modiloader | 0516959d4fff534c129567fe04d9f937d211df181c9c239fc2951dc272a7a909

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b451ba997fefd59151dcc93eae4d847_JaffaCakes118.exe
Size

287KB
MD5

1b451ba997fefd59151dcc93eae4d847
SHA1

9c0e8da1a4209c8f11240374fd9071332c9930d1
SHA256

0516959d4fff534c129567fe04d9f937d211df181c9c239fc2951dc272a7a909
SHA512

6f2f6ee2c7a45e2cac20e29d19d2773fcc1301c9ad67af7cac9114861a77bd423d52dd7b65f6ea99cae0defbbfcb338425e8e8252b9e4ad1fda54059d973637f
SSDEEP

6144:9CvDPOOgaeAtWsBqk7SQrn62ril9+j9bLfUt0DB3o6RH19Igk:9SPfgtAtNUQDhrO9+Vgt0Zok9s

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2580-14-0x0000000000400000-0x0000000000548000-memory.dmp	modiloader_stage2
behavioral1/memory/2408-17-0x0000000000400000-0x0000000000548000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-25-0x0000000000400000-0x0000000000548000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3008 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

cmd.bat

pid process

2408 cmd.bat

pid	process
3008	cmd.exe

pid	process
2408	cmd.bat

Drops file in Windows directory 3 IoCs

Processes:

1b451ba997fefd59151dcc93eae4d847_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\cmd.bat	1b451ba997fefd59151dcc93eae4d847_JaffaCakes118.exe
File opened for modification	C:\Windows\cmd.bat	1b451ba997fefd59151dcc93eae4d847_JaffaCakes118.exe
File created	C:\Windows\SgotoDel.bat	1b451ba997fefd59151dcc93eae4d847_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1300 2408 WerFault.exe cmd.bat

pid	pid_target	process	target process
1300	2408	WerFault.exe	cmd.bat

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1b451ba997fefd59151dcc93eae4d847_JaffaCakes118.execmd.bat

description	pid	process	target process
PID 2580 wrote to memory of 2408	2580	1b451ba997fefd59151dcc93eae4d847_JaffaCakes118.exe	cmd.bat
PID 2580 wrote to memory of 2408	2580	1b451ba997fefd59151dcc93eae4d847_JaffaCakes118.exe	cmd.bat
PID 2580 wrote to memory of 2408	2580	1b451ba997fefd59151dcc93eae4d847_JaffaCakes118.exe	cmd.bat
PID 2580 wrote to memory of 2408	2580	1b451ba997fefd59151dcc93eae4d847_JaffaCakes118.exe	cmd.bat
PID 2408 wrote to memory of 1300	2408	cmd.bat	WerFault.exe
PID 2408 wrote to memory of 1300	2408	cmd.bat	WerFault.exe
PID 2408 wrote to memory of 1300	2408	cmd.bat	WerFault.exe
PID 2408 wrote to memory of 1300	2408	cmd.bat	WerFault.exe
PID 2580 wrote to memory of 3008	2580	1b451ba997fefd59151dcc93eae4d847_JaffaCakes118.exe	cmd.exe
PID 2580 wrote to memory of 3008	2580	1b451ba997fefd59151dcc93eae4d847_JaffaCakes118.exe	cmd.exe
PID 2580 wrote to memory of 3008	2580	1b451ba997fefd59151dcc93eae4d847_JaffaCakes118.exe	cmd.exe
PID 2580 wrote to memory of 3008	2580	1b451ba997fefd59151dcc93eae4d847_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1b451ba997fefd59151dcc93eae4d847_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b451ba997fefd59151dcc93eae4d847_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\cmd.bat
C:\Windows\cmd.bat
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 284
3⤵
- Program crash
PID:1300

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SgotoDel.bat
2⤵
- Deletes itself
PID:3008

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SgotoDel.bat
Filesize
212B

MD5
ea67132a519059cbb202b3a1767a8d0d

SHA1
f2a6982836a8c85d6c1911060ed462a5527540c3

SHA256
f5cd99bdbd38ee995d66b9e0ea62866e48a013048f0700167896d883c58e024e

SHA512
e68454d16d59b2388cd99457d277f0982f904f877c7107f396e782e7d3cd5ac8d0633463daa4177d5a8f7697a8842834ece31705b5fa436a5875c6247eb707fa

Download Submit
C:\Windows\cmd.bat
Filesize
287KB

MD5
1b451ba997fefd59151dcc93eae4d847

SHA1
9c0e8da1a4209c8f11240374fd9071332c9930d1

SHA256
0516959d4fff534c129567fe04d9f937d211df181c9c239fc2951dc272a7a909

SHA512
6f2f6ee2c7a45e2cac20e29d19d2773fcc1301c9ad67af7cac9114861a77bd423d52dd7b65f6ea99cae0defbbfcb338425e8e8252b9e4ad1fda54059d973637f

Download Submit
memory/2408-12-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/2408-17-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/2408-13-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2580-10-0x0000000003110000-0x0000000003258000-memory.dmp

Filesize
1.3MB

Download
memory/2580-0-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/2580-9-0x0000000003110000-0x0000000003258000-memory.dmp

Filesize
1.3MB

Download
memory/2580-14-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/2580-15-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2580-16-0x0000000003110000-0x0000000003258000-memory.dmp

Filesize
1.3MB

Download
memory/2580-2-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2580-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2580-25-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads