modiloader | 77862e3ff38d5413b595bd4bddf5f2b203e1e07818fb97bf500abf3dc3e913a4

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-06-2024 20:15

Target

004c7f3fa07354703c69c56248fd2905_JaffaCakes118.exe
Size

19KB
MD5

004c7f3fa07354703c69c56248fd2905
SHA1

1601cc17511e4a65df9fef9eb04d4673cff84481
SHA256

77862e3ff38d5413b595bd4bddf5f2b203e1e07818fb97bf500abf3dc3e913a4
SHA512

f28f37488e790e07e67d5c9e5c241cb700b5abd56c6adc33e2defad079c3da4bf85dcff975e11e359b3ba707f49f3e32911ce736e571f585e77d48c259736b5e
SSDEEP

384:B+1dYQqhOE/0aZkEfcSJByj8ZoblMmmdMf8VXuahaD:M11qkE/0ZEUqI8upMmsM6rh

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2664-0-0x0000000010000000-0x000000001000C000-memory.dmp	modiloader_stage2

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1580 2664 WerFault.exe 004c7f3fa07354703c69c56248fd2905_JaffaCakes118.exe

pid	pid_target	process	target process
1580	2664	WerFault.exe	004c7f3fa07354703c69c56248fd2905_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

004c7f3fa07354703c69c56248fd2905_JaffaCakes118.exe

description	pid	process	target process
PID 2664 wrote to memory of 1580	2664	004c7f3fa07354703c69c56248fd2905_JaffaCakes118.exe	WerFault.exe
PID 2664 wrote to memory of 1580	2664	004c7f3fa07354703c69c56248fd2905_JaffaCakes118.exe	WerFault.exe
PID 2664 wrote to memory of 1580	2664	004c7f3fa07354703c69c56248fd2905_JaffaCakes118.exe	WerFault.exe
PID 2664 wrote to memory of 1580	2664	004c7f3fa07354703c69c56248fd2905_JaffaCakes118.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\004c7f3fa07354703c69c56248fd2905_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\004c7f3fa07354703c69c56248fd2905_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 124
2⤵
- Program crash
PID:1580

memory/2664-0-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download