modiloader | c84bbac6c96fb70c48c0fee5441d9aa6a21fcbc17e766ce4ef20a6c930fdd710

General

Target

42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe
Size

339KB
MD5

42c91dc7762784de17cbdb418aa3ce50
SHA1

6c3cfd60771e535a7129ab662fde902e7162874b
SHA256

c84bbac6c96fb70c48c0fee5441d9aa6a21fcbc17e766ce4ef20a6c930fdd710
SHA512

4ff0441f1a7b4651d3ed80b0826f64273f64f33e7ac9d127ed29f19648e4b45a9922e8bd1424caa07d91f109989fb3b182099baa8354c07096e07fdb9fc3dea1
SSDEEP

6144:GmDtFZjRO2kNqu3xkspjQcg/+b0Xkz8/PwgooklseavntJE6WA02/wI16d:tvLu35HykoP0qeavnzN/wm

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 7 IoCs

resource	yara_rule
behavioral2/memory/4764-6-0x0000000000400000-0x0000000000559000-memory.dmp	modiloader_stage2
behavioral2/memory/4764-3-0x0000000000400000-0x0000000000559000-memory.dmp	modiloader_stage2
behavioral2/memory/2044-12-0x0000000000400000-0x0000000000559000-memory.dmp	modiloader_stage2
behavioral2/memory/4912-23-0x0000000000400000-0x00000000004AA000-memory.dmp	modiloader_stage2
behavioral2/memory/2776-27-0x0000000000400000-0x0000000000559000-memory.dmp	modiloader_stage2
behavioral2/memory/4764-25-0x0000000000400000-0x0000000000559000-memory.dmp	modiloader_stage2
behavioral2/memory/2044-24-0x0000000000400000-0x0000000000559000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2044	SVCH0ST.EXE
2776	SVCH0ST.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2776 set thread context of 4912	2776	SVCH0ST.EXE	90

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SVCH0ST.EXE	42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe
File opened for modification	C:\Windows\SVCH0ST.EXE	42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe
File created	C:\Windows\SetupWay.TXT	SVCH0ST.EXE
File created	C:\Windows\DaverDel.bat	42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process
1176	4912	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 2044	4764	42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe	86
PID 4764 wrote to memory of 2044	4764	42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe	86
PID 4764 wrote to memory of 2044	4764	42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe	86
PID 2776 wrote to memory of 4912	2776	SVCH0ST.EXE	90
PID 2776 wrote to memory of 4912	2776	SVCH0ST.EXE	90
PID 2776 wrote to memory of 4912	2776	SVCH0ST.EXE	90
PID 2776 wrote to memory of 4912	2776	SVCH0ST.EXE	90
PID 2776 wrote to memory of 4912	2776	SVCH0ST.EXE	90
PID 4764 wrote to memory of 2040	4764	42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe	91
PID 4764 wrote to memory of 2040	4764	42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe	91
PID 4764 wrote to memory of 2040	4764	42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\42c91dc7762784de17cbdb418aa3ce50_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\SVCH0ST.EXE
  C:\Windows\SVCH0ST.EXE
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\DaverDel.bat
  2⤵
  PID:2040

C:\Windows\SVCH0ST.EXE
C:\Windows\SVCH0ST.EXE
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  PID:4912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 32
    3⤵
    - Program crash
    PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4912 -ip 4912
1⤵
PID:1880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\DaverDel.bat

Filesize
212B

MD5
78aec59f9c1882a38582be0831d98847

SHA1
2bae350dfbf097c889b7b365cf179a1dd74c1ad8

SHA256
7f8420fb591e6e8a8860ffd09221d5fecdc05d950ffa05d75e10d83f59229d5e

SHA512
b6586c5ebb7317b061939a3888311b08be2ee5fe492052708983d3828840614e249b22b0fbef666a548ec0dc56acd151ba7c43da87228fbb5f9eaccd4391ad73

Download Submit
C:\Windows\SVCH0ST.EXE

Filesize
339KB

MD5
42c91dc7762784de17cbdb418aa3ce50

SHA1
6c3cfd60771e535a7129ab662fde902e7162874b

SHA256
c84bbac6c96fb70c48c0fee5441d9aa6a21fcbc17e766ce4ef20a6c930fdd710

SHA512
4ff0441f1a7b4651d3ed80b0826f64273f64f33e7ac9d127ed29f19648e4b45a9922e8bd1424caa07d91f109989fb3b182099baa8354c07096e07fdb9fc3dea1

Download Submit
memory/2044-24-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2044-12-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2044-13-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2044-11-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2776-17-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2776-27-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2776-16-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2776-18-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4764-3-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4764-0-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4764-6-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4764-26-0x0000000000504000-0x0000000000558000-memory.dmp

Filesize
336KB

Download
memory/4764-25-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4764-2-0x0000000000504000-0x0000000000558000-memory.dmp

Filesize
336KB

Download
memory/4764-1-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4912-23-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download

Analysis

Sharing