modiloader | aeffe55ac5ad1dcce48c5f9732234b95e1dae5df5761d7d406be1990558501e7

General

Target

01c2902659671071d9c607de8067ae5c_JaffaCakes118.exe
Size

306KB
MD5

01c2902659671071d9c607de8067ae5c
SHA1

92264d6427cbb6c7da6173332f2672a3071ff4aa
SHA256

aeffe55ac5ad1dcce48c5f9732234b95e1dae5df5761d7d406be1990558501e7
SHA512

0a65f81a27384f0ba15b20aa184b2c88a946c6d8f5122b3430ebfde534625201cef106dcd0736e2882c4122b12cd309dac1677eea7d485b65b9ccf8f44cc961a
SSDEEP

6144:wQ0IBnz/hXNlJiSchd2wZJRYbQ15kGaBQyQbypTpT7pW4XTPqdyuzVl:w/IJZfJfESbQ15kGwObGtfX0yuZ

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1776-6-0x0000000000400000-0x00000000005040B5-memory.dmp	modiloader_stage2
behavioral1/memory/2868-22-0x0000000000400000-0x00000000005040B5-memory.dmp	modiloader_stage2
behavioral1/memory/2868-18-0x0000000000400000-0x00000000005040B5-memory.dmp	modiloader_stage2
behavioral1/memory/2868-17-0x0000000000400000-0x00000000005040B5-memory.dmp	modiloader_stage2
behavioral1/memory/1776-33-0x0000000000400000-0x00000000005040B5-memory.dmp	modiloader_stage2
behavioral1/memory/2868-34-0x0000000000400000-0x00000000005040B5-memory.dmp	modiloader_stage2
behavioral1/memory/1776-42-0x0000000000400000-0x00000000005040B5-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2576 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

windosmisf.exe

pid process

2868 windosmisf.exe

pid	process
2576	cmd.exe

pid	process
2868	windosmisf.exe

Loads dropped DLL 5 IoCs

Processes:

01c2902659671071d9c607de8067ae5c_JaffaCakes118.exeWerFault.exe

pid	process
1776	01c2902659671071d9c607de8067ae5c_JaffaCakes118.exe
1776	01c2902659671071d9c607de8067ae5c_JaffaCakes118.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe

Drops file in System32 directory 2 IoCs

Processes:

windosmisf.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_windosmisf.exe	windosmisf.exe
File opened for modification	C:\Windows\SysWOW64\_windosmisf.exe	windosmisf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

windosmisf.exe

description pid process target process

PID 2868 set thread context of 2632 2868 windosmisf.exe calc.exe

description	pid	process	target process
PID 2868 set thread context of 2632	2868	windosmisf.exe	calc.exe

Drops file in Program Files directory 3 IoCs

Processes:

01c2902659671071d9c607de8067ae5c_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\windosmisf.exe	01c2902659671071d9c607de8067ae5c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\windosmisf.exe	01c2902659671071d9c607de8067ae5c_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat	01c2902659671071d9c607de8067ae5c_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2732 2868 WerFault.exe windosmisf.exe

pid	pid_target	process	target process
2732	2868	WerFault.exe	windosmisf.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

