modiloader | e38c0d4a0dc32a7522228bc357288b2a848a85660ae5ee0224162823f6130026

Analysis

max time kernel
140s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

174c85c315f791137ba772323832e3a8_JaffaCakes118.exe
Size

684KB
MD5

174c85c315f791137ba772323832e3a8
SHA1

51a1a72e1aa3c35872ec6b7f97cc81712e84bbaa
SHA256

e38c0d4a0dc32a7522228bc357288b2a848a85660ae5ee0224162823f6130026
SHA512

8f2510a4356deaca34f8be3c36802368acce2a79dac01645dfcf299e8ded3180ced8c0073cf931ec7200609203f955eaa1ab300eaad01e7a88775ab5fd54d70c
SSDEEP

12288:Ij2w3rk+yiBbhfHTtltLQ8UOYeCytF3Z4mxxdCpde+o1ZUT:IjzFBbhfzrtLx6eCytQmXdCphony

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3460-44-0x0000000000400000-0x000000000056B000-memory.dmp	modiloader_stage2
behavioral2/memory/3460-52-0x0000000000400000-0x000000000056B000-memory.dmp	modiloader_stage2
behavioral2/memory/1644-55-0x0000000000400000-0x000000000056B000-memory.dmp	modiloader_stage2
behavioral2/memory/3460-59-0x0000000000400000-0x000000000056B000-memory.dmp	modiloader_stage2
behavioral2/memory/1644-61-0x0000000000400000-0x000000000056B000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

re47.exe

pid process

1644 re47.exe
Drops file in System32 directory 2 IoCs

Processes:

re47.exe

description ioc process

File created C:\Windows\SysWOW64\_re47.exe re47.exe
File opened for modification C:\Windows\SysWOW64\_re47.exe re47.exe

pid	process
1644	re47.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_re47.exe	re47.exe
File opened for modification	C:\Windows\SysWOW64\_re47.exe	re47.exe

Drops file in Program Files directory 3 IoCs

Processes:

174c85c315f791137ba772323832e3a8_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\re47.exe	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\re47.exe	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1196 1644 WerFault.exe re47.exe
5024 1644 WerFault.exe re47.exe

pid	pid_target	process	target process
1196	1644	WerFault.exe	re47.exe
5024	1644	WerFault.exe	re47.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

174c85c315f791137ba772323832e3a8_JaffaCakes118.exere47.exe

description	pid	process	target process
PID 3460 wrote to memory of 1644	3460	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe	re47.exe
PID 3460 wrote to memory of 1644	3460	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe	re47.exe
PID 3460 wrote to memory of 1644	3460	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe	re47.exe
PID 1644 wrote to memory of 3900	1644	re47.exe	calc.exe
PID 1644 wrote to memory of 3900	1644	re47.exe	calc.exe
PID 1644 wrote to memory of 3900	1644	re47.exe	calc.exe
PID 3460 wrote to memory of 1408	3460	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe	cmd.exe
PID 3460 wrote to memory of 1408	3460	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe	cmd.exe
PID 3460 wrote to memory of 1408	3460	174c85c315f791137ba772323832e3a8_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\174c85c315f791137ba772323832e3a8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\174c85c315f791137ba772323832e3a8_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3460

C:\Program Files\Common Files\Microsoft Shared\MSINFO\re47.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\re47.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 324
3⤵
- Program crash
PID:1196

C:\Windows\SysWOW64\calc.exe
"C:\Windows\system32\calc.exe"
3⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 680
3⤵
- Program crash
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat""
2⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3460 -ip 3460
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1644 -ip 1644
1⤵
PID:1756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1644 -ip 1644
1⤵
PID:1136

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat
Filesize
212B

MD5
b395aaa3de62597701bbc21bac32000f

SHA1
4ef57a9004f46813b9b19908d59c9bbf6a05ef21

SHA256
bad4350c139fae8c9c32a016629cbebad96a9fb7def677690cde5099262ab418

SHA512
5d7eba3274249f68b0edbb994c138ff21423e6c4e913d65953bff5438ef2166a553a18e59a71be7f1620d95219a6f73b971aaacf262db5aecb4fc1ca8f6b9e28

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\re47.exe
Filesize
684KB

MD5
174c85c315f791137ba772323832e3a8

SHA1
51a1a72e1aa3c35872ec6b7f97cc81712e84bbaa

SHA256
e38c0d4a0dc32a7522228bc357288b2a848a85660ae5ee0224162823f6130026

SHA512
8f2510a4356deaca34f8be3c36802368acce2a79dac01645dfcf299e8ded3180ced8c0073cf931ec7200609203f955eaa1ab300eaad01e7a88775ab5fd54d70c

Download Submit
memory/1644-55-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/1644-61-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/3460-0-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/3460-1-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/3460-3-0x0000000000A40000-0x0000000000A94000-memory.dmp

Filesize
336KB

Download
memory/3460-2-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/3460-11-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/3460-10-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/3460-9-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3460-8-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/3460-7-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/3460-6-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/3460-5-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/3460-4-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/3460-36-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/3460-42-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/3460-41-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/3460-40-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/3460-39-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/3460-38-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/3460-37-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/3460-43-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/3460-35-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/3460-34-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/3460-33-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/3460-32-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/3460-31-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/3460-30-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/3460-29-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/3460-28-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/3460-27-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/3460-26-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/3460-25-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3460-24-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/3460-23-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/3460-22-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/3460-21-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/3460-20-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/3460-19-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/3460-18-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/3460-17-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/3460-16-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/3460-15-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/3460-14-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/3460-13-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/3460-12-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/3460-44-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/3460-47-0x0000000000A40000-0x0000000000A94000-memory.dmp

Filesize
336KB

Download
memory/3460-51-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/3460-52-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download
memory/3460-59-0x0000000000400000-0x000000000056B000-memory.dmp

Filesize
1.4MB

Download