modiloader | dcce71d13f61f3c0dbf69e8a4a57de81d41277b585b057b4ed6e0cf49a4bb3da

Analysis

max time kernel
142s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 13:20

Target

ff5e2863440153305ea8cab67fecb2be_JaffaCakes118.exe
Size

594KB
MD5

ff5e2863440153305ea8cab67fecb2be
SHA1

5179ac947392efd76acf66ca6e2349a394f23b0e
SHA256

dcce71d13f61f3c0dbf69e8a4a57de81d41277b585b057b4ed6e0cf49a4bb3da
SHA512

6c4211f91609ce1eb743b278e70a5b87b22861d0ee3c718bc1d8070df31b25b716668752cb83278f77004287aef1d2ff9adebced9a1ef62b78b861bf45075286
SSDEEP

12288:Hx0FzFNxTG9ppkAUzEFHquQHnF3Z4mxxj7sIcOa/Y91TVK9:Hx0P69+ERQHnQmXnsINwr9

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4616-13-0x0000000000400000-0x000000000050A000-memory.dmp	modiloader_stage2

Drops file in System32 directory 1 IoCs

Processes:

ff5e2863440153305ea8cab67fecb2be_JaffaCakes118.exe

description ioc process

File created C:\Windows\SysWOW64\FieleWay.txt ff5e2863440153305ea8cab67fecb2be_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\FieleWay.txt	ff5e2863440153305ea8cab67fecb2be_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

ff5e2863440153305ea8cab67fecb2be_JaffaCakes118.exe

description	pid	process	target process
PID 4616 wrote to memory of 840	4616	ff5e2863440153305ea8cab67fecb2be_JaffaCakes118.exe	IEXPLORE.EXE
PID 4616 wrote to memory of 840	4616	ff5e2863440153305ea8cab67fecb2be_JaffaCakes118.exe	IEXPLORE.EXE

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
2⤵
PID:840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:2636

memory/4616-0-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/4616-1-0x00000000022E0000-0x0000000002334000-memory.dmp

Filesize
336KB

Download
memory/4616-2-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/4616-3-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/4616-4-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/4616-5-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/4616-6-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/4616-7-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/4616-8-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/4616-9-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/4616-10-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/4616-11-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/4616-13-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/4616-14-0x00000000022E0000-0x0000000002334000-memory.dmp

Filesize
336KB

Download