67-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2612-76-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2636-34-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2636-65-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2636-48-0x0000000002020000-0x00000000020E3000-memory.dmp

Filesize
780KB

Download
memory/2636-38-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2636-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2636-32-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2932-71-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2932-72-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2932-74-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads