modiloader | e38c0d4a0dc32a7522228bc357288b2a848a85660ae5ee0224162823f6130026

Analysis

max time kernel
143s
max time network
126s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

174c85c315f791137ba772323832e3a8_JaffaCakes118.exe
Size

684KB
MD5

174c85c315f791137ba772323832e3a8
SHA1

51a1a72e1aa3c35872ec6b7f97cc81712e84bbaa
SHA256

e38c0d4a0dc32a7522228bc357288b2a848a85660ae5ee0224162823f6130026
SHA512

8f2510a4356deaca34f8be3c36802368acce2a79dac01645dfcf299e8ded3180ced8c0073cf931ec7200609203f955eaa1ab300eaad01e7a88775ab5fd54d70c
SSDEEP

12288:Ij2w3rk+yiBbhfHTtltLQ8UOYeCytF3Z4mxxdCpde+o1ZUT:IjzFBbhfzrtLx6eCytQmXdCphony

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2988-66-0x0000000000400000-0x000000000056B000-memory.dmp	modiloader_stage2
behavioral1/memory/2632-67-0x0000000000400000-0x000000000056B000-memory.dmp	modiloader_stage2
behavioral1/memory/2988-78-0x0000000000400000-0x000000000056B000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1616 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

re47.exe

pid process

2632 re47.exe
Loads dropped DLL 5 IoCs

Processes:

174c85c315f791137ba772323832e3a8_JaffaCakes118.exeWerFault.exe

pid process

2988 174c85c315f791137ba772323832e3a8_JaffaCakes118.exe
2988 174c85c315f791137ba772323832e3a8_JaffaCakes118.exe
2752 WerFault.exe
2752 WerFault.exe
2752 WerFault.exe
Drops file in System32 directory 2 IoCs

Processes:

re47.exe

description ioc process

File created C:\Windows\SysWOW64\_re47.exe re47.exe
File opened for modification C:\Windows\SysWOW64\_re47.exe re47.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

re47.exe

description pid process target process

PID 2632 set thread context of 2772 2632 re47.exe calc.exe

pid	process
1616	cmd.exe

pid	process
2632	re47.exe

pid	process
2988	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe
2988	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe
2752	WerFault.exe
2752	WerFault.exe
2752	WerFault.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_re47.exe	re47.exe
File opened for modification	C:\Windows\SysWOW64\_re47.exe	re47.exe

description	pid	process	target process
PID 2632 set thread context of 2772	2632	re47.exe	calc.exe

Drops file in Program Files directory 3 IoCs

Processes:

174c85c315f791137ba772323832e3a8_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\re47.exe	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\re47.exe	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2752 2632 WerFault.exe re47.exe

pid	pid_target	process	target process
2752	2632	WerFault.exe	re47.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

174c85c315f791137ba772323832e3a8_JaffaCakes118.exere47.exe

description	pid	process	target process
PID 2988 wrote to memory of 2632	2988	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe	re47.exe
PID 2988 wrote to memory of 2632	2988	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe	re47.exe
PID 2988 wrote to memory of 2632	2988	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe	re47.exe
PID 2988 wrote to memory of 2632	2988	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe	re47.exe
PID 2632 wrote to memory of 2772	2632	re47.exe	calc.exe
PID 2632 wrote to memory of 2772	2632	re47.exe	calc.exe
PID 2632 wrote to memory of 2772	2632	re47.exe	calc.exe
PID 2632 wrote to memory of 2772	2632	re47.exe	calc.exe
PID 2632 wrote to memory of 2772	2632	re47.exe	calc.exe
PID 2632 wrote to memory of 2772	2632	re47.exe	calc.exe
PID 2632 wrote to memory of 2752	2632	re47.exe	WerFault.exe
PID 2632 wrote to memory of 2752	2632	re47.exe	WerFault.exe
PID 2632 wrote to memory of 2752	2632	re47.exe	WerFault.exe
PID 2632 wrote to memory of 2752	2632	re47.exe	WerFault.exe
PID 2988 wrote to memory of 1616	2988	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe	cmd.exe
PID 2988 wrote to memory of 1616	2988	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe	cmd.exe
PID 2988 wrote to memory of 1616	2988	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe	cmd.exe
PID 2988 wrote to memory of 1616	2988	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe	cmd.exe
PID 2988 wrote to memory of 1616	2988	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe	cmd.exe
PID 2988 wrote to memory of 1616	2988	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe	cmd.exe
PID 2988 wrote to memory of 1616	2988	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\174c85c315f791137ba772323832e3a8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\174c85c315f791137ba772323832e3a8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2988

C:\Program Files\Common Files\Microsoft Shared\MSINFO\re47.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\re47.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\SysWOW64\calc.exe
"C:\Windows\system32\calc.exe"
3⤵
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 320
3⤵
- Loads dropped DLL
- Program crash
PID:2752

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat""
2⤵
- Deletes itself
PID:1616

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\SetupDel.bat
Filesize
212B

MD5
b395aaa3de62597701bbc21bac32000f

SHA1
4ef57a9004f46813b9b19908d59c9bbf6a05ef21

SHA256
bad4350c139fae8c9c32a016629cbebad96a9fb7def677690cde5099262ab418

SHA512
5d7eba3274249f68b0edbb994c138ff21423e6c4e913d65953bff5438ef2166a553a18e59a71be7f1620d95219a6f73b971aaacf262db5aecb4fc1ca8f6b9e28

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\re47.exe
Filesize
684KB

MD5
174c85c315f791137ba772323832e3a8

SHA1
51a1a72e1aa3c35872ec6b7f97cc81712e84bbaa

SHA256
e38c0d4a0dc32a7522228bc357288b2a848a85660ae5ee0224162823f6130026

SHA512
8f2510a4356deaca34f8be3c36802368acce2a79dac01645dfcf299e8ded3180ced8c0073cf931ec7200609203f955eaa1ab300eaad01e7a88775ab5fd54d70c

Download Submit
memory/2632-52-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/2632-67-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/2772-56-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2772-58-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/2772-59-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/2988-31-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/2988-27-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2988-7-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2988-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2988-5-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2988-4-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2988-3-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2988-2-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2988-11-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2988-14-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2988-40-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2988-39-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2988-38-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2988-37-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2988-36-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2988-35-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2988-34-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/2988-33-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/2988-32-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/2988-9-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2988-30-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/2988-29-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/2988-28-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2988-8-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2988-26-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/2988-25-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2988-24-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/2988-23-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2988-22-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2988-21-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2988-20-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2988-19-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2988-18-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2988-17-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2988-16-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2988-15-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2988-13-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2988-12-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2988-10-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2988-51-0x0000000003FA0000-0x000000000410B000-memory.dmp

Filesize
1.4MB

Download
memory/2988-49-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/2988-64-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/2988-65-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2988-66-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/2988-1-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/2988-0-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/2988-78-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads