modiloader | b1c7f6bff6a51926e4b05364f3f02794d16e329f72b46d4413d95b2f53a69ef8

General

Target

25d3a71f1444960622531412fe6056d5_JaffaCakes118.exe
Size

627KB
MD5

25d3a71f1444960622531412fe6056d5
SHA1

20318ab09499c60714f9e68e99f0598fdfb977ad
SHA256

b1c7f6bff6a51926e4b05364f3f02794d16e329f72b46d4413d95b2f53a69ef8
SHA512

36ad5c58c13fc907ddeada415bb05d895952795ccc546a5ac80538d5901ed3289b750f914c3769d0027aeb3bab075b319fc7f2d255ff8ca688a415665061a532
SSDEEP

12288:zHz3K7yEK4TRCR+atjgKA563tF3Z4mxxKTkmJ0Y24VzRpDHMi:H2yuTRC+MtQmXzmOY/h4i

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/4660-35-0x0000000000400000-0x0000000000513000-memory.dmp	modiloader_stage2
behavioral2/memory/2168-38-0x0000000000400000-0x0000000000513000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
2168	1.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_1.exe	1.exe
File opened for modification	C:\Windows\SysWOW64\_1.exe	1.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2168 set thread context of 4524	2168	1.exe	79

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\1.exe	25d3a71f1444960622531412fe6056d5_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\1.exe	25d3a71f1444960622531412fe6056d5_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat	25d3a71f1444960622531412fe6056d5_JaffaCakes118.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3784	4524	WerFault.exe	79
5008	2168	WerFault.exe	78

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 2168	4660	25d3a71f1444960622531412fe6056d5_JaffaCakes118.exe	78
PID 4660 wrote to memory of 2168	4660	25d3a71f1444960622531412fe6056d5_JaffaCakes118.exe	78
PID 4660 wrote to memory of 2168	4660	25d3a71f1444960622531412fe6056d5_JaffaCakes118.exe	78
PID 2168 wrote to memory of 4524	2168	1.exe	79
PID 2168 wrote to memory of 4524	2168	1.exe	79
PID 2168 wrote to memory of 4524	2168	1.exe	79
PID 2168 wrote to memory of 4524	2168	1.exe	79
PID 2168 wrote to memory of 4524	2168	1.exe	79
PID 2168 wrote to memory of 436	2168	1.exe	81
PID 2168 wrote to memory of 436	2168	1.exe	81
PID 4660 wrote to memory of 1324	4660	25d3a71f1444960622531412fe6056d5_JaffaCakes118.exe	86
PID 4660 wrote to memory of 1324	4660	25d3a71f1444960622531412fe6056d5_JaffaCakes118.exe	86
PID 4660 wrote to memory of 1324	4660	25d3a71f1444960622531412fe6056d5_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\25d3a71f1444960622531412fe6056d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25d3a71f1444960622531412fe6056d5_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\1.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\1.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:4524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 12
      4⤵
      Program crash
      PID:3784
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 688
    3⤵
    - Program crash
    PID:5008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat""
  2⤵
  PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4524 -ip 4524
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2168 -ip 2168
1⤵
PID:1548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat

Filesize
212B

MD5
5bbf68f9cf59d121dd6f23eb21a56184

SHA1
c3784da68973f367111e8fdb873331d50430d1ff

SHA256
c6903edba56dbac120d1afdbb0dd48c86a446ece7c11eba46e0f2ac926539f74

SHA512
af2e86f034ac9db206c85cc7c9f34375ec927f4b0137b3fdad7cbe227a4c8b9a30600127b00075d8d60eba63b9364eca26aa10ea607727e8ff39f844e80e478f

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\1.exe

Filesize
627KB

MD5
25d3a71f1444960622531412fe6056d5

SHA1
20318ab09499c60714f9e68e99f0598fdfb977ad

SHA256
b1c7f6bff6a51926e4b05364f3f02794d16e329f72b46d4413d95b2f53a69ef8

SHA512
36ad5c58c13fc907ddeada415bb05d895952795ccc546a5ac80538d5901ed3289b750f914c3769d0027aeb3bab075b319fc7f2d255ff8ca688a415665061a532

Download Submit
memory/2168-39-0x0000000002100000-0x0000000002154000-memory.dmp

Filesize
336KB

Download
memory/2168-38-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2168-26-0x0000000002100000-0x0000000002154000-memory.dmp

Filesize
336KB

Download
memory/4524-29-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/4660-8-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/4660-4-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4660-7-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/4660-15-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/4660-19-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/4660-18-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/4660-17-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/4660-16-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/4660-14-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/4660-6-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/4660-5-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/4660-0-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/4660-3-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/4660-2-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/4660-20-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/4660-9-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/4660-10-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/4660-11-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/4660-33-0x0000000000415000-0x0000000000416000-memory.dmp

Filesize
4KB

Download
memory/4660-35-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/4660-36-0x00000000022E0000-0x0000000002334000-memory.dmp

Filesize
336KB

Download
memory/4660-12-0x00000000034C0000-0x00000000034C3000-memory.dmp

Filesize
12KB

Download
memory/4660-13-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/4660-1-0x00000000022E0000-0x0000000002334000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing