modiloader | e89a02b1742f58e50369e103f19f030dc1d31aff33f97dda2f35ef1a938cb7d5

Analysis

max time kernel
94s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 10:46

Target

19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe
Size

380KB
MD5

19d58529bd859c53f9520a9e2ed3a524
SHA1

542ded1a740d41bc9df36df64703767008d87ab2
SHA256

e89a02b1742f58e50369e103f19f030dc1d31aff33f97dda2f35ef1a938cb7d5
SHA512

bbfa761b443f1243b21f479af77604d9809448636eccc83dc7f273f934ebe7b0d27164c15fb5b9064eeb26084acf4112e84056e14bfc3270578005db5afe3849
SSDEEP

6144:S5emnohbdsdVnyAICBQP7C/aq1HgdxFFzFv9P9TqucPkzd2+9YwA2pIlt0uy0P:HmnQ2znHIC6P7C/pCd9BlPoF6vhYK8P

Score

10^/10

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2116-16-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2
behavioral2/memory/468-18-0x0000000000400000-0x00000000004BF000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

taskmger.exe

pid process

468 taskmger.exe
Drops file in System32 directory 2 IoCs

Processes:

taskmger.exe

description ioc process

File created C:\Windows\SysWOW64\_taskmger.exe taskmger.exe
File opened for modification C:\Windows\SysWOW64\_taskmger.exe taskmger.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

taskmger.exe

description pid process target process

PID 468 set thread context of 4592 468 taskmger.exe notepad.exe

pid	process
468	taskmger.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_taskmger.exe	taskmger.exe
File opened for modification	C:\Windows\SysWOW64\_taskmger.exe	taskmger.exe

description	pid	process	target process
PID 468 set thread context of 4592	468	taskmger.exe	notepad.exe

Drops file in Windows directory 3 IoCs

Processes:

19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\taskmger.exe	19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe
File opened for modification	C:\Windows\taskmger.exe	19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe
File created	C:\Windows\SxDel.bat	19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process

4012 468 WerFault.exe
2416 4592 WerFault.exe

pid	pid_target	process
4012	468	WerFault.exe
2416	4592	WerFault.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exetaskmger.exe

description	pid	process	target process
PID 2116 wrote to memory of 468	2116	19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe	taskmger.exe
PID 2116 wrote to memory of 468	2116	19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe	taskmger.exe
PID 2116 wrote to memory of 468	2116	19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe	taskmger.exe
PID 468 wrote to memory of 4592	468	taskmger.exe	notepad.exe
PID 468 wrote to memory of 4592	468	taskmger.exe	notepad.exe
PID 468 wrote to memory of 4592	468	taskmger.exe	notepad.exe
PID 468 wrote to memory of 4592	468	taskmger.exe	notepad.exe
PID 468 wrote to memory of 4592	468	taskmger.exe	notepad.exe
PID 468 wrote to memory of 4260	468	taskmger.exe	IEXPLORE.EXE
PID 468 wrote to memory of 4260	468	taskmger.exe	IEXPLORE.EXE
PID 2116 wrote to memory of 208	2116	19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe	cmd.exe
PID 2116 wrote to memory of 208	2116	19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe	cmd.exe
PID 2116 wrote to memory of 208	2116	19d58529bd859c53f9520a9e2ed3a524_JaffaCakes118.exe	cmd.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 12
4⤵
- Program crash
PID:2416

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
3⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 656
3⤵
- Program crash
PID:4012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SxDel.bat
2⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4592 -ip 4592
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 468 -ip 468
1⤵
PID:732

C:\Windows\SxDel.bat
Filesize
212B

MD5
02dae0fbbc649edcc12d1bdf5a49bf34

SHA1
06b23264ba12e1f8fcc0a9bb89ce0022d9988c74

SHA256
e0f1c51db66cdc873201d0fa14df2da87bc1ff65e04fd6fc1ae50499b6265095

SHA512
58f806e4195244aef0657a71e4de2fd10191b98b5ced98447c7a1a87f55393e5b2ce88dd6f2ad2ccc9ff8e23f1b40760ee61e5efe6b49c5d2db845820b6c9bdf

Download Submit
C:\Windows\SysWOW64\_taskmger.exe
Filesize
380KB

MD5
19d58529bd859c53f9520a9e2ed3a524

SHA1
542ded1a740d41bc9df36df64703767008d87ab2

SHA256
e89a02b1742f58e50369e103f19f030dc1d31aff33f97dda2f35ef1a938cb7d5

SHA512
bbfa761b443f1243b21f479af77604d9809448636eccc83dc7f273f934ebe7b0d27164c15fb5b9064eeb26084acf4112e84056e14bfc3270578005db5afe3849

Download Submit
memory/468-7-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/468-10-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/468-18-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2116-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2116-1-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/2116-16-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4592-11-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download