modiloader | c929656c6f2779689f4b99c563d877bd1481433d064be000e90ce88d4f735a2b

Analysis

max time kernel
142s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c79ccdd97978bcd7ee828f7d190a914_JaffaCakes118.exe
Size

296KB
MD5

1c79ccdd97978bcd7ee828f7d190a914
SHA1

edf3f59d954f154e28243c52cb30d35bc30300ad
SHA256

c929656c6f2779689f4b99c563d877bd1481433d064be000e90ce88d4f735a2b
SHA512

0b761abde1827ab8d644534810451ebfa6e439d5b18f2c724db4f161fd5d3b3a0d3d4dcbf5ba80fc048a701872babda432fc0d3ff109a35e744c7da1207c462d
SSDEEP

6144:hsWXEYOd9nWwfNEfKLZXhoPSgE50FggNFZGzq2L5ZZn8etX6c5Uxpac75XEIKHJp:h17YpvNYK5huNE5IggNSu2VvtX6Akac8

Score

10^/10

modiloader trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1920-25-0x0000000000400000-0x00000000004C6000-memory.dmp	modiloader_stage2
behavioral1/memory/2616-26-0x0000000000400000-0x00000000004C6000-memory.dmp	modiloader_stage2
behavioral1/memory/1920-38-0x0000000000400000-0x00000000004C6000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2696 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

rejoice91.exe

pid process

2616 rejoice91.exe
Loads dropped DLL 5 IoCs

Processes:

1c79ccdd97978bcd7ee828f7d190a914_JaffaCakes118.exeWerFault.exe

pid process

1920 1c79ccdd97978bcd7ee828f7d190a914_JaffaCakes118.exe
1920 1c79ccdd97978bcd7ee828f7d190a914_JaffaCakes118.exe
1428 WerFault.exe
1428 WerFault.exe
1428 WerFault.exe

pid	process
2696	cmd.exe

pid	process
2616	rejoice91.exe

pid	process
1920	1c79ccdd97978bcd7ee828f7d190a914_JaffaCakes118.exe
1920	1c79ccdd97978bcd7ee828f7d190a914_JaffaCakes118.exe
1428	WerFault.exe
1428	WerFault.exe
1428	WerFault.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1920-0-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice91.exe	upx
behavioral1/memory/3028-20-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/1920-25-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2616-26-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/1920-38-0x0000000000400000-0x00000000004C6000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

rejoice91.exe

description ioc process

File created C:\Windows\SysWOW64\_rejoice91.exe rejoice91.exe
File opened for modification C:\Windows\SysWOW64\_rejoice91.exe rejoice91.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rejoice91.exe

description pid process target process

PID 2616 set thread context of 3028 2616 rejoice91.exe calc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\_rejoice91.exe	rejoice91.exe
File opened for modification	C:\Windows\SysWOW64\_rejoice91.exe	rejoice91.exe

description	pid	process	target process
PID 2616 set thread context of 3028	2616	rejoice91.exe	calc.exe

Drops file in Program Files directory 3 IoCs

Processes:

1c79ccdd97978bcd7ee828f7d190a914_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat	1c79ccdd97978bcd7ee828f7d190a914_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice91.exe	1c79ccdd97978bcd7ee828f7d190a914_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice91.exe	1c79ccdd97978bcd7ee828f7d190a914_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1428 2616 WerFault.exe rejoice91.exe

pid	pid_target	process	target process
1428	2616	WerFault.exe	rejoice91.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1c79ccdd97978bcd7ee828f7d190a914_JaffaCakes118.exerejoice91.exe

description	pid	process	target process
PID 1920 wrote to memory of 2616	1920	1c79ccdd97978bcd7ee828f7d190a914_JaffaCakes118.exe	rejoice91.exe
PID 1920 wrote to memory of 2616	1920	1c79ccdd97978bcd7ee828f7d190a914_JaffaCakes118.exe	rejoice91.exe
PID 1920 wrote to memory of 2616	1920	1c79ccdd97978bcd7ee828f7d190a914_JaffaCakes118.exe	rejoice91.exe
PID 1920 wrote to memory of 2616	1920	1c79ccdd97978bcd7ee828f7d190a914_JaffaCakes118.exe	rejoice91.exe
PID 2616 wrote to memory of 3028	2616	rejoice91.exe	calc.exe
PID 2616 wrote to memory of 3028	2616	rejoice91.exe	calc.exe
PID 2616 wrote to memory of 3028	2616	rejoice91.exe	calc.exe
PID 2616 wrote to memory of 3028	2616	rejoice91.exe	calc.exe
PID 2616 wrote to memory of 3028	2616	rejoice91.exe	calc.exe
PID 2616 wrote to memory of 3028	2616	rejoice91.exe	calc.exe
PID 2616 wrote to memory of 1428	2616	rejoice91.exe	WerFault.exe
PID 2616 wrote to memory of 1428	2616	rejoice91.exe	WerFault.exe
PID 2616 wrote to memory of 1428	2616	rejoice91.exe	WerFault.exe
PID 2616 wrote to memory of 1428	2616	rejoice91.exe	WerFault.exe
PID 1920 wrote to memory of 2696	1920	1c79ccdd97978bcd7ee828f7d190a914_JaffaCakes118.exe	cmd.exe
PID 1920 wrote to memory of 2696	1920	1c79ccdd97978bcd7ee828f7d190a914_JaffaCakes118.exe	cmd.exe
PID 1920 wrote to memory of 2696	1920	1c79ccdd97978bcd7ee828f7d190a914_JaffaCakes118.exe	cmd.exe
PID 1920 wrote to memory of 2696	1920	1c79ccdd97978bcd7ee828f7d190a914_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1c79ccdd97978bcd7ee828f7d190a914_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c79ccdd97978bcd7ee828f7d190a914_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1920

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice91.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice91.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\calc.exe
"C:\Windows\system32\calc.exe"
3⤵
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 280
3⤵
- Loads dropped DLL
- Program crash
PID:1428

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
2⤵
- Deletes itself
PID:2696

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\ReDelBat.bat
Filesize
212B

MD5
8141e5ba1d20e9f4581067ac3dcba59b

SHA1
a946002fb785bd2b8ebe031d818b6f9556dd890b

SHA256
322502f3e197ac56e4e57d94b22818f4a5b81a30bbede13f092bc6c353def887

SHA512
c3241b581e626b898ed1fba6ea2cfe20def1ae63c2356c24355b7293cd5dda3004ea6f0ce86dd297106c4870f0b83ee5913674559426219b46baa485a17f3c0a

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice91.exe
Filesize
296KB

MD5
1c79ccdd97978bcd7ee828f7d190a914

SHA1
edf3f59d954f154e28243c52cb30d35bc30300ad

SHA256
c929656c6f2779689f4b99c563d877bd1481433d064be000e90ce88d4f735a2b

SHA512
0b761abde1827ab8d644534810451ebfa6e439d5b18f2c724db4f161fd5d3b3a0d3d4dcbf5ba80fc048a701872babda432fc0d3ff109a35e744c7da1207c462d

Download Submit
memory/1920-0-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/1920-1-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1920-11-0x0000000002040000-0x0000000002106000-memory.dmp

Filesize
792KB

Download
memory/1920-25-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/1920-28-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1920-38-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2616-15-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2616-26-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/3028-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3028-20-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads