modiloader | 8c98a311d935e8bc990f488d1922aba25601283f689f41f0833651c5f2794f02

Analysis

max time kernel
91s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e255418bfbf5beed0bbacb6b13c24cdc_JaffaCakes118.exe
Size

609KB
MD5

e255418bfbf5beed0bbacb6b13c24cdc
SHA1

6d5dadd1e964f6fc2414c0715ec1ef3516be706e
SHA256

8c98a311d935e8bc990f488d1922aba25601283f689f41f0833651c5f2794f02
SHA512

601832395cf55b49137f632a25cb5cada9c4b6cd8164da9c614f7e03340e4d82126dcaf3d8986ea55b30dfed1f077a7c7b482a9db65d8822e0c9e8e32a8c9f16
SSDEEP

12288:5X5BLqnsn3K1SOXAtnWjQgOtT9+VOF3Z4mxxhPkwKRov0uS2rH:5jLqnsnspanmQBR9+wQmXhPOWvTfH

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/4992-60-0x0000000000400000-0x000000000056D000-memory.dmp	modiloader_stage2
behavioral2/memory/1468-66-0x0000000000400000-0x000000000056D000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
4992	Indxiwg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Indxiwg.exe	e255418bfbf5beed0bbacb6b13c24cdc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Indxiwg.exe	e255418bfbf5beed0bbacb6b13c24cdc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Indxiwg.exe	Indxiwg.exe
File created	C:\Windows\SysWOW64\Deleteme.bat	e255418bfbf5beed0bbacb6b13c24cdc_JaffaCakes118.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1404	1468	WerFault.exe	83
3900	4992	WerFault.exe	90

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 4992	1468	e255418bfbf5beed0bbacb6b13c24cdc_JaffaCakes118.exe	90
PID 1468 wrote to memory of 4992	1468	e255418bfbf5beed0bbacb6b13c24cdc_JaffaCakes118.exe	90
PID 1468 wrote to memory of 4992	1468	e255418bfbf5beed0bbacb6b13c24cdc_JaffaCakes118.exe	90
PID 1468 wrote to memory of 212	1468	e255418bfbf5beed0bbacb6b13c24cdc_JaffaCakes118.exe	93
PID 1468 wrote to memory of 212	1468	e255418bfbf5beed0bbacb6b13c24cdc_JaffaCakes118.exe	93
PID 1468 wrote to memory of 212	1468	e255418bfbf5beed0bbacb6b13c24cdc_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\e255418bfbf5beed0bbacb6b13c24cdc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e255418bfbf5beed0bbacb6b13c24cdc_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 332
  2⤵
  - Program crash
  PID:1404
- C:\Windows\SysWOW64\Indxiwg.exe
  C:\Windows\system32\Indxiwg.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 324
    3⤵
    - Program crash
    PID:3900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1468 -ip 1468
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4992 -ip 4992
1⤵
PID:2836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Deleteme.bat

Filesize
212B

MD5
81bd6a420041af7f3b916b61ed6b8639

SHA1
bf7dc76c3611b7e269dbec10acf7507d2b8fdc20

SHA256
9472f7fe80478a12cd79259b1c7addc9a210862bdb3a7f16e488c66e4157a658

SHA512
892b69f4fa53376334c53c0607e6d866392bc56e00d6be5181f6dcdd7d2adc7a18fb40a132140dd45ac3e56a4c83ec30eab7b432096f80f7b4e8c7e680f29cae

Download Submit
C:\Windows\SysWOW64\Indxiwg.exe

Filesize
609KB

MD5
e255418bfbf5beed0bbacb6b13c24cdc

SHA1
6d5dadd1e964f6fc2414c0715ec1ef3516be706e

SHA256
8c98a311d935e8bc990f488d1922aba25601283f689f41f0833651c5f2794f02

SHA512
601832395cf55b49137f632a25cb5cada9c4b6cd8164da9c614f7e03340e4d82126dcaf3d8986ea55b30dfed1f077a7c7b482a9db65d8822e0c9e8e32a8c9f16

Download Submit
memory/1468-0-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/1468-1-0x0000000000B70000-0x0000000000BC4000-memory.dmp

Filesize
336KB

Download
memory/1468-2-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/1468-3-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1468-4-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1468-5-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1468-6-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1468-7-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/1468-8-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1468-9-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1468-10-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/1468-11-0x00000000034F0000-0x0000000003500000-memory.dmp

Filesize
64KB

Download
memory/1468-12-0x00000000034F0000-0x0000000003500000-memory.dmp

Filesize
64KB

Download
memory/1468-13-0x00000000034F0000-0x0000000003500000-memory.dmp

Filesize
64KB

Download
memory/1468-14-0x00000000034F0000-0x0000000003500000-memory.dmp

Filesize
64KB

Download
memory/1468-15-0x00000000034F0000-0x0000000003500000-memory.dmp

Filesize
64KB

Download
memory/1468-16-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-17-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-18-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-21-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-22-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-23-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-25-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-24-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-26-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-28-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-27-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-29-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-30-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-31-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-32-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-33-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-34-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-35-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-36-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-37-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-38-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-39-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-40-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-41-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-42-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-43-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-44-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-45-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-46-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-47-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-48-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-49-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/1468-50-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1468-52-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1468-51-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1468-66-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/1468-67-0x0000000000B70000-0x0000000000BC4000-memory.dmp

Filesize
336KB

Download
memory/4992-56-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/4992-57-0x0000000000A50000-0x0000000000AA4000-memory.dmp

Filesize
336KB

Download
memory/4992-58-0x00000000033E0000-0x00000000033FB000-memory.dmp

Filesize
108KB

Download
memory/4992-59-0x00000000033E0000-0x00000000033FB000-memory.dmp

Filesize
108KB

Download
memory/4992-60-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/4992-65-0x0000000000A50000-0x0000000000AA4000-memory.dmp

Filesize
336KB

Download
memory/4992-64-0x00000000033E0000-0x00000000033FB000-memory.dmp

Filesize
108KB

Download
memory/4992-63-0x00000000033E0000-0x00000000033FB000-memory.dmp

Filesize
108KB

Download