modiloader | 2195abfd0cb42d42d198cc1aeb4ba6404c6a954a0d1c5efbdcc0b5c75a314b5e

Analysis

max time kernel
51s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 21:28

Target

009630426f2274a881a496e9a7846859_JaffaCakes118.dll
Size

89KB
MD5

009630426f2274a881a496e9a7846859
SHA1

34b121ba6cad5a3de7c77892acc1ae1035cd7a4b
SHA256

2195abfd0cb42d42d198cc1aeb4ba6404c6a954a0d1c5efbdcc0b5c75a314b5e
SHA512

c07e5338f0668321486414067c25157b22d4e384336bd676d3793714c89a12fd3902e34ed2bcdee578d721f91e66a851234402ca61219bb8bf1e9f0ee27aed62
SSDEEP

1536:c9qSQ4pmwgvv/iNIeB8tUOLd1AH75YKpO/Y6kJji+GcxmsE70j:MTmDvTeB4USd1AH75YKA8QefE70j

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/264-0-0x0000000001F70000-0x0000000001F8B000-memory.dmp	modiloader_stage2

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2160 wrote to memory of 264	2160	regsvr32.exe	regsvr32.exe
PID 2160 wrote to memory of 264	2160	regsvr32.exe	regsvr32.exe
PID 2160 wrote to memory of 264	2160	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\009630426f2274a881a496e9a7846859_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\009630426f2274a881a496e9a7846859_JaffaCakes118.dll
2⤵
PID:264

memory/264-0-0x0000000001F70000-0x0000000001F8B000-memory.dmp

Filesize
108KB

Download