01c2902659671071d9c607de8067ae5c_JaffaCakes118.exewindosmisf.exe

description	pid	process	target process
PID 1776 wrote to memory of 2868	1776	01c2902659671071d9c607de8067ae5c_JaffaCakes118.exe	windosmisf.exe
PID 1776 wrote to memory of 2868	1776	01c2902659671071d9c607de8067ae5c_JaffaCakes118.exe	windosmisf.exe
PID 1776 wrote to memory of 2868	1776	01c2902659671071d9c607de8067ae5c_JaffaCakes118.exe	windosmisf.exe
PID 1776 wrote to memory of 2868	1776	01c2902659671071d9c607de8067ae5c_JaffaCakes118.exe	windosmisf.exe
PID 2868 wrote to memory of 2632	2868	windosmisf.exe	calc.exe
PID 2868 wrote to memory of 2632	2868	windosmisf.exe	calc.exe
PID 2868 wrote to memory of 2632	2868	windosmisf.exe	calc.exe
PID 2868 wrote to memory of 2632	2868	windosmisf.exe	calc.exe
PID 2868 wrote to memory of 2632	2868	windosmisf.exe	calc.exe
PID 2868 wrote to memory of 2632	2868	windosmisf.exe	calc.exe
PID 2868 wrote to memory of 2732	2868	windosmisf.exe	WerFault.exe
PID 2868 wrote to memory of 2732	2868	windosmisf.exe	WerFault.exe
PID 2868 wrote to memory of 2732	2868	windosmisf.exe	WerFault.exe
PID 2868 wrote to memory of 2732	2868	windosmisf.exe	WerFault.exe
PID 1776 wrote to memory of 2576	1776	01c2902659671071d9c607de8067ae5c_JaffaCakes118.exe	cmd.exe
PID 1776 wrote to memory of 2576	1776	01c2902659671071d9c607de8067ae5c_JaffaCakes118.exe	cmd.exe
PID 1776 wrote to memory of 2576	1776	01c2902659671071d9c607de8067ae5c_JaffaCakes118.exe	cmd.exe
PID 1776 wrote to memory of 2576	1776	01c2902659671071d9c607de8067ae5c_JaffaCakes118.exe	cmd.exe
PID 1776 wrote to memory of 2576	1776	01c2902659671071d9c607de8067ae5c_JaffaCakes118.exe	cmd.exe
PID 1776 wrote to memory of 2576	1776	01c2902659671071d9c607de8067ae5c_JaffaCakes118.exe	cmd.exe
PID 1776 wrote to memory of 2576	1776	01c2902659671071d9c607de8067ae5c_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\01c2902659671071d9c607de8067ae5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01c2902659671071d9c607de8067ae5c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1776

C:\Program Files\Common Files\Microsoft Shared\MSINFO\windosmisf.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\windosmisf.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\calc.exe
"C:\Windows\system32\calc.exe"
3⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 300
3⤵
- Loads dropped DLL
- Program crash
PID:2732

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat""
2⤵
- Deletes itself
PID:2576

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\SetupDel.bat
Filesize
212B

MD5
9106c226dc1f11b95255de541689a4c4

SHA1
8cec43f7f47335f3c594950d4d9dd3ccb636b9b4

SHA256
83f19f90b146ba656176d1b89756f7ddcfe18bfc86c11eecac11476ce0279e1c

SHA512
0a7bcec86a47a64965567837c16cc5134ba56156e7872777891eb0bd57843fa53c49cbedc63f9edbd993bbf21ccd276ee88a867d7d36a817bc9f4bf8252d2461

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\windosmisf.exe
Filesize
306KB

MD5
01c2902659671071d9c607de8067ae5c

SHA1
92264d6427cbb6c7da6173332f2672a3071ff4aa

SHA256
aeffe55ac5ad1dcce48c5f9732234b95e1dae5df5761d7d406be1990558501e7

SHA512
0a65f81a27384f0ba15b20aa184b2c88a946c6d8f5122b3430ebfde534625201cef106dcd0736e2882c4122b12cd309dac1677eea7d485b65b9ccf8f44cc961a

Download Submit
memory/1776-14-0x00000000031C0000-0x00000000032C5000-memory.dmp

Filesize
1.0MB

Download
memory/1776-3-0x0000000000501000-0x0000000000503000-memory.dmp

Filesize
8KB

Download
memory/1776-2-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1776-6-0x0000000000400000-0x00000000005040B5-memory.dmp

Filesize
1.0MB

Download
memory/1776-42-0x0000000000400000-0x00000000005040B5-memory.dmp

Filesize
1.0MB

Download
memory/1776-33-0x0000000000400000-0x00000000005040B5-memory.dmp

Filesize
1.0MB

Download
memory/1776-32-0x0000000000501000-0x0000000000503000-memory.dmp

Filesize
8KB

Download
memory/1776-1-0x0000000000400000-0x00000000005040B5-memory.dmp

Filesize
1.0MB

Download
memory/2632-27-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2632-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2868-15-0x0000000000400000-0x00000000005040B5-memory.dmp

Filesize
1.0MB

Download
memory/2868-16-0x0000000000400000-0x00000000005040B5-memory.dmp

Filesize
1.0MB

Download
memory/2868-17-0x0000000000400000-0x00000000005040B5-memory.dmp

Filesize
1.0MB

Download
memory/2868-34-0x0000000000400000-0x00000000005040B5-memory.dmp

Filesize
1.0MB

Download
memory/2868-18-0x0000000000400000-0x00000000005040B5-memory.dmp

Filesize
1.0MB

Download
memory/2868-22-0x0000000000400000-0x00000000005040B5-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads