modiloader | d8cc51b45c21626b5acc03d816da15fafaaa791e23e23bed2c1e1d34a37494c7

General

Target

024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe
Size

282KB
MD5

024e1128de08ddaf5fe238d19ea95334
SHA1

4155f64811263c32acdb51be005e141caf387876
SHA256

d8cc51b45c21626b5acc03d816da15fafaaa791e23e23bed2c1e1d34a37494c7
SHA512

9d84805090922df041c425a976c2b3fca556c940ded54eef5bd37579a5a204a5edc72d3a1b08292790817931da182ac89ca923a4240984edfbbc089a0f832414
SSDEEP

3072:c1WnuDl+tchjRCfgSHSEopXUcl1gBWEFSrMpPCxmQ/Ex5L2Ku1m5e1JWKT4V8Y51:qT1KBnoCq1w0Ipim3M1m5e1UKYA0

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2416-24-0x0000000000400000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/2596-25-0x0000000000400000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/2416-38-0x0000000000400000-0x0000000000505000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2568 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

rejoice101.exe

pid process

2596 rejoice101.exe

pid	process
2568	cmd.exe

pid	process
2596	rejoice101.exe

Loads dropped DLL 5 IoCs

Processes:

024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exeWerFault.exe

pid	process
2416	024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe
2416	024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe
2660	WerFault.exe
2660	WerFault.exe
2660	WerFault.exe

Drops file in System32 directory 2 IoCs

Processes:

rejoice101.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_rejoice101.exe	rejoice101.exe
File opened for modification	C:\Windows\SysWOW64\_rejoice101.exe	rejoice101.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rejoice101.exe

description pid process target process

PID 2596 set thread context of 2608 2596 rejoice101.exe calc.exe

description	pid	process	target process
PID 2596 set thread context of 2608	2596	rejoice101.exe	calc.exe

Drops file in Program Files directory 3 IoCs

Processes:

024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe	024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe	024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SxDel.bat	024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2660 2596 WerFault.exe rejoice101.exe

pid	pid_target	process	target process
2660	2596	WerFault.exe	rejoice101.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exerejoice101.exe

description	pid	process	target process
PID 2416 wrote to memory of 2596	2416	024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe	rejoice101.exe
PID 2416 wrote to memory of 2596	2416	024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe	rejoice101.exe
PID 2416 wrote to memory of 2596	2416	024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe	rejoice101.exe
PID 2416 wrote to memory of 2596	2416	024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe	rejoice101.exe
PID 2596 wrote to memory of 2608	2596	rejoice101.exe	calc.exe
PID 2596 wrote to memory of 2608	2596	rejoice101.exe	calc.exe
PID 2596 wrote to memory of 2608	2596	rejoice101.exe	calc.exe
PID 2596 wrote to memory of 2608	2596	rejoice101.exe	calc.exe
PID 2596 wrote to memory of 2608	2596	rejoice101.exe	calc.exe
PID 2596 wrote to memory of 2608	2596	rejoice101.exe	calc.exe
PID 2596 wrote to memory of 2660	2596	rejoice101.exe	WerFault.exe
PID 2596 wrote to memory of 2660	2596	rejoice101.exe	WerFault.exe
PID 2596 wrote to memory of 2660	2596	rejoice101.exe	WerFault.exe
PID 2596 wrote to memory of 2660	2596	rejoice101.exe	WerFault.exe
PID 2416 wrote to memory of 2568	2416	024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe	cmd.exe
PID 2416 wrote to memory of 2568	2416	024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe	cmd.exe
PID 2416 wrote to memory of 2568	2416	024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe	cmd.exe
PID 2416 wrote to memory of 2568	2416	024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2416

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\calc.exe
"C:\Windows\system32\calc.exe"
3⤵
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 280
3⤵
- Loads dropped DLL
- Program crash
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SxDel.bat""
2⤵
- Deletes itself
PID:2568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\SxDel.bat

Filesize
212B

MD5
c14f2598c064ca40aa677fa716e4c07c

SHA1
5b5711bbe721ca60d6e004b80c2645698bace8d5

SHA256
470f72ea15131621fe66c032e353516eb934f6c551d6e99968f36c30bff36f6f

SHA512
f780b1971b08ebf47bec6f4e190246fae725115ce90b8757424e00df6ceb3894c5ecd37ca9c9700df9bc79b4d6014d4602d5907d50a0e4ddc10d85f549cfa989

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice101.exe

Filesize
282KB

MD5
024e1128de08ddaf5fe238d19ea95334

SHA1
4155f64811263c32acdb51be005e141caf387876

SHA256
d8cc51b45c21626b5acc03d816da15fafaaa791e23e23bed2c1e1d34a37494c7

SHA512
9d84805090922df041c425a976c2b3fca556c940ded54eef5bd37579a5a204a5edc72d3a1b08292790817931da182ac89ca923a4240984edfbbc089a0f832414

Download Submit
memory/2416-0-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2416-1-0x00000000004FF000-0x0000000000501000-memory.dmp

Filesize
8KB

Download
memory/2416-10-0x0000000003010000-0x0000000003115000-memory.dmp

Filesize
1.0MB

Download
memory/2416-24-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2416-26-0x00000000004FF000-0x0000000000501000-memory.dmp

Filesize
8KB

Download
memory/2416-38-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2596-12-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2596-25-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2608-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2608-19-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads