modiloader | 2a9db82801d3302a2027958a3edd85ed7e677be9b60a0b02ee1429993f04c800

General

Target

015cb9a468512dc70c56b9c4d3cff7a3_JaffaCakes118.exe
Size

315KB
MD5

015cb9a468512dc70c56b9c4d3cff7a3
SHA1

0c8f570edc212a8a87775514c5bf4923b58db82b
SHA256

2a9db82801d3302a2027958a3edd85ed7e677be9b60a0b02ee1429993f04c800
SHA512

cc5b1c1c8fd80e4b857bd70e799e7486d04c247e0db894b56d6ba103181fd9d44a8c4e7df6acbb8a90a1270703a5e784e3556d7d00f6da40d3cfdb4a80e45129
SSDEEP

6144:tT8sHiR3/tqh5+QYSMFk04Mq95bjHZRleTcQ8pXquv:tT80hhMO7X5b9Rler8/v

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/852-27-0x0000000000400000-0x0000000000518000-memory.dmp	modiloader_stage2
behavioral1/memory/1844-29-0x0000000000400000-0x0000000000518000-memory.dmp	modiloader_stage2
behavioral1/memory/852-37-0x0000000000400000-0x0000000000518000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2488 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

commond.exe

pid process

1844 commond.exe

pid	process
2488	cmd.exe

pid	process
1844	commond.exe

Loads dropped DLL 5 IoCs

Processes:

015cb9a468512dc70c56b9c4d3cff7a3_JaffaCakes118.exeWerFault.exe

pid	process
852	015cb9a468512dc70c56b9c4d3cff7a3_JaffaCakes118.exe
852	015cb9a468512dc70c56b9c4d3cff7a3_JaffaCakes118.exe
2848	WerFault.exe
2848	WerFault.exe
2848	WerFault.exe

Drops file in System32 directory 2 IoCs

Processes:

commond.exe

description ioc process

File created C:\Windows\SysWOW64\_commond.exe commond.exe
File opened for modification C:\Windows\SysWOW64\_commond.exe commond.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

commond.exe

description pid process target process

PID 1844 set thread context of 1384 1844 commond.exe calc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_commond.exe	commond.exe
File opened for modification	C:\Windows\SysWOW64\_commond.exe	commond.exe

description	pid	process	target process
PID 1844 set thread context of 1384	1844	commond.exe	calc.exe

Drops file in Program Files directory 3 IoCs

Processes:

015cb9a468512dc70c56b9c4d3cff7a3_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\commond.exe	015cb9a468512dc70c56b9c4d3cff7a3_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat	015cb9a468512dc70c56b9c4d3cff7a3_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\commond.exe	015cb9a468512dc70c56b9c4d3cff7a3_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2848 1844 WerFault.exe commond.exe

pid	pid_target	process	target process
2848	1844	WerFault.exe	commond.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

015cb9a468512dc70c56b9c4d3cff7a3_JaffaCakes118.execommond.exe

description	pid	process	target process
PID 852 wrote to memory of 1844	852	015cb9a468512dc70c56b9c4d3cff7a3_JaffaCakes118.exe	commond.exe
PID 852 wrote to memory of 1844	852	015cb9a468512dc70c56b9c4d3cff7a3_JaffaCakes118.exe	commond.exe
PID 852 wrote to memory of 1844	852	015cb9a468512dc70c56b9c4d3cff7a3_JaffaCakes118.exe	commond.exe
PID 852 wrote to memory of 1844	852	015cb9a468512dc70c56b9c4d3cff7a3_JaffaCakes118.exe	commond.exe
PID 1844 wrote to memory of 1384	1844	commond.exe	calc.exe
PID 1844 wrote to memory of 1384	1844	commond.exe	calc.exe
PID 1844 wrote to memory of 1384	1844	commond.exe	calc.exe
PID 1844 wrote to memory of 1384	1844	commond.exe	calc.exe
PID 1844 wrote to memory of 1384	1844	commond.exe	calc.exe
PID 1844 wrote to memory of 1384	1844	commond.exe	calc.exe
PID 1844 wrote to memory of 2848	1844	commond.exe	WerFault.exe
PID 1844 wrote to memory of 2848	1844	commond.exe	WerFault.exe
PID 1844 wrote to memory of 2848	1844	commond.exe	WerFault.exe
PID 1844 wrote to memory of 2848	1844	commond.exe	WerFault.exe
PID 852 wrote to memory of 2488	852	015cb9a468512dc70c56b9c4d3cff7a3_JaffaCakes118.exe	cmd.exe
PID 852 wrote to memory of 2488	852	015cb9a468512dc70c56b9c4d3cff7a3_JaffaCakes118.exe	cmd.exe
PID 852 wrote to memory of 2488	852	015cb9a468512dc70c56b9c4d3cff7a3_JaffaCakes118.exe	cmd.exe
PID 852 wrote to memory of 2488	852	015cb9a468512dc70c56b9c4d3cff7a3_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\015cb9a468512dc70c56b9c4d3cff7a3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\015cb9a468512dc70c56b9c4d3cff7a3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:852

C:\Program Files\Common Files\Microsoft Shared\MSINFO\commond.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\commond.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\SysWOW64\calc.exe
"C:\Windows\system32\calc.exe"
3⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 280
3⤵
- Loads dropped DLL
- Program crash
PID:2848

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""
2⤵
- Deletes itself
PID:2488

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\Delet.bat
Filesize
212B

MD5
b4eb7e771ed35a3757787d5943ccaa9f

SHA1
6dbd49b8df50ec9ab668cc05d492563881a42805

SHA256
54aa375d29f5524cb49c2138c54c1714744e0bea0e099c082079853102ab51e9

SHA512
497256927467623b09d0f67d15317554a07bf57574f09f8cfaa11d7bfc0e0b58ad77bafee5a2f57f2bb8c95aacb6c59e2b86120f58fa5a40eb5d7cbca1c771c7

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\commond.exe
Filesize
315KB

MD5
015cb9a468512dc70c56b9c4d3cff7a3

SHA1
0c8f570edc212a8a87775514c5bf4923b58db82b

SHA256
2a9db82801d3302a2027958a3edd85ed7e677be9b60a0b02ee1429993f04c800

SHA512
cc5b1c1c8fd80e4b857bd70e799e7486d04c247e0db894b56d6ba103181fd9d44a8c4e7df6acbb8a90a1270703a5e784e3556d7d00f6da40d3cfdb4a80e45129

Download Submit
memory/852-27-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/852-2-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/852-12-0x0000000002FE0000-0x00000000030F8000-memory.dmp

Filesize
1.1MB

Download
memory/852-0-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/852-28-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/852-1-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/852-37-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/1384-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1384-22-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/1844-13-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/1844-17-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1844-29-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads