modiloader | 68f8206c5051a1886a9d9ebf8a4f34836ea7fe24d1b586c59366175a7197590d

General

Target

37b8a1b7e1bbd4ce9b9fba775a7c2360_JaffaCakes118.exe
Size

589KB
MD5

37b8a1b7e1bbd4ce9b9fba775a7c2360
SHA1

dab00012f7c7ef599d92cab953bf0d92bd8b6556
SHA256

68f8206c5051a1886a9d9ebf8a4f34836ea7fe24d1b586c59366175a7197590d
SHA512

850acb85113222a7f282aba02406806ea5c4d1b4c0f733cab182e146ac627359110a16c609a726a0039fd4360147f38d691a1984f02b3a97d29ccdbc351e6081
SSDEEP

12288:Nf2XMrI3s2Okf6TWMZjJfYiw29rNkYKWXpSN1PdHfz+gjHDzW33uEy:Nf28ezOkf6TWsPw8ZXpSNhR6Y0+Ey

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/2792-37-0x0000000000400000-0x000000000059F000-memory.dmp	modiloader_stage2
behavioral1/memory/2440-39-0x0000000000400000-0x000000000059F000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2780	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2792	winiis.exe

Loads dropped DLL 2 IoCs

pid	Process
2440	37b8a1b7e1bbd4ce9b9fba775a7c2360_JaffaCakes118.exe
2440	37b8a1b7e1bbd4ce9b9fba775a7c2360_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winiis.exe	37b8a1b7e1bbd4ce9b9fba775a7c2360_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winiis.exe	37b8a1b7e1bbd4ce9b9fba775a7c2360_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winiis.exe	winiis.exe
File created	C:\Windows\SysWOW64\Deleteme.bat	37b8a1b7e1bbd4ce9b9fba775a7c2360_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2792	2440	37b8a1b7e1bbd4ce9b9fba775a7c2360_JaffaCakes118.exe	31
PID 2440 wrote to memory of 2792	2440	37b8a1b7e1bbd4ce9b9fba775a7c2360_JaffaCakes118.exe	31
PID 2440 wrote to memory of 2792	2440	37b8a1b7e1bbd4ce9b9fba775a7c2360_JaffaCakes118.exe	31
PID 2440 wrote to memory of 2792	2440	37b8a1b7e1bbd4ce9b9fba775a7c2360_JaffaCakes118.exe	31
PID 2440 wrote to memory of 2780	2440	37b8a1b7e1bbd4ce9b9fba775a7c2360_JaffaCakes118.exe	32
PID 2440 wrote to memory of 2780	2440	37b8a1b7e1bbd4ce9b9fba775a7c2360_JaffaCakes118.exe	32
PID 2440 wrote to memory of 2780	2440	37b8a1b7e1bbd4ce9b9fba775a7c2360_JaffaCakes118.exe	32
PID 2440 wrote to memory of 2780	2440	37b8a1b7e1bbd4ce9b9fba775a7c2360_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\37b8a1b7e1bbd4ce9b9fba775a7c2360_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\37b8a1b7e1bbd4ce9b9fba775a7c2360_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\winiis.exe
  C:\Windows\system32\winiis.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  - Deletes itself
  PID:2780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Deleteme.bat

Filesize
212B

MD5
01d6dced09a0ccc04de81911fc9b3f04

SHA1
f9142352d09fdb1b49c5409c8f5f42908da1dee0

SHA256
f47cee710e2115bc447665bb75a5222feb427bffab00aa08facada1a7005c251

SHA512
f1743cfacbea436b471c6f11df859c8a0044e71fab94b0c6f8530e4ecf1c6f50063b5208fcbd4918e8c3ed15da067555597697f3a6edfb1014f1762995d5aba3

Download Submit
\Windows\SysWOW64\winiis.exe

Filesize
589KB

MD5
37b8a1b7e1bbd4ce9b9fba775a7c2360

SHA1
dab00012f7c7ef599d92cab953bf0d92bd8b6556

SHA256
68f8206c5051a1886a9d9ebf8a4f34836ea7fe24d1b586c59366175a7197590d

SHA512
850acb85113222a7f282aba02406806ea5c4d1b4c0f733cab182e146ac627359110a16c609a726a0039fd4360147f38d691a1984f02b3a97d29ccdbc351e6081

Download Submit
memory/2440-10-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/2440-39-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/2440-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2440-3-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/2440-12-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/2440-16-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/2440-15-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2440-14-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2440-13-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/2440-8-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/2440-4-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/2440-5-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/2440-11-0x0000000002B60000-0x0000000002B63000-memory.dmp

Filesize
12KB

Download
memory/2440-7-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/2440-6-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2440-0-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/2440-9-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/2440-26-0x0000000004030000-0x00000000041CF000-memory.dmp

Filesize
1.6MB

Download
memory/2440-25-0x0000000004030000-0x00000000041CF000-memory.dmp

Filesize
1.6MB

Download
memory/2440-1-0x0000000000380000-0x00000000003D0000-memory.dmp

Filesize
320KB

Download
memory/2440-38-0x0000000000380000-0x00000000003D0000-memory.dmp

Filesize
320KB

Download
memory/2792-37-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/2792-28-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing