modiloader | e89a02b1742f58e50369e103f19f030dc1d31aff33f97dda2f35ef1a938cb7d5

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe
Size

380KB
MD5

19d58529bd859c53f9520a9e2ed3a524
SHA1

542ded1a740d41bc9df36df64703767008d87ab2
SHA256

e89a02b1742f58e50369e103f19f030dc1d31aff33f97dda2f35ef1a938cb7d5
SHA512

bbfa761b443f1243b21f479af77604d9809448636eccc83dc7f273f934ebe7b0d27164c15fb5b9064eeb26084acf4112e84056e14bfc3270578005db5afe3849
SSDEEP

6144:S5emnohbdsdVnyAICBQP7C/aq1HgdxFFzFv9P9TqucPkzd2+9YwA2pIlt0uy0P:HmnQ2znHIC6P7C/pCd9BlPoF6vhYK8P

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2468-14-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/2192-22-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/2468-23-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/2192-27-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral1/memory/2192-36-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2508 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

taskmger.exe

pid process

2468 taskmger.exe
Drops file in System32 directory 2 IoCs

Processes:

taskmger.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\_taskmger.exe taskmger.exe
File created C:\Windows\SysWOW64\_taskmger.exe taskmger.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

taskmger.exe

description pid process target process

PID 2468 set thread context of 3020 2468 taskmger.exe notepad.exe

pid	process
2508	cmd.exe

pid	process
2468	taskmger.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\_taskmger.exe	taskmger.exe
File created	C:\Windows\SysWOW64\_taskmger.exe	taskmger.exe

description	pid	process	target process
PID 2468 set thread context of 3020	2468	taskmger.exe	notepad.exe

Drops file in Windows directory 3 IoCs

Processes:

19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\taskmger.exe	19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe
File opened for modification	C:\Windows\taskmger.exe	19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe
File created	C:\Windows\SxDel.bat	19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2580 2468 WerFault.exe taskmger.exe

pid	pid_target	process	target process
2580	2468	WerFault.exe	taskmger.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exetaskmger.exe

description	pid	process	target process
PID 2192 wrote to memory of 2468	2192	19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe	taskmger.exe
PID 2192 wrote to memory of 2468	2192	19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe	taskmger.exe
PID 2192 wrote to memory of 2468	2192	19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe	taskmger.exe
PID 2192 wrote to memory of 2468	2192	19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe	taskmger.exe
PID 2468 wrote to memory of 3020	2468	taskmger.exe	notepad.exe
PID 2468 wrote to memory of 3020	2468	taskmger.exe	notepad.exe
PID 2468 wrote to memory of 3020	2468	taskmger.exe	notepad.exe
PID 2468 wrote to memory of 3020	2468	taskmger.exe	notepad.exe
PID 2468 wrote to memory of 3020	2468	taskmger.exe	notepad.exe
PID 2468 wrote to memory of 3020	2468	taskmger.exe	notepad.exe
PID 2468 wrote to memory of 2580	2468	taskmger.exe	WerFault.exe
PID 2468 wrote to memory of 2580	2468	taskmger.exe	WerFault.exe
PID 2468 wrote to memory of 2580	2468	taskmger.exe	WerFault.exe
PID 2468 wrote to memory of 2580	2468	taskmger.exe	WerFault.exe
PID 2192 wrote to memory of 2508	2192	19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe	cmd.exe
PID 2192 wrote to memory of 2508	2192	19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe	cmd.exe
PID 2192 wrote to memory of 2508	2192	19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe	cmd.exe
PID 2192 wrote to memory of 2508	2192	19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\taskmger.exe
C:\Windows\taskmger.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 280
3⤵
- Program crash
PID:2580

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SxDel.bat
2⤵
- Deletes itself
PID:2508

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SxDel.bat
Filesize
212B

MD5
02dae0fbbc649edcc12d1bdf5a49bf34

SHA1
06b23264ba12e1f8fcc0a9bb89ce0022d9988c74

SHA256
e0f1c51db66cdc873201d0fa14df2da87bc1ff65e04fd6fc1ae50499b6265095

SHA512
58f806e4195244aef0657a71e4de2fd10191b98b5ced98447c7a1a87f55393e5b2ce88dd6f2ad2ccc9ff8e23f1b40760ee61e5efe6b49c5d2db845820b6c9bdf

Download Submit
C:\Windows\taskmger.exe
Filesize
380KB

MD5
19d58529bd859c53f9520a9e2ed3a524

SHA1
542ded1a740d41bc9df36df64703767008d87ab2

SHA256
e89a02b1742f58e50369e103f19f030dc1d31aff33f97dda2f35ef1a938cb7d5

SHA512
bbfa761b443f1243b21f479af77604d9809448636eccc83dc7f273f934ebe7b0d27164c15fb5b9064eeb26084acf4112e84056e14bfc3270578005db5afe3849

Download Submit
memory/2192-24-0x0000000003000000-0x00000000030BF000-memory.dmp

Filesize
764KB

Download
memory/2192-22-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2192-9-0x0000000003000000-0x00000000030BF000-memory.dmp

Filesize
764KB

Download
memory/2192-36-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2192-10-0x0000000003000000-0x00000000030BF000-memory.dmp

Filesize
764KB

Download
memory/2192-27-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2192-3-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2192-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2468-14-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2468-23-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2468-15-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3020-20-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3020-18-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3020-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads