modiloader | 3c724d617a161797cd134a4c8babfe4dc02e23bf59d6acbb20f3c8885c1bf0d6

General

Target

0267f3ad68258fd1c208bd01068728bd_JaffaCakes118.exe
Size

735KB
MD5

0267f3ad68258fd1c208bd01068728bd
SHA1

56099f8050cfff61407efef10698c693b194a345
SHA256

3c724d617a161797cd134a4c8babfe4dc02e23bf59d6acbb20f3c8885c1bf0d6
SHA512

23218905208bb20a228da9881d71424151ed8a6165f192990862fbbdae3afe9a32512ae7cf1ce49814cfd6d6e2e16d7e5870dc3c17012448bb33b5f227e85d73
SSDEEP

12288:rmX53KYzEkDAqAlqTfkHyirIIDCcwJ7+x7u+8wlFCR1EmMlXTEK:rm5BzEyAlqTf2yn6AJuCECR1EmKXT3

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

Processes:

resource	yara_rule
\Program Files\Common Files\Microsoft Shared\MSInfo\shvost.exe	modiloader_stage2
behavioral1/memory/2480-20-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/2932-25-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/1576-26-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/2932-31-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

shvost.exe

pid process

1576 shvost.exe

pid	process
1576	shvost.exe

Loads dropped DLL 5 IoCs

Processes:

0267f3ad68258fd1c208bd01068728bd_JaffaCakes118.exeWerFault.exe

pid	process
2932	0267f3ad68258fd1c208bd01068728bd_JaffaCakes118.exe
2932	0267f3ad68258fd1c208bd01068728bd_JaffaCakes118.exe
2100	WerFault.exe
2100	WerFault.exe
2100	WerFault.exe

Drops file in System32 directory 2 IoCs

Processes:

shvost.exe

description ioc process

File created C:\Windows\SysWOW64\_shvost.exe shvost.exe
File opened for modification C:\Windows\SysWOW64\_shvost.exe shvost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

shvost.exe

description pid process target process

PID 1576 set thread context of 2480 1576 shvost.exe calc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_shvost.exe	shvost.exe
File opened for modification	C:\Windows\SysWOW64\_shvost.exe	shvost.exe

description	pid	process	target process
PID 1576 set thread context of 2480	1576	shvost.exe	calc.exe

Drops file in Program Files directory 2 IoCs

Processes:

0267f3ad68258fd1c208bd01068728bd_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\shvost.exe	0267f3ad68258fd1c208bd01068728bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\shvost.exe	0267f3ad68258fd1c208bd01068728bd_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2100 1576 WerFault.exe shvost.exe

pid	pid_target	process	target process
2100	1576	WerFault.exe	shvost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

0267f3ad68258fd1c208bd01068728bd_JaffaCakes118.exeshvost.exe

description	pid	process	target process
PID 2932 wrote to memory of 1576	2932	0267f3ad68258fd1c208bd01068728bd_JaffaCakes118.exe	shvost.exe
PID 2932 wrote to memory of 1576	2932	0267f3ad68258fd1c208bd01068728bd_JaffaCakes118.exe	shvost.exe
PID 2932 wrote to memory of 1576	2932	0267f3ad68258fd1c208bd01068728bd_JaffaCakes118.exe	shvost.exe
PID 2932 wrote to memory of 1576	2932	0267f3ad68258fd1c208bd01068728bd_JaffaCakes118.exe	shvost.exe
PID 1576 wrote to memory of 2480	1576	shvost.exe	calc.exe
PID 1576 wrote to memory of 2480	1576	shvost.exe	calc.exe
PID 1576 wrote to memory of 2480	1576	shvost.exe	calc.exe
PID 1576 wrote to memory of 2480	1576	shvost.exe	calc.exe
PID 1576 wrote to memory of 2480	1576	shvost.exe	calc.exe
PID 1576 wrote to memory of 2480	1576	shvost.exe	calc.exe
PID 1576 wrote to memory of 2100	1576	shvost.exe	WerFault.exe
PID 1576 wrote to memory of 2100	1576	shvost.exe	WerFault.exe
PID 1576 wrote to memory of 2100	1576	shvost.exe	WerFault.exe
PID 1576 wrote to memory of 2100	1576	shvost.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\0267f3ad68258fd1c208bd01068728bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0267f3ad68258fd1c208bd01068728bd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2932

C:\Program Files\Common Files\Microsoft Shared\MSINFO\shvost.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\shvost.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\calc.exe
"C:\Windows\system32\calc.exe"
3⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 280
3⤵
- Loads dropped DLL
- Program crash
PID:2100

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Common Files\Microsoft Shared\MSInfo\shvost.exe

Filesize
735KB

MD5
0267f3ad68258fd1c208bd01068728bd

SHA1
56099f8050cfff61407efef10698c693b194a345

SHA256
3c724d617a161797cd134a4c8babfe4dc02e23bf59d6acbb20f3c8885c1bf0d6

SHA512
23218905208bb20a228da9881d71424151ed8a6165f192990862fbbdae3afe9a32512ae7cf1ce49814cfd6d6e2e16d7e5870dc3c17012448bb33b5f227e85d73

Download Submit
memory/1576-13-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1576-26-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2480-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2480-17-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2480-21-0x0000000000490000-0x0000000000490000-memory.dmp

Download
memory/2480-20-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2932-2-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2932-25-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2932-31-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads