modiloader | be05462d54258875d49c2cae5c9c5267ccc9c1471e255e9d981b246d2c0e95d1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 14:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe
Size

649KB
MD5

1bbce924d9b761a165bff0df9afa458c
SHA1

473bd5e80674cdbfbea6cea4d5b5b392f8aa52af
SHA256

be05462d54258875d49c2cae5c9c5267ccc9c1471e255e9d981b246d2c0e95d1
SHA512

fe8890c7eed45db8a0fd70e55481eee184dd90199701c0f547439862abf21a16a4c822658fedddf62851545a5b91ddf012c46ea3c408df080a553f205df8c7e5
SSDEEP

12288:Dzq4uVpY4TSipHDdpV9NT5cQEOxylLXUD7lyyLzdmf5OZ7Zy:3qJpxHNTORWyEHlyyfdU

Score

10^/10

modiloader aspackv2 trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3660-33-0x0000000000400000-0x000000000051F000-memory.dmp	modiloader_stage2
behavioral2/memory/5016-36-0x0000000000400000-0x000000000051F000-memory.dmp	modiloader_stage2

ASPack v2.12-2.42 1 IoCs
Detects executables packed with ASPack v2.12-2.42
aspackv2

Processes:

resource yara_rule

C:\Program Files\Common Files\microsoft shared\MSInfo\Svchoft.exe aspack_v212_v242
Executes dropped EXE 1 IoCs

Processes:

Svchoft.exe

pid process

5016 Svchoft.exe
Drops file in System32 directory 2 IoCs

Processes:

Svchoft.exe

description ioc process

File created C:\Windows\SysWOW64\_Svchoft.exe Svchoft.exe
File opened for modification C:\Windows\SysWOW64\_Svchoft.exe Svchoft.exe

resource	yara_rule
C:\Program Files\Common Files\microsoft shared\MSInfo\Svchoft.exe	aspack_v212_v242

pid	process
5016	Svchoft.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_Svchoft.exe	Svchoft.exe
File opened for modification	C:\Windows\SysWOW64\_Svchoft.exe	Svchoft.exe

Drops file in Program Files directory 3 IoCs

Processes:

1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Svchoft.exe	1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Svchoft.exe	1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat	1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1720 3660 WerFault.exe 1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe
4956 5016 WerFault.exe Svchoft.exe
4920 5016 WerFault.exe Svchoft.exe

pid	pid_target	process	target process
1720	3660	WerFault.exe	1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe
4956	5016	WerFault.exe	Svchoft.exe
4920	5016	WerFault.exe	Svchoft.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exeSvchoft.exe

description	pid	process	target process
PID 3660 wrote to memory of 5016	3660	1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe	Svchoft.exe
PID 3660 wrote to memory of 5016	3660	1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe	Svchoft.exe
PID 3660 wrote to memory of 5016	3660	1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe	Svchoft.exe
PID 5016 wrote to memory of 2224	5016	Svchoft.exe	mspaint.exe
PID 5016 wrote to memory of 2224	5016	Svchoft.exe	mspaint.exe
PID 5016 wrote to memory of 2224	5016	Svchoft.exe	mspaint.exe
PID 3660 wrote to memory of 4228	3660	1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe	cmd.exe
PID 3660 wrote to memory of 4228	3660	1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe	cmd.exe
PID 3660 wrote to memory of 4228	3660	1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1bbce924d9b761a165bff0df9afa458c_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 532
2⤵
- Program crash
PID:1720

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Svchoft.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\Svchoft.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 532
3⤵
- Program crash
PID:4956

C:\Windows\SysWOW64\mspaint.exe
"C:\Windows\system32\mspaint.exe"
3⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 680
3⤵
- Program crash
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
2⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3660 -ip 3660
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5016 -ip 5016
1⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 5016 -ip 5016
1⤵
PID:4224

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat
Filesize
212B

MD5
3cb149f3af5f694bc2c163e91acfb2d2

SHA1
8fc38377758cfd8b426c0083a6b2415297f28485

SHA256
4fb9faef1e7e097bdd3aa4b21bcd59330281c30d95e80d6a6a305404c609c6a5

SHA512
727d0b5dda54151058cc97cfa581e024d19365b4f5a96ec3c5f66beefa86be186d1f14ab4bfc20ac3baa040c495dadc5edcf22c513e35f7f3598fd69fe928506

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\Svchoft.exe
Filesize
649KB

MD5
1bbce924d9b761a165bff0df9afa458c

SHA1
473bd5e80674cdbfbea6cea4d5b5b392f8aa52af

SHA256
be05462d54258875d49c2cae5c9c5267ccc9c1471e255e9d981b246d2c0e95d1

SHA512
fe8890c7eed45db8a0fd70e55481eee184dd90199701c0f547439862abf21a16a4c822658fedddf62851545a5b91ddf012c46ea3c408df080a553f205df8c7e5

Download Submit
memory/3660-8-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/3660-1-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/3660-0-0x0000000002330000-0x0000000002384000-memory.dmp

Filesize
336KB

Download
memory/3660-20-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/3660-19-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/3660-18-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/3660-17-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/3660-16-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/3660-15-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/3660-11-0x00000000034C0000-0x00000000034C3000-memory.dmp

Filesize
12KB

Download
memory/3660-10-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/3660-9-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/3660-21-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/3660-7-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/3660-12-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/3660-5-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/3660-4-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/3660-2-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/3660-3-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3660-22-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/3660-23-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/3660-6-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3660-33-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/3660-34-0x0000000002330000-0x0000000002384000-memory.dmp

Filesize
336KB

Download
memory/5016-27-0x0000000002270000-0x00000000022C4000-memory.dmp

Filesize
336KB

Download
memory/5016-37-0x0000000002270000-0x00000000022C4000-memory.dmp

Filesize
336KB

Download
memory/5016-36-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download