modiloader | 5dc029079a56ef68777277db16d8fdce88033a8b06039d8913db07a05c922ff0

General

Target

01df1cf027a2b00995077937757b536d_JaffaCakes118.exe
Size

655KB
MD5

01df1cf027a2b00995077937757b536d
SHA1

df9bd5a62ed88fd8a6224a1f5a0027539b10095c
SHA256

5dc029079a56ef68777277db16d8fdce88033a8b06039d8913db07a05c922ff0
SHA512

613f749786d9f01c259e8630f7b522c0d1286c9defc40c6a3d0f2587a207d2c3e69b0a6de2691ca86e90325946e60d208e39bee9aa422d4607b21cf856ae649c
SSDEEP

12288:edFgzkLGsYVzGuDWJRE+NENaI3ZTq8mEF3Z4mxxKRDpCx8toXLCTw:LzLz1Gu+WJ3ZmpEQmXPNCs

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3640-38-0x0000000000400000-0x0000000000521000-memory.dmp	modiloader_stage2
behavioral2/memory/4580-41-0x0000000000400000-0x0000000000521000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

coinme.exe

pid process

4580 coinme.exe
Drops file in System32 directory 2 IoCs

Processes:

coinme.exe

description ioc process

File created C:\Windows\SysWOW64\_coinme.exe coinme.exe
File opened for modification C:\Windows\SysWOW64\_coinme.exe coinme.exe

pid	process
4580	coinme.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_coinme.exe	coinme.exe
File opened for modification	C:\Windows\SysWOW64\_coinme.exe	coinme.exe

Drops file in Program Files directory 3 IoCs

Processes:

01df1cf027a2b00995077937757b536d_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\coinme.exe	01df1cf027a2b00995077937757b536d_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\coinme.exe	01df1cf027a2b00995077937757b536d_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat	01df1cf027a2b00995077937757b536d_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5092 4580 WerFault.exe coinme.exe

pid	pid_target	process	target process
5092	4580	WerFault.exe	coinme.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

01df1cf027a2b00995077937757b536d_JaffaCakes118.execoinme.exe

description	pid	process	target process
PID 3640 wrote to memory of 4580	3640	01df1cf027a2b00995077937757b536d_JaffaCakes118.exe	coinme.exe
PID 3640 wrote to memory of 4580	3640	01df1cf027a2b00995077937757b536d_JaffaCakes118.exe	coinme.exe
PID 3640 wrote to memory of 4580	3640	01df1cf027a2b00995077937757b536d_JaffaCakes118.exe	coinme.exe
PID 4580 wrote to memory of 2500	4580	coinme.exe	IEXPLORE.EXE
PID 4580 wrote to memory of 2500	4580	coinme.exe	IEXPLORE.EXE
PID 3640 wrote to memory of 1464	3640	01df1cf027a2b00995077937757b536d_JaffaCakes118.exe	cmd.exe
PID 3640 wrote to memory of 1464	3640	01df1cf027a2b00995077937757b536d_JaffaCakes118.exe	cmd.exe
PID 3640 wrote to memory of 1464	3640	01df1cf027a2b00995077937757b536d_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\01df1cf027a2b00995077937757b536d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01df1cf027a2b00995077937757b536d_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3640

C:\Program Files\Common Files\Microsoft Shared\MSINFO\coinme.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\coinme.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4580

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
3⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 684
3⤵
- Program crash
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
2⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4580 -ip 4580
1⤵
PID:5060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat
Filesize
212B

MD5
5de93657922f46fb2793b397ebaafc85

SHA1
1078b4085948ee7c83b6c0a5755dd7671929883d

SHA256
089e8088a467b0be0595f659949ba0f95ec4cbc1d7478256f9bf1dfaca957ee3

SHA512
bf2474d9cb1eff29aa6341948b02619b949cc49e654eadc65e90a45e1c19e48d0d959601499ad2f6ac2180bdb3be1771220575389b71b15db2de4a0c05510579

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSINFO\coinme.exe
Filesize
655KB

MD5
01df1cf027a2b00995077937757b536d

SHA1
df9bd5a62ed88fd8a6224a1f5a0027539b10095c

SHA256
5dc029079a56ef68777277db16d8fdce88033a8b06039d8913db07a05c922ff0

SHA512
613f749786d9f01c259e8630f7b522c0d1286c9defc40c6a3d0f2587a207d2c3e69b0a6de2691ca86e90325946e60d208e39bee9aa422d4607b21cf856ae649c

Download Submit
memory/3640-8-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3640-22-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/3640-0-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/3640-17-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/3640-16-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3640-21-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/3640-20-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3640-19-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/3640-18-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3640-12-0x00000000034D0000-0x00000000034D3000-memory.dmp

Filesize
12KB

Download
memory/3640-11-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3640-10-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/3640-9-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/3640-38-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/3640-13-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/3640-6-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/3640-14-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/3640-5-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/3640-4-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/3640-3-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/3640-2-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/3640-15-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/3640-7-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/3640-1-0x0000000002310000-0x0000000002364000-memory.dmp

Filesize
336KB

Download
memory/3640-36-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/3640-35-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/3640-39-0x0000000002310000-0x0000000002364000-memory.dmp

Filesize
336KB

Download
memory/4580-42-0x00000000021D0000-0x0000000002224000-memory.dmp

Filesize
336KB

Download
memory/4580-29-0x00000000021D0000-0x0000000002224000-memory.dmp

Filesize
336KB

Download
memory/4580-41-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4580-28-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads