modiloader | cafc7143efabe25df6640c29fa90fbd1ea9dfb2266ccae4bb143900b5b648579

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 12:40

Target

1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe
Size

68KB
MD5

1a26a134946f6f3bcc62ec7a0b139f3c
SHA1

7a6fe4fa1878eed2a55d8b7ee2fca5ee423ec771
SHA256

cafc7143efabe25df6640c29fa90fbd1ea9dfb2266ccae4bb143900b5b648579
SHA512

2805814ebd708acd8cc1b1ea3caf2affe99cd29e59ec669f5348a2a1a277a22151a45331b640d98373cd38ab1f657704f055baae5b75579628781ceb41ceeb2f
SSDEEP

1536:kJ9oDIpc//////tBLaPQQfLGMKmkLjewprhQcxUYRRZdI1wB:kDo8pc//////tQDLvKmIjewprdR0A

Score

10^/10

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2204-13-0x0000000000220000-0x0000000000244000-memory.dmp	modiloader_stage2
behavioral1/memory/2204-16-0x0000000000220000-0x0000000000244000-memory.dmp	modiloader_stage2

Loads dropped DLL 1 IoCs

Processes:

1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe

pid process

2204 1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe

description pid process target process

PID 2212 set thread context of 2204 2212 1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe 1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe
Drops file in Program Files directory 1 IoCs

Processes:

1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe

description ioc process

File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\atmQQ2.dll 1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe

description	pid	process	target process
PID 2212 set thread context of 2204	2212	1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe	1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\atmQQ2.dll	1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe

pid	process
2204	1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe
2204	1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe
2204	1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe
2204	1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe

pid process

2204 1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe

description	pid	process	target process
PID 2212 wrote to memory of 2204	2212	1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe	1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe
PID 2212 wrote to memory of 2204	2212	1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe	1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe
PID 2212 wrote to memory of 2204	2212	1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe	1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe
PID 2212 wrote to memory of 2204	2212	1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe	1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe
PID 2212 wrote to memory of 2204	2212	1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe	1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe
PID 2212 wrote to memory of 2204	2212	1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe	1a26a134946f6f3bcc62ec7a0b139f3c_JaffaCakes118.exe

\Program Files\Common Files\Microsoft Shared\MSInfo\atmQQ2.dll
Filesize
21KB

MD5
c84e2ab4249519800152bac12d3a67e0

SHA1
a95da943f19b7a6bbd30f06c7bfc4ddb2faeb6f6

SHA256
407a80d0f37ffea4be14e9c4bb44f117f21d37af8501853622fa7171254fe8a2

SHA512
7cae0cff99d41636fab8151529747f3e7b808d155bd9e7dc01e5555143dbc170e2a839864f64df12f2c58d42bea93601b15dd82a7646254fe7173bbe7c92dc8c

Download Submit
memory/2204-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-13-0x0000000000220000-0x0000000000244000-memory.dmp

Filesize
144KB

Download
memory/2204-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2204-11-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-4-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2204-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-15-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2204-16-0x0000000000220000-0x0000000000244000-memory.dmp

Filesize
144KB

Download
memory/2212-5-0x0000000010000000-0x00000000100185E8-memory.dmp

Filesize
97KB

Download