modiloader | 4c2ca2e13a3b2ae9c5a55f5c1d2c68bbd6c5834361c735c23e02e365ee81b14f

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b4fc42cbb32187b36c32f69276a9a43_JaffaCakes118.exe
Size

154KB
MD5

1b4fc42cbb32187b36c32f69276a9a43
SHA1

c02ba2c8080f967262baa4f06dcce7878b655e23
SHA256

4c2ca2e13a3b2ae9c5a55f5c1d2c68bbd6c5834361c735c23e02e365ee81b14f
SHA512

afae33594e1f45fffa961bd7119f335c904c9621aa2e64c25316a5db2dfd2adf731249ff111d9bf3ea0cedb51dee9f38b90f10d03e11367ce86bf8a0fb26e756
SSDEEP

3072:vl+8bQ/Ry/FtVttsFm4qMHbadBJvC0iTFF:48k/G3VAnHbSC/

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
ModiLoader Second Stage 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/1656-32-0x0000000000400000-0x0000000000427000-memory.dmp modiloader_stage2
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

2212 server.exe
Loads dropped DLL 2 IoCs

Processes:

1b4fc42cbb32187b36c32f69276a9a43_JaffaCakes118.exe

pid process

1656 1b4fc42cbb32187b36c32f69276a9a43_JaffaCakes118.exe
1656 1b4fc42cbb32187b36c32f69276a9a43_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

server.exe

pid process

2212 server.exe
2212 server.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2756 DllHost.exe

resource	yara_rule
behavioral1/memory/1656-32-0x0000000000400000-0x0000000000427000-memory.dmp	modiloader_stage2

pid	process
2212	server.exe

pid	process
1656	1b4fc42cbb32187b36c32f69276a9a43_JaffaCakes118.exe
1656	1b4fc42cbb32187b36c32f69276a9a43_JaffaCakes118.exe

pid	process
2212	server.exe
2212	server.exe

pid	process
2756	DllHost.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

1b4fc42cbb32187b36c32f69276a9a43_JaffaCakes118.exeserver.exe

description	pid	process	target process
PID 1656 wrote to memory of 2212	1656	1b4fc42cbb32187b36c32f69276a9a43_JaffaCakes118.exe	server.exe
PID 1656 wrote to memory of 2212	1656	1b4fc42cbb32187b36c32f69276a9a43_JaffaCakes118.exe	server.exe
PID 1656 wrote to memory of 2212	1656	1b4fc42cbb32187b36c32f69276a9a43_JaffaCakes118.exe	server.exe
PID 1656 wrote to memory of 2212	1656	1b4fc42cbb32187b36c32f69276a9a43_JaffaCakes118.exe	server.exe
PID 2212 wrote to memory of 1372	2212	server.exe	Explorer.EXE
PID 2212 wrote to memory of 1372	2212	server.exe	Explorer.EXE
PID 2212 wrote to memory of 1372	2212	server.exe	Explorer.EXE
PID 2212 wrote to memory of 1372	2212	server.exe	Explorer.EXE
PID 2212 wrote to memory of 1372	2212	server.exe	Explorer.EXE
PID 2212 wrote to memory of 1372	2212	server.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\1b4fc42cbb32187b36c32f69276a9a43_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b4fc42cbb32187b36c32f69276a9a43_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2756

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zabour.jpg
Filesize
55KB

MD5
095dc0190f34b162c1027b2108beae8a

SHA1
330fd7aff62e617d7db78aa3411141eeb75e6082

SHA256
5ddd498744efe01380e923f3a29065290c123a129b68c8de52d4d6a6b30014da

SHA512
21da19e0598b84e12386298ff3510644405df82ed804689750c9738bca80c7374ab61c3dcbb061b66b4a6aa4093756e9487195d964257d14280008a814028a72

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
50KB

MD5
2a350ddf46b4104f10d5f6cf34f6b1ef

SHA1
6db06c930bdb38b170a43f56e7659f3fafb4b2fd

SHA256
88afa5f3e6f54a635822b88349820839b2356213f3c7244637faac41b5156cde

SHA512
b62365c55b50d3b6b74c1ab47ab95fa9556b89ab4685811406952035e11d8761a333225d0b2d9ffb4e5159aff23a47a33f8624f0c9351fe3c581c0d5a721e841

Download Submit
memory/1372-13-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/1372-21-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/1656-3-0x0000000002810000-0x0000000002819000-memory.dmp

Filesize
36KB

Download
memory/1656-27-0x00000000029F0000-0x00000000029F2000-memory.dmp

Filesize
8KB

Download
memory/1656-32-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2212-17-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2212-16-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2756-28-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download