modiloader | c8b0b734c6e4b9123e98ed60c823f9afd8c4e90132511b596668995ed6df231f

General

Target

0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
Size

21KB
MD5

0430e14e4b1bf9445c18b0512c534e2a
SHA1

45dacee7f66988e857cd5ee46f7e7251ea98ea8e
SHA256

c8b0b734c6e4b9123e98ed60c823f9afd8c4e90132511b596668995ed6df231f
SHA512

93d544bfe4f287a24200e5c12fc735cab74a9489dc6344f126daabcb8f0490adb9d6f01294398fd4c643a65a0aa6fba423e41dcfcdbc0dd1d694ebd9f630966c
SSDEEP

384:YgNoGOuaUXDsC2//NDyPx9Qz1FLMBiwwNnGMZbhQq+eVCb3H:7NokTSnNDyPx9G1HwSRZNQq+eVCb3H

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2176-5-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/4392-9-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2
behavioral2/memory/2176-12-0x0000000000400000-0x0000000000414000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

tcpip.exe

pid process

2176 tcpip.exe

pid	process
2176	tcpip.exe

Drops file in System32 directory 4 IoCs

Processes:

0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exetcpip.exe

description	ioc	process
File created	C:\Windows\SysWOW64\tcpip.exe	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\tcpip.exe	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\del.bat	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\portable.dll	tcpip.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exetcpip.exe

pid	process
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
2176	tcpip.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
2176	tcpip.exe
2176	tcpip.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exetcpip.exe

description pid process

Token: SeDebugPrivilege 4392 0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
Token: SeDebugPrivilege 2176 tcpip.exe

description	pid	process
Token: SeDebugPrivilege	4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
Token: SeDebugPrivilege	2176	tcpip.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exetcpip.exe

description	pid	process	target process
PID 4392 wrote to memory of 4756	4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe	cmd.exe
PID 4392 wrote to memory of 4756	4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe	cmd.exe
PID 4392 wrote to memory of 4756	4392	0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe	cmd.exe
PID 2176 wrote to memory of 3416	2176	tcpip.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0430e14e4b1bf9445c18b0512c534e2a_JaffaCakes118.exe"
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\del.bat
3⤵
PID:4756

C:\Windows\SysWOW64\tcpip.exe
C:\Windows\SysWOW64\tcpip.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\del.bat

Filesize
210B

MD5
ea5df0f807b968ee5a6c7de831ec648c

SHA1
6f0acbfc69058b692ba13f4730e2dcff4512173e

SHA256
fb313f020aad138508e493f9ff9608c41e43bad73e45c95806251d247a1ee152

SHA512
aeeda6b21f6c63b312a91dcaca06882bcd17f599db1aed4f69df38176b13d2aef651129737abe9d8f0121af0af6d6184bdcf31a1c1bf3c1b9115495f97a519c3

Download Submit
C:\Windows\SysWOW64\tcpip.exe

Filesize
21KB

MD5
0430e14e4b1bf9445c18b0512c534e2a

SHA1
45dacee7f66988e857cd5ee46f7e7251ea98ea8e

SHA256
c8b0b734c6e4b9123e98ed60c823f9afd8c4e90132511b596668995ed6df231f

SHA512
93d544bfe4f287a24200e5c12fc735cab74a9489dc6344f126daabcb8f0490adb9d6f01294398fd4c643a65a0aa6fba423e41dcfcdbc0dd1d694ebd9f630966c

Download Submit
memory/2176-5-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2176-6-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/2176-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4392-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4392-1-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/4392-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads