modiloader | 5dc029079a56ef68777277db16d8fdce88033a8b06039d8913db07a05c922ff0

General

Target

01df1cf027a2b00995077937757b536d_JaffaCakes118.exe
Size

655KB
MD5

01df1cf027a2b00995077937757b536d
SHA1

df9bd5a62ed88fd8a6224a1f5a0027539b10095c
SHA256

5dc029079a56ef68777277db16d8fdce88033a8b06039d8913db07a05c922ff0
SHA512

613f749786d9f01c259e8630f7b522c0d1286c9defc40c6a3d0f2587a207d2c3e69b0a6de2691ca86e90325946e60d208e39bee9aa422d4607b21cf856ae649c
SSDEEP

12288:edFgzkLGsYVzGuDWJRE+NENaI3ZTq8mEF3Z4mxxKRDpCx8toXLCTw:LzLz1Gu+WJ3ZmpEQmXPNCs

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2012-41-0x0000000000400000-0x0000000000521000-memory.dmp	modiloader_stage2
behavioral1/memory/1264-43-0x0000000000400000-0x0000000000521000-memory.dmp	modiloader_stage2
behavioral1/memory/2012-55-0x0000000000400000-0x0000000000521000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1052 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

coinme.exe

pid process

1264 coinme.exe

pid	process
1052	cmd.exe

pid	process
1264	coinme.exe

Loads dropped DLL 5 IoCs

Processes:

01df1cf027a2b00995077937757b536d_JaffaCakes118.exeWerFault.exe

pid	process
2012	01df1cf027a2b00995077937757b536d_JaffaCakes118.exe
2012	01df1cf027a2b00995077937757b536d_JaffaCakes118.exe
2688	WerFault.exe
2688	WerFault.exe
2688	WerFault.exe

Drops file in System32 directory 2 IoCs

Processes:

coinme.exe

description ioc process

File created C:\Windows\SysWOW64\_coinme.exe coinme.exe
File opened for modification C:\Windows\SysWOW64\_coinme.exe coinme.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_coinme.exe	coinme.exe
File opened for modification	C:\Windows\SysWOW64\_coinme.exe	coinme.exe

Drops file in Program Files directory 3 IoCs

Processes:

01df1cf027a2b00995077937757b536d_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\coinme.exe	01df1cf027a2b00995077937757b536d_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\coinme.exe	01df1cf027a2b00995077937757b536d_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat	01df1cf027a2b00995077937757b536d_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2688 1264 WerFault.exe coinme.exe

pid	pid_target	process	target process
2688	1264	WerFault.exe	coinme.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

01df1cf027a2b00995077937757b536d_JaffaCakes118.execoinme.exe

description	pid	process	target process
PID 2012 wrote to memory of 1264	2012	01df1cf027a2b00995077937757b536d_JaffaCakes118.exe	coinme.exe
PID 2012 wrote to memory of 1264	2012	01df1cf027a2b00995077937757b536d_JaffaCakes118.exe	coinme.exe
PID 2012 wrote to memory of 1264	2012	01df1cf027a2b00995077937757b536d_JaffaCakes118.exe	coinme.exe
PID 2012 wrote to memory of 1264	2012	01df1cf027a2b00995077937757b536d_JaffaCakes118.exe	coinme.exe
PID 1264 wrote to memory of 2688	1264	coinme.exe	WerFault.exe
PID 1264 wrote to memory of 2688	1264	coinme.exe	WerFault.exe
PID 1264 wrote to memory of 2688	1264	coinme.exe	WerFault.exe
PID 1264 wrote to memory of 2688	1264	coinme.exe	WerFault.exe
PID 2012 wrote to memory of 1052	2012	01df1cf027a2b00995077937757b536d_JaffaCakes118.exe	cmd.exe
PID 2012 wrote to memory of 1052	2012	01df1cf027a2b00995077937757b536d_JaffaCakes118.exe	cmd.exe
PID 2012 wrote to memory of 1052	2012	01df1cf027a2b00995077937757b536d_JaffaCakes118.exe	cmd.exe
PID 2012 wrote to memory of 1052	2012	01df1cf027a2b00995077937757b536d_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\01df1cf027a2b00995077937757b536d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01df1cf027a2b00995077937757b536d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2012

C:\Program Files\Common Files\Microsoft Shared\MSINFO\coinme.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\coinme.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 300
3⤵
- Loads dropped DLL
- Program crash
PID:2688

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
2⤵
- Deletes itself
PID:1052

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\ReDelBat.bat
Filesize
212B

MD5
5de93657922f46fb2793b397ebaafc85

SHA1
1078b4085948ee7c83b6c0a5755dd7671929883d

SHA256
089e8088a467b0be0595f659949ba0f95ec4cbc1d7478256f9bf1dfaca957ee3

SHA512
bf2474d9cb1eff29aa6341948b02619b949cc49e654eadc65e90a45e1c19e48d0d959601499ad2f6ac2180bdb3be1771220575389b71b15db2de4a0c05510579

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\coinme.exe
Filesize
655KB

MD5
01df1cf027a2b00995077937757b536d

SHA1
df9bd5a62ed88fd8a6224a1f5a0027539b10095c

SHA256
5dc029079a56ef68777277db16d8fdce88033a8b06039d8913db07a05c922ff0

SHA512
613f749786d9f01c259e8630f7b522c0d1286c9defc40c6a3d0f2587a207d2c3e69b0a6de2691ca86e90325946e60d208e39bee9aa422d4607b21cf856ae649c

Download Submit
memory/1264-47-0x00000000005A0000-0x00000000005F4000-memory.dmp

Filesize
336KB

Download
memory/1264-43-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/1264-33-0x00000000005A0000-0x00000000005F4000-memory.dmp

Filesize
336KB

Download
memory/1264-31-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/2012-5-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

Filesize
4KB

Download
memory/2012-15-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2012-0-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/2012-4-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/2012-3-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2012-2-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/2012-12-0x0000000003390000-0x0000000003393000-memory.dmp

Filesize
12KB

Download
memory/2012-13-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/2012-20-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/2012-19-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download
memory/2012-18-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/2012-17-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2012-16-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/2012-6-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/2012-14-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2012-7-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/2012-8-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/2012-30-0x0000000004700000-0x0000000004821000-memory.dmp

Filesize
1.1MB

Download
memory/2012-9-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/2012-32-0x0000000004700000-0x0000000004821000-memory.dmp

Filesize
1.1MB

Download
memory/2012-41-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/2012-10-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/2012-44-0x0000000000370000-0x00000000003C4000-memory.dmp

Filesize
336KB

Download
memory/2012-11-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/2012-56-0x0000000000370000-0x00000000003C4000-memory.dmp

Filesize
336KB

Download
memory/2012-55-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/2012-1-0x0000000000370000-0x00000000003C4000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads