modiloader | be05462d54258875d49c2cae5c9c5267ccc9c1471e255e9d981b246d2c0e95d1

Analysis

max time kernel
142s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 14:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe
Size

649KB
MD5

1bbce924d9b761a165bff0df9afa458c
SHA1

473bd5e80674cdbfbea6cea4d5b5b392f8aa52af
SHA256

be05462d54258875d49c2cae5c9c5267ccc9c1471e255e9d981b246d2c0e95d1
SHA512

fe8890c7eed45db8a0fd70e55481eee184dd90199701c0f547439862abf21a16a4c822658fedddf62851545a5b91ddf012c46ea3c408df080a553f205df8c7e5
SSDEEP

12288:Dzq4uVpY4TSipHDdpV9NT5cQEOxylLXUD7lyyLzdmf5OZ7Zy:3qJpxHNTORWyEHlyyfdU

Score

10^/10

modiloader aspackv2 trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2204-43-0x0000000000400000-0x000000000051F000-memory.dmp	modiloader_stage2
behavioral1/memory/1408-44-0x0000000000400000-0x000000000051F000-memory.dmp	modiloader_stage2
behavioral1/memory/2204-57-0x0000000000400000-0x000000000051F000-memory.dmp	modiloader_stage2

ASPack v2.12-2.42 1 IoCs
Detects executables packed with ASPack v2.12-2.42
aspackv2

Processes:

resource yara_rule

\Program Files\Common Files\Microsoft Shared\MSInfo\Svchoft.exe aspack_v212_v242
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2092 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

Svchoft.exe

pid process

1408 Svchoft.exe
Loads dropped DLL 5 IoCs

Processes:

1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exeWerFault.exe

pid process

2204 1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe
2204 1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe
2716 WerFault.exe
2716 WerFault.exe
2716 WerFault.exe
Drops file in System32 directory 2 IoCs

Processes:

Svchoft.exe

description ioc process

File created C:\Windows\SysWOW64\_Svchoft.exe Svchoft.exe
File opened for modification C:\Windows\SysWOW64\_Svchoft.exe Svchoft.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Svchoft.exe

description pid process target process

PID 1408 set thread context of 2840 1408 Svchoft.exe mspaint.exe

resource	yara_rule
\Program Files\Common Files\Microsoft Shared\MSInfo\Svchoft.exe	aspack_v212_v242

pid	process
2092	cmd.exe

pid	process
1408	Svchoft.exe

pid	process
2204	1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe
2204	1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe
2716	WerFault.exe
2716	WerFault.exe
2716	WerFault.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_Svchoft.exe	Svchoft.exe
File opened for modification	C:\Windows\SysWOW64\_Svchoft.exe	Svchoft.exe

description	pid	process	target process
PID 1408 set thread context of 2840	1408	Svchoft.exe	mspaint.exe

Drops file in Program Files directory 3 IoCs

Processes:

1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat	1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Svchoft.exe	1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Svchoft.exe	1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2716 1408 WerFault.exe Svchoft.exe

pid	pid_target	process	target process
2716	1408	WerFault.exe	Svchoft.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exeSvchoft.exe

description	pid	process	target process
PID 2204 wrote to memory of 1408	2204	1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe	Svchoft.exe
PID 2204 wrote to memory of 1408	2204	1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe	Svchoft.exe
PID 2204 wrote to memory of 1408	2204	1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe	Svchoft.exe
PID 2204 wrote to memory of 1408	2204	1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe	Svchoft.exe
PID 1408 wrote to memory of 2840	1408	Svchoft.exe	mspaint.exe
PID 1408 wrote to memory of 2840	1408	Svchoft.exe	mspaint.exe
PID 1408 wrote to memory of 2840	1408	Svchoft.exe	mspaint.exe
PID 1408 wrote to memory of 2840	1408	Svchoft.exe	mspaint.exe
PID 1408 wrote to memory of 2840	1408	Svchoft.exe	mspaint.exe
PID 1408 wrote to memory of 2840	1408	Svchoft.exe	mspaint.exe
PID 1408 wrote to memory of 2716	1408	Svchoft.exe	WerFault.exe
PID 1408 wrote to memory of 2716	1408	Svchoft.exe	WerFault.exe
PID 1408 wrote to memory of 2716	1408	Svchoft.exe	WerFault.exe
PID 1408 wrote to memory of 2716	1408	Svchoft.exe	WerFault.exe
PID 2204 wrote to memory of 2092	2204	1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe	cmd.exe
PID 2204 wrote to memory of 2092	2204	1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe	cmd.exe
PID 2204 wrote to memory of 2092	2204	1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe	cmd.exe
PID 2204 wrote to memory of 2092	2204	1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2204

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Svchoft.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\Svchoft.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\mspaint.exe
"C:\Windows\system32\mspaint.exe"
3⤵
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 300
3⤵
- Loads dropped DLL
- Program crash
PID:2716

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
2⤵
- Deletes itself
PID:2092

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\ReDelBat.bat
Filesize
212B

MD5
3cb149f3af5f694bc2c163e91acfb2d2

SHA1
8fc38377758cfd8b426c0083a6b2415297f28485

SHA256
4fb9faef1e7e097bdd3aa4b21bcd59330281c30d95e80d6a6a305404c609c6a5

SHA512
727d0b5dda54151058cc97cfa581e024d19365b4f5a96ec3c5f66beefa86be186d1f14ab4bfc20ac3baa040c495dadc5edcf22c513e35f7f3598fd69fe928506

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\Svchoft.exe
Filesize
649KB

MD5
1bbce924d9b761a165bff0df9afa458c

SHA1
473bd5e80674cdbfbea6cea4d5b5b392f8aa52af

SHA256
be05462d54258875d49c2cae5c9c5267ccc9c1471e255e9d981b246d2c0e95d1

SHA512
fe8890c7eed45db8a0fd70e55481eee184dd90199701c0f547439862abf21a16a4c822658fedddf62851545a5b91ddf012c46ea3c408df080a553f205df8c7e5

Download Submit
memory/1408-49-0x0000000001D10000-0x0000000001D64000-memory.dmp

Filesize
336KB

Download
memory/1408-44-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/1408-31-0x0000000001D10000-0x0000000001D64000-memory.dmp

Filesize
336KB

Download
memory/2204-3-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/2204-21-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download
memory/2204-16-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/2204-15-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/2204-14-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2204-13-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2204-8-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/2204-7-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/2204-6-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/2204-5-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/2204-4-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/2204-0-0x0000000001E40000-0x0000000001E94000-memory.dmp

Filesize
336KB

Download
memory/2204-19-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2204-2-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/2204-1-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/2204-17-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/2204-20-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/2204-18-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/2204-9-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/2204-58-0x0000000001E40000-0x0000000001E94000-memory.dmp

Filesize
336KB

Download
memory/2204-57-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2204-12-0x0000000003480000-0x0000000003481000-memory.dmp

Filesize
4KB

Download
memory/2204-43-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2204-10-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/2204-45-0x0000000001E40000-0x0000000001E94000-memory.dmp

Filesize
336KB

Download
memory/2204-46-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/2204-11-0x0000000003380000-0x0000000003383000-memory.dmp

Filesize
12KB

Download
memory/2840-38-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2840-36-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2840-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads