modiloader | de46075e7db5cd35c194ef352bcfacd63541ef87e26ac475ee571d6ec2490637

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

269d98d6d42b52375626fde61db67281_JaffaCakes118.exe
Size

320KB
MD5

269d98d6d42b52375626fde61db67281
SHA1

d972078d8bfcadfd3ccb2e494c58d65035d341eb
SHA256

de46075e7db5cd35c194ef352bcfacd63541ef87e26ac475ee571d6ec2490637
SHA512

2780fe3814ee974c2cd99906d52a48c8a67cc68ab0934c1d91fcec148d1fe49bdb23eb5f630a1a02cc02c34deae1a9b352fc6f2107ac74650f007b043f402a92
SSDEEP

6144:Zi0F1cBEtu/lzj/GS59IUw2IIGkrvdaAD9YDXCh6YCHV2uH2YPFu+Mf:PFwNzj/GSA65xYD52u3g+a

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2120-17-0x0000000000400000-0x0000000000560000-memory.dmp	modiloader_stage2
behavioral1/memory/2540-18-0x0000000000400000-0x0000000000560000-memory.dmp	modiloader_stage2
behavioral1/memory/2120-26-0x0000000000400000-0x0000000000560000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2948 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

explorer.bat

pid process

2540 explorer.bat
Loads dropped DLL 4 IoCs

Processes:

269d98d6d42b52375626fde61db67281_JaffaCakes118.exeWerFault.exe

pid process

2120 269d98d6d42b52375626fde61db67281_JaffaCakes118.exe
2120 269d98d6d42b52375626fde61db67281_JaffaCakes118.exe
1980 WerFault.exe
1980 WerFault.exe

pid	process
2948	cmd.exe

pid	process
2540	explorer.bat

pid	process
2120	269d98d6d42b52375626fde61db67281_JaffaCakes118.exe
2120	269d98d6d42b52375626fde61db67281_JaffaCakes118.exe
1980	WerFault.exe
1980	WerFault.exe

Drops file in Program Files directory 3 IoCs

Processes:

269d98d6d42b52375626fde61db67281_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\explorer.bat	269d98d6d42b52375626fde61db67281_JaffaCakes118.exe
File opened for modification	C:\Program Files\explorer.bat	269d98d6d42b52375626fde61db67281_JaffaCakes118.exe
File created	C:\Program Files\SxDel.bat	269d98d6d42b52375626fde61db67281_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1980 2540 WerFault.exe explorer.bat

pid	pid_target	process	target process
1980	2540	WerFault.exe	explorer.bat

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

269d98d6d42b52375626fde61db67281_JaffaCakes118.exeexplorer.bat

description	pid	process	target process
PID 2120 wrote to memory of 2540	2120	269d98d6d42b52375626fde61db67281_JaffaCakes118.exe	explorer.bat
PID 2120 wrote to memory of 2540	2120	269d98d6d42b52375626fde61db67281_JaffaCakes118.exe	explorer.bat
PID 2120 wrote to memory of 2540	2120	269d98d6d42b52375626fde61db67281_JaffaCakes118.exe	explorer.bat
PID 2120 wrote to memory of 2540	2120	269d98d6d42b52375626fde61db67281_JaffaCakes118.exe	explorer.bat
PID 2540 wrote to memory of 1980	2540	explorer.bat	WerFault.exe
PID 2540 wrote to memory of 1980	2540	explorer.bat	WerFault.exe
PID 2540 wrote to memory of 1980	2540	explorer.bat	WerFault.exe
PID 2540 wrote to memory of 1980	2540	explorer.bat	WerFault.exe
PID 2120 wrote to memory of 2948	2120	269d98d6d42b52375626fde61db67281_JaffaCakes118.exe	cmd.exe
PID 2120 wrote to memory of 2948	2120	269d98d6d42b52375626fde61db67281_JaffaCakes118.exe	cmd.exe
PID 2120 wrote to memory of 2948	2120	269d98d6d42b52375626fde61db67281_JaffaCakes118.exe	cmd.exe
PID 2120 wrote to memory of 2948	2120	269d98d6d42b52375626fde61db67281_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\269d98d6d42b52375626fde61db67281_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\269d98d6d42b52375626fde61db67281_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2120

C:\Program Files\explorer.bat
"C:\Program Files\explorer.bat"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 284
3⤵
- Loads dropped DLL
- Program crash
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\SxDel.bat""
2⤵
- Deletes itself
PID:2948

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\SxDel.bat
Filesize
212B

MD5
ecbf366f066e24ad1ad0a3327d5bf7e5

SHA1
17659d754cf7056616c9e9ee893cf5b0499ee292

SHA256
21ca435bcd4c523e6e4b2dfed71e2271e11926aab964754c806d0c492e195db6

SHA512
a5f9743470f4ab844b23506e2022a6a55f6616d364fb0de651688233f02f49ec68c29f0688cc915bde9a7e0736ee7391d8149659057a5f0ed607fe3d436ffba6

Download Submit
\Program Files\explorer.bat
Filesize
320KB

MD5
269d98d6d42b52375626fde61db67281

SHA1
d972078d8bfcadfd3ccb2e494c58d65035d341eb

SHA256
de46075e7db5cd35c194ef352bcfacd63541ef87e26ac475ee571d6ec2490637

SHA512
2780fe3814ee974c2cd99906d52a48c8a67cc68ab0934c1d91fcec148d1fe49bdb23eb5f630a1a02cc02c34deae1a9b352fc6f2107ac74650f007b043f402a92

Download Submit
memory/2120-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2120-0-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/2120-4-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2120-12-0x0000000003150000-0x00000000032B0000-memory.dmp

Filesize
1.4MB

Download
memory/2120-17-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/2120-26-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/2540-13-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/2540-14-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2540-18-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads