modiloader | e052e41a78d8ba354df0390060a6e5d23d4e0ea6e738fedb8f9df49314e2785c

Analysis

max time kernel
125s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 23:48

Target

1cfd43135212054e066d11f620a6580b_JaffaCakes118.exe
Size

285KB
MD5

1cfd43135212054e066d11f620a6580b
SHA1

51293bb99347f01e8b52d1639a149f9a5a3de1ef
SHA256

e052e41a78d8ba354df0390060a6e5d23d4e0ea6e738fedb8f9df49314e2785c
SHA512

c53c8b122b9b8b687cc9249dd2c71546d3faf7d723590ec07bdfc3e65e6b6a1109e0043238b2829dee5ed6c836d32cf3314818be1158017fe9dcf843aede3709
SSDEEP

6144:Ly7gYErb/eaB78JAB7MYIQeItHMmYZCpVBr1Ee4YVkT2KedXaofzI:LQgYErb/0JAB7MYIutHMmYwHr1EenKik

Score

10^/10

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4600-11-0x0000000000400000-0x0000000000547000-memory.dmp	modiloader_stage2
behavioral2/memory/4824-12-0x0000000000400000-0x0000000000547000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

360Safe.exe

pid process

4600 360Safe.exe

pid	process
4600	360Safe.exe

Drops file in Program Files directory 3 IoCs

Processes:

1cfd43135212054e066d11f620a6580b_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\360Safe.exe	1cfd43135212054e066d11f620a6580b_JaffaCakes118.exe
File opened for modification	C:\Program Files\360Safe.exe	1cfd43135212054e066d11f620a6580b_JaffaCakes118.exe
File created	C:\Program Files\SgotoDel.bat	1cfd43135212054e066d11f620a6580b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1cfd43135212054e066d11f620a6580b_JaffaCakes118.exe

description	pid	process	target process
PID 4824 wrote to memory of 4600	4824	1cfd43135212054e066d11f620a6580b_JaffaCakes118.exe	360Safe.exe
PID 4824 wrote to memory of 4600	4824	1cfd43135212054e066d11f620a6580b_JaffaCakes118.exe	360Safe.exe
PID 4824 wrote to memory of 4600	4824	1cfd43135212054e066d11f620a6580b_JaffaCakes118.exe	360Safe.exe
PID 4824 wrote to memory of 4524	4824	1cfd43135212054e066d11f620a6580b_JaffaCakes118.exe	cmd.exe
PID 4824 wrote to memory of 4524	4824	1cfd43135212054e066d11f620a6580b_JaffaCakes118.exe	cmd.exe
PID 4824 wrote to memory of 4524	4824	1cfd43135212054e066d11f620a6580b_JaffaCakes118.exe	cmd.exe

C:\Program Files\360Safe.exe
"C:\Program Files\360Safe.exe"
2⤵
- Executes dropped EXE
PID:4600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\SgotoDel.bat""
2⤵
PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4488,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3980 /prefetch:8
1⤵
PID:660

C:\Program Files\360Safe.exe
Filesize
285KB

MD5
1cfd43135212054e066d11f620a6580b

SHA1
51293bb99347f01e8b52d1639a149f9a5a3de1ef

SHA256
e052e41a78d8ba354df0390060a6e5d23d4e0ea6e738fedb8f9df49314e2785c

SHA512
c53c8b122b9b8b687cc9249dd2c71546d3faf7d723590ec07bdfc3e65e6b6a1109e0043238b2829dee5ed6c836d32cf3314818be1158017fe9dcf843aede3709

Download Submit
C:\Program Files\SgotoDel.bat
Filesize
212B

MD5
a7670fc9151710b61cf638b349872fe7

SHA1
94b8df1e499eb1973c4413690e4b6a914aa9d0bd

SHA256
396a12059c492a2dbb6ca15c8353c86c1946543fccbc6bc65cf73d9968608ec8

SHA512
8f223d4194127b8bf59f5f0f3d42fd64d7258d695a04ad10fa1855f66b1087e968f66b041a287956df4b8b28fd40744452be28de7aafa70651a146bacbdf4f08

Download Submit
memory/4600-10-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/4600-11-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/4824-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/4824-0-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/4824-2-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4824-12-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download