modiloader | 0b37d22d6c2d1a191c50f5ee6720e3f1f2db0063787dbbb4b40fa80933ea4365

General

Target

001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe
Size

577KB
MD5

001385ef05b556dbcda822925ea9a8ec
SHA1

cc3fdcee65d83153a1da72d8cdaee3f271967594
SHA256

0b37d22d6c2d1a191c50f5ee6720e3f1f2db0063787dbbb4b40fa80933ea4365
SHA512

18d899a08cd5565fde4d21f963cf46f7dbffc3062cbb15054becf5ed16c7a445047a7b4db0283992b19677ff5da816ac657cf2e8ad8bb118a056c000bc35434c
SSDEEP

12288:W7bkAWVjog6lWPjbUkbxb5GOaTTTTBPTT71cNM1c2obY7bjlTxClWnI96YzbL:EkAUjV6YUklvaTTTTBPTT7qNOocvRt9G

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2792-24-0x0000000000400000-0x0000000000509000-memory.dmp	modiloader_stage2
behavioral2/memory/3032-26-0x0000000000400000-0x0000000000509000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

11151.exe

pid process

2792 11151.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

11151.exe

description pid process target process

PID 2792 set thread context of 3312 2792 11151.exe svchost.exe

pid	process
2792	11151.exe

description	pid	process	target process
PID 2792 set thread context of 3312	2792	11151.exe	svchost.exe

Drops file in Program Files directory 3 IoCs

Processes:

001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe	001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe	001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat	001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2324 3312 WerFault.exe svchost.exe

pid	pid_target	process	target process
2324	3312	WerFault.exe	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe11151.exe

description	pid	process	target process
PID 3032 wrote to memory of 2792	3032	001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe	11151.exe
PID 3032 wrote to memory of 2792	3032	001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe	11151.exe
PID 3032 wrote to memory of 2792	3032	001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe	11151.exe
PID 2792 wrote to memory of 3312	2792	11151.exe	svchost.exe
PID 2792 wrote to memory of 3312	2792	11151.exe	svchost.exe
PID 2792 wrote to memory of 3312	2792	11151.exe	svchost.exe
PID 2792 wrote to memory of 3312	2792	11151.exe	svchost.exe
PID 2792 wrote to memory of 3312	2792	11151.exe	svchost.exe
PID 3032 wrote to memory of 2972	3032	001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe	cmd.exe
PID 3032 wrote to memory of 2972	3032	001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe	cmd.exe
PID 3032 wrote to memory of 2972	3032	001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3032

C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 12
4⤵
- Program crash
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""
2⤵
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3312 -ip 3312
1⤵
PID:2240

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat
Filesize
212B

MD5
cf8b32b602fa7bc484a03a930a8d2375

SHA1
1fc78bc1ed022f94dbd655cd5e2a190684e95f31

SHA256
a5754221e1df6a36a5f54d23cab6258f8db2fa14abd3956d6654ab927e26504d

SHA512
e3f54423eacf8be23cb20fa202a236be37fda255af4421b9d3523c7c83a16c5eda022b57ee57f7ee753eb2d39843149a3a0c499196e0b2f113f9cd74f4e4c7d8

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\11151.exe
Filesize
577KB

MD5
001385ef05b556dbcda822925ea9a8ec

SHA1
cc3fdcee65d83153a1da72d8cdaee3f271967594

SHA256
0b37d22d6c2d1a191c50f5ee6720e3f1f2db0063787dbbb4b40fa80933ea4365

SHA512
18d899a08cd5565fde4d21f963cf46f7dbffc3062cbb15054becf5ed16c7a445047a7b4db0283992b19677ff5da816ac657cf2e8ad8bb118a056c000bc35434c

Download Submit
memory/2792-24-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/3032-2-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/3032-12-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/3032-7-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/3032-6-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/3032-5-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/3032-4-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/3032-3-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/3032-0-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/3032-1-0x00000000022C0000-0x0000000002310000-memory.dmp

Filesize
320KB

Download
memory/3032-8-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/3032-15-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/3032-14-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/3032-13-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3032-9-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/3032-11-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/3032-10-0x0000000002D50000-0x0000000002D53000-memory.dmp

Filesize
12KB

Download
memory/3032-27-0x00000000022C0000-0x0000000002310000-memory.dmp

Filesize
320KB

Download
memory/3032-26-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/3312-21-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads