modiloader | 18ddc9b5ae98b6c30b1ff139da7520dbbb8ee0410108b62b6a45c397a4d63cb1

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 23:55

Target

26b63ca40c4e0b6c117a5f29131801d7_JaffaCakes118.exe
Size

793KB
MD5

26b63ca40c4e0b6c117a5f29131801d7
SHA1

41c0bebca37b23eb1cba9187bb1e61a7fa55ef5a
SHA256

18ddc9b5ae98b6c30b1ff139da7520dbbb8ee0410108b62b6a45c397a4d63cb1
SHA512

34553912380a2c670320c7a779b3a53a709b9dc81533cdce21a5bd8639643901e8038bed18aeb7c3e3606030b4ca2915d999a0cb0d32230cbf9d60ec1a51c355
SSDEEP

24576:2j7dEzLqVegFntK82DyptPT3AXKJUHpTagtsRBiFGTX:C7UqVegFUvDy/PT3AXKJUHpTagtsRBiU

Score

10^/10

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
ModiLoader Second Stage 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/2076-4-0x0000000000400000-0x00000000004D0000-memory.dmp modiloader_stage2
Drops file in Program Files directory 1 IoCs

Processes:

26b63ca40c4e0b6c117a5f29131801d7_JaffaCakes118.exe

description ioc process

File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt 26b63ca40c4e0b6c117a5f29131801d7_JaffaCakes118.exe

resource	yara_rule
behavioral1/memory/2076-4-0x0000000000400000-0x00000000004D0000-memory.dmp	modiloader_stage2

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt	26b63ca40c4e0b6c117a5f29131801d7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

26b63ca40c4e0b6c117a5f29131801d7_JaffaCakes118.exe

description	pid	process	target process
PID 2076 wrote to memory of 2384	2076	26b63ca40c4e0b6c117a5f29131801d7_JaffaCakes118.exe	IEXPLORE.EXE
PID 2076 wrote to memory of 2384	2076	26b63ca40c4e0b6c117a5f29131801d7_JaffaCakes118.exe	IEXPLORE.EXE
PID 2076 wrote to memory of 2384	2076	26b63ca40c4e0b6c117a5f29131801d7_JaffaCakes118.exe	IEXPLORE.EXE
PID 2076 wrote to memory of 2384	2076	26b63ca40c4e0b6c117a5f29131801d7_JaffaCakes118.exe	IEXPLORE.EXE

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
2⤵
PID:2384

memory/2076-0-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2076-2-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2076-3-0x0000000000415000-0x0000000000416000-memory.dmp

Filesize
4KB

Download
memory/2076-4-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download