modiloader | d8cc51b45c21626b5acc03d816da15fafaaa791e23e23bed2c1e1d34a37494c7

General

Target

024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe
Size

282KB
MD5

024e1128de08ddaf5fe238d19ea95334
SHA1

4155f64811263c32acdb51be005e141caf387876
SHA256

d8cc51b45c21626b5acc03d816da15fafaaa791e23e23bed2c1e1d34a37494c7
SHA512

9d84805090922df041c425a976c2b3fca556c940ded54eef5bd37579a5a204a5edc72d3a1b08292790817931da182ac89ca923a4240984edfbbc089a0f832414
SSDEEP

3072:c1WnuDl+tchjRCfgSHSEopXUcl1gBWEFSrMpPCxmQ/Ex5L2Ku1m5e1JWKT4V8Y51:qT1KBnoCq1w0Ipim3M1m5e1UKYA0

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1160-15-0x0000000000400000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral2/memory/2976-17-0x0000000000400000-0x0000000000505000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

rejoice101.exe

pid process

1160 rejoice101.exe

pid	process
1160	rejoice101.exe

Drops file in System32 directory 2 IoCs

Processes:

rejoice101.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_rejoice101.exe	rejoice101.exe
File opened for modification	C:\Windows\SysWOW64\_rejoice101.exe	rejoice101.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

rejoice101.exe

description	pid	process	target process
PID 1160 set thread context of 1316	1160	rejoice101.exe	calc.exe
PID 1160 set thread context of 4788	1160	rejoice101.exe	notepad.exe

Drops file in Program Files directory 3 IoCs

Processes:

024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe	024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe	024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SxDel.bat	024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4076 4788 WerFault.exe notepad.exe
2260 1316 WerFault.exe calc.exe

pid	pid_target	process	target process
4076	4788	WerFault.exe	notepad.exe
2260	1316	WerFault.exe	calc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exerejoice101.exe

description	pid	process	target process
PID 2976 wrote to memory of 1160	2976	024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe	rejoice101.exe
PID 2976 wrote to memory of 1160	2976	024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe	rejoice101.exe
PID 2976 wrote to memory of 1160	2976	024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe	rejoice101.exe
PID 1160 wrote to memory of 1316	1160	rejoice101.exe	calc.exe
PID 1160 wrote to memory of 1316	1160	rejoice101.exe	calc.exe
PID 1160 wrote to memory of 1316	1160	rejoice101.exe	calc.exe
PID 1160 wrote to memory of 1316	1160	rejoice101.exe	calc.exe
PID 1160 wrote to memory of 1316	1160	rejoice101.exe	calc.exe
PID 1160 wrote to memory of 4788	1160	rejoice101.exe	notepad.exe
PID 1160 wrote to memory of 4788	1160	rejoice101.exe	notepad.exe
PID 1160 wrote to memory of 4788	1160	rejoice101.exe	notepad.exe
PID 1160 wrote to memory of 4788	1160	rejoice101.exe	notepad.exe
PID 1160 wrote to memory of 4788	1160	rejoice101.exe	notepad.exe
PID 2976 wrote to memory of 4576	2976	024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe	cmd.exe
PID 2976 wrote to memory of 4576	2976	024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe	cmd.exe
PID 2976 wrote to memory of 4576	2976	024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\024e1128de08ddaf5fe238d19ea95334_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2976

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\calc.exe
"C:\Windows\system32\calc.exe"
3⤵
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 12
4⤵
- Program crash
PID:2260

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 12
4⤵
- Program crash
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SxDel.bat""
2⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4788 -ip 4788
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1316 -ip 1316
1⤵
PID:3720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\SxDel.bat

Filesize
212B

MD5
c14f2598c064ca40aa677fa716e4c07c

SHA1
5b5711bbe721ca60d6e004b80c2645698bace8d5

SHA256
470f72ea15131621fe66c032e353516eb934f6c551d6e99968f36c30bff36f6f

SHA512
f780b1971b08ebf47bec6f4e190246fae725115ce90b8757424e00df6ceb3894c5ecd37ca9c9700df9bc79b4d6014d4602d5907d50a0e4ddc10d85f549cfa989

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\rejoice101.exe

Filesize
282KB

MD5
024e1128de08ddaf5fe238d19ea95334

SHA1
4155f64811263c32acdb51be005e141caf387876

SHA256
d8cc51b45c21626b5acc03d816da15fafaaa791e23e23bed2c1e1d34a37494c7

SHA512
9d84805090922df041c425a976c2b3fca556c940ded54eef5bd37579a5a204a5edc72d3a1b08292790817931da182ac89ca923a4240984edfbbc089a0f832414

Download Submit
memory/1160-7-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/1160-15-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/1316-10-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2976-0-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2976-1-0x00000000004FF000-0x0000000000501000-memory.dmp

Filesize
8KB

Download
memory/2976-17-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads