modiloader | 752b139eb6f1c70c9f3be4a4a39a247384be0356a6c0e7d613529aab5d934873

General

Target

3e9fc5cc1072a41bf2f22d85800638d4_JaffaCakes118.exe
Size

644KB
MD5

3e9fc5cc1072a41bf2f22d85800638d4
SHA1

27aab6ec4b11f9600c0b0444796829adf52f187f
SHA256

752b139eb6f1c70c9f3be4a4a39a247384be0356a6c0e7d613529aab5d934873
SHA512

02eb7dd1e7096c5a69742eb5db9ee547c3dc141cf888f82086f777476b1edd700725dfebc3d49f731761961ed59b8adfcb833c011126d901e2ba326be41efa15
SSDEEP

12288:ONDaP0GAEoXmls1sY0abKNm9SA8F3Z4mxxgDu8YaYr1vPqkDAm7:ONDasGAX3Z09EwlQmXgDu8YTrJ9DR

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral1/memory/2980-41-0x0000000000400000-0x0000000000511000-memory.dmp	modiloader_stage2
behavioral1/memory/3008-42-0x0000000000400000-0x0000000000511000-memory.dmp	modiloader_stage2
behavioral1/memory/2980-57-0x0000000000400000-0x0000000000511000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2660	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3008	Server.exe

Loads dropped DLL 5 IoCs

pid	Process
2980	3e9fc5cc1072a41bf2f22d85800638d4_JaffaCakes118.exe
2980	3e9fc5cc1072a41bf2f22d85800638d4_JaffaCakes118.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_Server.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\_Server.exe	Server.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3008 set thread context of 2876	3008	Server.exe	31

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server.exe	3e9fc5cc1072a41bf2f22d85800638d4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server.exe	3e9fc5cc1072a41bf2f22d85800638d4_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat	3e9fc5cc1072a41bf2f22d85800638d4_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2472	3008	WerFault.exe	30

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 3008	2980	3e9fc5cc1072a41bf2f22d85800638d4_JaffaCakes118.exe	30
PID 2980 wrote to memory of 3008	2980	3e9fc5cc1072a41bf2f22d85800638d4_JaffaCakes118.exe	30
PID 2980 wrote to memory of 3008	2980	3e9fc5cc1072a41bf2f22d85800638d4_JaffaCakes118.exe	30
PID 2980 wrote to memory of 3008	2980	3e9fc5cc1072a41bf2f22d85800638d4_JaffaCakes118.exe	30
PID 3008 wrote to memory of 2876	3008	Server.exe	31
PID 3008 wrote to memory of 2876	3008	Server.exe	31
PID 3008 wrote to memory of 2876	3008	Server.exe	31
PID 3008 wrote to memory of 2876	3008	Server.exe	31
PID 3008 wrote to memory of 2876	3008	Server.exe	31
PID 3008 wrote to memory of 2876	3008	Server.exe	31
PID 3008 wrote to memory of 2472	3008	Server.exe	32
PID 3008 wrote to memory of 2472	3008	Server.exe	32
PID 3008 wrote to memory of 2472	3008	Server.exe	32
PID 3008 wrote to memory of 2472	3008	Server.exe	32
PID 2980 wrote to memory of 2660	2980	3e9fc5cc1072a41bf2f22d85800638d4_JaffaCakes118.exe	34
PID 2980 wrote to memory of 2660	2980	3e9fc5cc1072a41bf2f22d85800638d4_JaffaCakes118.exe	34
PID 2980 wrote to memory of 2660	2980	3e9fc5cc1072a41bf2f22d85800638d4_JaffaCakes118.exe	34
PID 2980 wrote to memory of 2660	2980	3e9fc5cc1072a41bf2f22d85800638d4_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\3e9fc5cc1072a41bf2f22d85800638d4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e9fc5cc1072a41bf2f22d85800638d4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\Server.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\system32\calc.exe"
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 300
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""
  2⤵
  - Deletes itself
  PID:2660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\Delet.bat

Filesize
212B

MD5
e60b9565bc931a6c40545673a7689745

SHA1
02b5237ae99f0a2b16837626d68f95c71552a732

SHA256
c4698ffa1a7e3b8bce882f242d41a880d286871b1fc78e1cfb55d3b8aebd330f

SHA512
357ec10fbb3101d96a89a45404da6310280715db136bec013d5c34c3db456b1724d2d37339ec0f2c6e8a721048e999b2319f93ba896e83b2ec8e7a880b18ebbf

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\Server.exe

Filesize
644KB

MD5
3e9fc5cc1072a41bf2f22d85800638d4

SHA1
27aab6ec4b11f9600c0b0444796829adf52f187f

SHA256
752b139eb6f1c70c9f3be4a4a39a247384be0356a6c0e7d613529aab5d934873

SHA512
02eb7dd1e7096c5a69742eb5db9ee547c3dc141cf888f82086f777476b1edd700725dfebc3d49f731761961ed59b8adfcb833c011126d901e2ba326be41efa15

Download Submit
memory/2876-36-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2876-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2980-6-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/2980-19-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/2980-14-0x0000000003380000-0x0000000003383000-memory.dmp

Filesize
12KB

Download
memory/2980-13-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/2980-12-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/2980-11-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/2980-10-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2980-9-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/2980-8-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/2980-7-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/2980-1-0x0000000001DE0000-0x0000000001E34000-memory.dmp

Filesize
336KB

Download
memory/2980-5-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/2980-4-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/2980-15-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/2980-16-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/2980-27-0x00000000046B0000-0x00000000047C1000-memory.dmp

Filesize
1.1MB

Download
memory/2980-56-0x0000000001DE0000-0x0000000001E34000-memory.dmp

Filesize
336KB

Download
memory/2980-26-0x00000000046B0000-0x00000000047C1000-memory.dmp

Filesize
1.1MB

Download
memory/2980-17-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2980-18-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2980-41-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2980-57-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2980-43-0x0000000001DE0000-0x0000000001E34000-memory.dmp

Filesize
336KB

Download
memory/2980-0-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/3008-42-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/3008-29-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing