modiloader | 9579ccf853d309acb8c5a5a46b980b31380b17e7b3de0268a6c66e40636f83e6

Analysis

max time kernel
140s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 12:49

Target

1a2e2f0a4bd39cc5354a6afdfcccadf9_JaffaCakes118.exe
Size

27KB
MD5

1a2e2f0a4bd39cc5354a6afdfcccadf9
SHA1

58547848ed0072732979bf49ff937772fd011983
SHA256

9579ccf853d309acb8c5a5a46b980b31380b17e7b3de0268a6c66e40636f83e6
SHA512

64be3d5a5a1c744ffb964106ccec67934eb8e18b1684705decaef0ec33a57cdfb08ac7d9eb38804a068c9f0190f612d326f507bebbbfc6502058cff0f8bd7ed5
SSDEEP

768:jwJpFHSLyupC2/kPWjWWY/mmS9qRjzfH46uM:jwJpFHSOuopPWjx9qFH46uM

Score

10^/10

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4236-14-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/4924-17-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

wmsj.exe

pid process

4924 wmsj.exe
Loads dropped DLL 2 IoCs

Processes:

wmsj.exe

pid process

4924 wmsj.exe
4924 wmsj.exe

pid	process
4924	wmsj.exe

pid	process
4924	wmsj.exe
4924	wmsj.exe

Drops file in Windows directory 5 IoCs

Processes:

1a2e2f0a4bd39cc5354a6afdfcccadf9_JaffaCakes118.exewmsj.exe

description	ioc	process
File created	C:\Windows\video.dll	1a2e2f0a4bd39cc5354a6afdfcccadf9_JaffaCakes118.exe
File created	C:\Windows\wmsj.exe	1a2e2f0a4bd39cc5354a6afdfcccadf9_JaffaCakes118.exe
File opened for modification	C:\Windows\wmsj.exe	1a2e2f0a4bd39cc5354a6afdfcccadf9_JaffaCakes118.exe
File created	C:\Windows\video.dll	wmsj.exe
File created	C:\Windows\wmsj.exe	wmsj.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wmsj.exe

pid process

4924 wmsj.exe

pid	process
4924	wmsj.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1a2e2f0a4bd39cc5354a6afdfcccadf9_JaffaCakes118.exe

description	pid	process	target process
PID 4236 wrote to memory of 4924	4236	1a2e2f0a4bd39cc5354a6afdfcccadf9_JaffaCakes118.exe	wmsj.exe
PID 4236 wrote to memory of 4924	4236	1a2e2f0a4bd39cc5354a6afdfcccadf9_JaffaCakes118.exe	wmsj.exe
PID 4236 wrote to memory of 4924	4236	1a2e2f0a4bd39cc5354a6afdfcccadf9_JaffaCakes118.exe	wmsj.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4456,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=1304 /prefetch:8
1⤵
PID:3468

C:\Windows\video.dll
Filesize
35KB

MD5
487db26d497514d94e4ccbc66a43faae

SHA1
e7cb4050ec799bc7266649bbbdd3a84cee9b4d95

SHA256
b4a5216bd5504bc90410565bacb65e9a1a0eacd1138cb177a45ea3345fdd7c47

SHA512
9676f8ed46e64228f7e461405be187bfcc49a9d9e223934f6003ac6d1d530353fbe87aa4e046dc43d9030a0dae0f47a0069773f01f3707fb9f084791e3fb62ff

Download Submit
C:\Windows\wmsj.exe
Filesize
27KB

MD5
1a2e2f0a4bd39cc5354a6afdfcccadf9

SHA1
58547848ed0072732979bf49ff937772fd011983

SHA256
9579ccf853d309acb8c5a5a46b980b31380b17e7b3de0268a6c66e40636f83e6

SHA512
64be3d5a5a1c744ffb964106ccec67934eb8e18b1684705decaef0ec33a57cdfb08ac7d9eb38804a068c9f0190f612d326f507bebbbfc6502058cff0f8bd7ed5

Download Submit
memory/4236-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4236-14-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4924-11-0x00000000004B0000-0x00000000004BE000-memory.dmp

Filesize
56KB

Download
memory/4924-15-0x00000000004B0000-0x00000000004BE000-memory.dmp

Filesize
56KB

Download
memory/4924-17-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download