modiloader | 9c80bee3bca435101cc652d586be910cd184c50bc21f6878172920131746cc6e

General

Target

01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
Size

732KB
MD5

01139652e060fbb029975fd04ad7dd9a
SHA1

a223c3bbce74a84529f5d2915e7483c5e51af6bf
SHA256

9c80bee3bca435101cc652d586be910cd184c50bc21f6878172920131746cc6e
SHA512

811121028991d763807588a2b663af1a34fbe2ab66de888948cafefefed1f672a3eeb55c440d05f37ccb45d71af2b68839aefe311e82c67b34f98d085f4b8d81
SSDEEP

12288:Ywufr94lxtC98bESLuBWgMzRkV9yC7r/hL33Kb7D1sNStYtF3Z4mxx2LeP6MzEUX:Ifr94lxtCaAqnNidRnKbqxtQmX2Cyq2y

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/716-28-0x0000000000400000-0x00000000004C9000-memory.dmp	modiloader_stage2
behavioral2/memory/716-32-0x0000000000400000-0x00000000004C9000-memory.dmp	modiloader_stage2
behavioral2/memory/716-46-0x0000000000400000-0x00000000004C9000-memory.dmp	modiloader_stage2
behavioral2/memory/4112-53-0x0000000000400000-0x00000000004C9000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

rejoice101.exerejoice101.exe

pid process

3992 rejoice101.exe
4112 rejoice101.exe

pid	process
3992	rejoice101.exe
4112	rejoice101.exe

Drops file in System32 directory 2 IoCs

Processes:

rejoice101.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\_rejoice101.exe	rejoice101.exe
File created	C:\Windows\SysWOW64\_rejoice101.exe	rejoice101.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exerejoice101.exerejoice101.exe

description	pid	process	target process
PID 3984 set thread context of 716	3984	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
PID 3992 set thread context of 4112	3992	rejoice101.exe	rejoice101.exe
PID 4112 set thread context of 3184	4112	rejoice101.exe	calc.exe

Drops file in Program Files directory 3 IoCs

Processes:

01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SxingDel.bat	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3344 3184 WerFault.exe calc.exe
2176 4112 WerFault.exe rejoice101.exe

pid	pid_target	process	target process
3344	3184	WerFault.exe	calc.exe
2176	4112	WerFault.exe	rejoice101.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exerejoice101.exerejoice101.exe

description	pid	process	target process
PID 3984 wrote to memory of 716	3984	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
PID 3984 wrote to memory of 716	3984	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
PID 3984 wrote to memory of 716	3984	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
PID 3984 wrote to memory of 716	3984	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
PID 3984 wrote to memory of 716	3984	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
PID 716 wrote to memory of 3992	716	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	rejoice101.exe
PID 716 wrote to memory of 3992	716	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	rejoice101.exe
PID 716 wrote to memory of 3992	716	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	rejoice101.exe
PID 3992 wrote to memory of 4112	3992	rejoice101.exe	rejoice101.exe
PID 3992 wrote to memory of 4112	3992	rejoice101.exe	rejoice101.exe
PID 3992 wrote to memory of 4112	3992	rejoice101.exe	rejoice101.exe
PID 3992 wrote to memory of 4112	3992	rejoice101.exe	rejoice101.exe
PID 3992 wrote to memory of 4112	3992	rejoice101.exe	rejoice101.exe
PID 716 wrote to memory of 332	716	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	cmd.exe
PID 716 wrote to memory of 332	716	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	cmd.exe
PID 716 wrote to memory of 332	716	01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe	cmd.exe
PID 4112 wrote to memory of 3184	4112	rejoice101.exe	calc.exe
PID 4112 wrote to memory of 3184	4112	rejoice101.exe	calc.exe
PID 4112 wrote to memory of 3184	4112	rejoice101.exe	calc.exe
PID 4112 wrote to memory of 3184	4112	rejoice101.exe	calc.exe
PID 4112 wrote to memory of 3184	4112	rejoice101.exe	calc.exe
PID 4112 wrote to memory of 4596	4112	rejoice101.exe	IEXPLORE.EXE
PID 4112 wrote to memory of 4596	4112	rejoice101.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3984

C:\Users\Admin\AppData\Local\Temp\01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\01139652e060fbb029975fd04ad7dd9a_JaffaCakes118.exe
2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:716

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3992

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\SysWOW64\calc.exe
"C:\Windows\system32\calc.exe"
5⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 12
6⤵
- Program crash
PID:3344

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
5⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 640
5⤵
- Program crash
PID:2176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SxingDel.bat""
3⤵
PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4112 -ip 4112
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3184 -ip 3184
1⤵
PID:3080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\SxingDel.bat
Filesize
212B

MD5
cab676573a11803a2b4f4f43728a59ab

SHA1
b76d2e9c874dd1ad3b31ba9d9c211c8450e6b774

SHA256
705b08c734bfe667ee49ea446829bf9b0d655bda22ec4696db3585ccc881b858

SHA512
5538a8482d314ee81ece52482032cf9d1d3db122e0b234a8fd888cef37a4cd489c18e3dd49bd6a37b907ec4d1ac655d337ecc89e64a7a24447d34216955548a6

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\rejoice101.exe
Filesize
732KB

MD5
01139652e060fbb029975fd04ad7dd9a

SHA1
a223c3bbce74a84529f5d2915e7483c5e51af6bf

SHA256
9c80bee3bca435101cc652d586be910cd184c50bc21f6878172920131746cc6e

SHA512
811121028991d763807588a2b663af1a34fbe2ab66de888948cafefefed1f672a3eeb55c440d05f37ccb45d71af2b68839aefe311e82c67b34f98d085f4b8d81

Download Submit
memory/716-28-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/716-46-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/716-32-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3184-50-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3984-11-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3984-6-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/3984-21-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3984-20-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/3984-19-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/3984-18-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3984-17-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/3984-16-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/3984-15-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/3984-14-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/3984-13-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3984-12-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/3984-1-0x0000000002130000-0x0000000002184000-memory.dmp

Filesize
336KB

Download
memory/3984-10-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/3984-9-0x0000000003310000-0x0000000003311000-memory.dmp

Filesize
4KB

Download
memory/3984-8-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/3984-7-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/3984-22-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/3984-5-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/3984-4-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/3984-3-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3984-2-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/3984-23-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/3984-30-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3984-31-0x0000000002130000-0x0000000002184000-memory.dmp

Filesize
336KB

Download
memory/3984-24-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/3984-25-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/3984-0-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3984-27-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/3984-26-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/3992-45-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3992-37-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4112-53-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads