modiloader | 0b37d22d6c2d1a191c50f5ee6720e3f1f2db0063787dbbb4b40fa80933ea4365

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
19-06-2024 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe
Size

577KB
MD5

001385ef05b556dbcda822925ea9a8ec
SHA1

cc3fdcee65d83153a1da72d8cdaee3f271967594
SHA256

0b37d22d6c2d1a191c50f5ee6720e3f1f2db0063787dbbb4b40fa80933ea4365
SHA512

18d899a08cd5565fde4d21f963cf46f7dbffc3062cbb15054becf5ed16c7a445047a7b4db0283992b19677ff5da816ac657cf2e8ad8bb118a056c000bc35434c
SSDEEP

12288:W7bkAWVjog6lWPjbUkbxb5GOaTTTTBPTT71cNM1c2obY7bjlTxClWnI96YzbL:EkAUjV6YUklvaTTTTBPTT7qNOocvRt9G

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2208-89-0x0000000000400000-0x0000000000509000-memory.dmp	modiloader_stage2
behavioral1/memory/304-91-0x0000000000400000-0x0000000000509000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2148 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

11151.exe

pid process

304 11151.exe
Loads dropped DLL 2 IoCs

Processes:

001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe

pid process

2208 001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe
2208 001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

11151.exe

description pid process target process

PID 304 set thread context of 2552 304 11151.exe svchost.exe

pid	process
2148	cmd.exe

pid	process
304	11151.exe

pid	process
2208	001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe
2208	001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe

description	pid	process	target process
PID 304 set thread context of 2552	304	11151.exe	svchost.exe

Drops file in Program Files directory 3 IoCs

Processes:

001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe	001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe	001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat	001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe11151.exe

description	pid	process	target process
PID 2208 wrote to memory of 304	2208	001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe	11151.exe
PID 2208 wrote to memory of 304	2208	001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe	11151.exe
PID 2208 wrote to memory of 304	2208	001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe	11151.exe
PID 2208 wrote to memory of 304	2208	001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe	11151.exe
PID 304 wrote to memory of 2552	304	11151.exe	svchost.exe
PID 304 wrote to memory of 2552	304	11151.exe	svchost.exe
PID 304 wrote to memory of 2552	304	11151.exe	svchost.exe
PID 304 wrote to memory of 2552	304	11151.exe	svchost.exe
PID 304 wrote to memory of 2552	304	11151.exe	svchost.exe
PID 304 wrote to memory of 2552	304	11151.exe	svchost.exe
PID 2208 wrote to memory of 2148	2208	001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe	cmd.exe
PID 2208 wrote to memory of 2148	2208	001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe	cmd.exe
PID 2208 wrote to memory of 2148	2208	001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe	cmd.exe
PID 2208 wrote to memory of 2148	2208	001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2208

C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
PID:2552

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""
2⤵
- Deletes itself
PID:2148

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\Delet.bat
Filesize
212B

MD5
cf8b32b602fa7bc484a03a930a8d2375

SHA1
1fc78bc1ed022f94dbd655cd5e2a190684e95f31

SHA256
a5754221e1df6a36a5f54d23cab6258f8db2fa14abd3956d6654ab927e26504d

SHA512
e3f54423eacf8be23cb20fa202a236be37fda255af4421b9d3523c7c83a16c5eda022b57ee57f7ee753eb2d39843149a3a0c499196e0b2f113f9cd74f4e4c7d8

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\11151.exe
Filesize
577KB

MD5
001385ef05b556dbcda822925ea9a8ec

SHA1
cc3fdcee65d83153a1da72d8cdaee3f271967594

SHA256
0b37d22d6c2d1a191c50f5ee6720e3f1f2db0063787dbbb4b40fa80933ea4365

SHA512
18d899a08cd5565fde4d21f963cf46f7dbffc3062cbb15054becf5ed16c7a445047a7b4db0283992b19677ff5da816ac657cf2e8ad8bb118a056c000bc35434c

Download Submit
memory/304-74-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/304-91-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/2208-33-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2208-60-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2208-2-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2208-62-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2208-61-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download
memory/2208-30-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2208-59-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2208-58-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/2208-57-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/2208-56-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/2208-29-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2208-54-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/2208-53-0x0000000002C10000-0x0000000002C13000-memory.dmp

Filesize
12KB

Download
memory/2208-52-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2208-51-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2208-50-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2208-49-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2208-48-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2208-47-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2208-46-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2208-45-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2208-44-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2208-43-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2208-42-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2208-41-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2208-40-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2208-39-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2208-38-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2208-37-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2208-31-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2208-35-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2208-34-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2208-0-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/2208-32-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2208-36-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2208-1-0x0000000000510000-0x0000000000560000-memory.dmp

Filesize
320KB

Download
memory/2208-55-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/2208-28-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2208-27-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2208-26-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2208-25-0x0000000002C10000-0x0000000002D10000-memory.dmp

Filesize
1024KB

Download
memory/2208-24-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2208-23-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2208-22-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2208-21-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2208-20-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2208-19-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2208-18-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2208-17-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2208-16-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2208-15-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2208-14-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2208-13-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2208-12-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2208-11-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2208-10-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2208-9-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2208-8-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

Filesize
4KB

Download
memory/2208-7-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/2208-6-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/2208-5-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2208-3-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2208-4-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2208-72-0x0000000003ED0000-0x0000000003FD9000-memory.dmp

Filesize
1.0MB

Download
memory/2208-73-0x0000000003ED0000-0x0000000003FD9000-memory.dmp

Filesize
1.0MB

Download
memory/2208-89-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/2208-90-0x0000000000510000-0x0000000000560000-memory.dmp

Filesize
320KB

Download
memory/2552-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2552-79-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/2552-77-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads