modiloader | c84bbac6c96fb70c48c0fee5441d9aa6a21fcbc17e766ce4ef20a6c930fdd710

General

Target

42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe
Size

339KB
MD5

42c91dc7762784de17cbdb418aa3ce50
SHA1

6c3cfd60771e535a7129ab662fde902e7162874b
SHA256

c84bbac6c96fb70c48c0fee5441d9aa6a21fcbc17e766ce4ef20a6c930fdd710
SHA512

4ff0441f1a7b4651d3ed80b0826f64273f64f33e7ac9d127ed29f19648e4b45a9922e8bd1424caa07d91f109989fb3b182099baa8354c07096e07fdb9fc3dea1
SSDEEP

6144:GmDtFZjRO2kNqu3xkspjQcg/+b0Xkz8/PwgooklseavntJE6WA02/wI16d:tvLu35HykoP0qeavnzN/wm

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 8 IoCs

resource	yara_rule
behavioral1/memory/2000-1-0x0000000000400000-0x0000000000559000-memory.dmp	modiloader_stage2
behavioral1/memory/2000-6-0x0000000000400000-0x0000000000559000-memory.dmp	modiloader_stage2
behavioral1/memory/2224-13-0x0000000000400000-0x0000000000559000-memory.dmp	modiloader_stage2
behavioral1/memory/2224-15-0x0000000000400000-0x0000000000559000-memory.dmp	modiloader_stage2
behavioral1/memory/2804-34-0x0000000000400000-0x00000000004AA000-memory.dmp	modiloader_stage2
behavioral1/memory/2224-37-0x0000000000400000-0x0000000000559000-memory.dmp	modiloader_stage2
behavioral1/memory/2452-36-0x0000000000400000-0x0000000000559000-memory.dmp	modiloader_stage2
behavioral1/memory/2000-38-0x0000000000400000-0x0000000000559000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
1284	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2224	SVCH0ST.EXE
2452	SVCH0ST.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2452 set thread context of 2804	2452	SVCH0ST.EXE	34

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SVCH0ST.EXE	42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe
File opened for modification	C:\Windows\SVCH0ST.EXE	42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe
File created	C:\Windows\DaverDel.bat	42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe
File created	C:\Windows\SetupWay.TXT	SVCH0ST.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2224	2000	42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe	30
PID 2000 wrote to memory of 2224	2000	42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe	30
PID 2000 wrote to memory of 2224	2000	42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe	30
PID 2000 wrote to memory of 2224	2000	42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe	30
PID 2000 wrote to memory of 1284	2000	42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe	32
PID 2000 wrote to memory of 1284	2000	42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe	32
PID 2000 wrote to memory of 1284	2000	42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe	32
PID 2000 wrote to memory of 1284	2000	42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe	32
PID 2452 wrote to memory of 2804	2452	SVCH0ST.EXE	34
PID 2452 wrote to memory of 2804	2452	SVCH0ST.EXE	34
PID 2452 wrote to memory of 2804	2452	SVCH0ST.EXE	34
PID 2452 wrote to memory of 2804	2452	SVCH0ST.EXE	34
PID 2452 wrote to memory of 2804	2452	SVCH0ST.EXE	34
PID 2452 wrote to memory of 2804	2452	SVCH0ST.EXE	34

C:\Users\Admin\AppData\Local\Temp\42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SVCH0ST.EXE
  C:\Windows\SVCH0ST.EXE
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\DaverDel.bat
  2⤵
  - Deletes itself
  PID:1284

C:\Windows\SVCH0ST.EXE
C:\Windows\SVCH0ST.EXE
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  PID:2804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\DaverDel.bat

Filesize
212B

MD5
78aec59f9c1882a38582be0831d98847

SHA1
2bae350dfbf097c889b7b365cf179a1dd74c1ad8

SHA256
7f8420fb591e6e8a8860ffd09221d5fecdc05d950ffa05d75e10d83f59229d5e

SHA512
b6586c5ebb7317b061939a3888311b08be2ee5fe492052708983d3828840614e249b22b0fbef666a548ec0dc56acd151ba7c43da87228fbb5f9eaccd4391ad73

Download Submit
C:\Windows\SVCH0ST.EXE

Filesize
339KB

MD5
42c91dc7762784de17cbdb418aa3ce50

SHA1
6c3cfd60771e535a7129ab662fde902e7162874b

SHA256
c84bbac6c96fb70c48c0fee5441d9aa6a21fcbc17e766ce4ef20a6c930fdd710

SHA512
4ff0441f1a7b4651d3ed80b0826f64273f64f33e7ac9d127ed29f19648e4b45a9922e8bd1424caa07d91f109989fb3b182099baa8354c07096e07fdb9fc3dea1

Download Submit
memory/2000-14-0x0000000001E80000-0x0000000001FD9000-memory.dmp

Filesize
1.3MB

Download
memory/2000-1-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2000-5-0x0000000000504000-0x0000000000558000-memory.dmp

Filesize
336KB

Download
memory/2000-0-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2000-38-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2000-6-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2000-2-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2224-15-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2224-37-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2224-13-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2452-19-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2452-20-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2452-18-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2452-36-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2804-34-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2804-32-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2804-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing