modiloader | c0d4c80934148933630a26ad5d49bf6e8e795762a44ab4263f7ccab500fb7458

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19-06-2024 21:21

Target

008da0644316ad4ddbf8a27c1fb920b7_JaffaCakes118.dll
Size

25KB
MD5

008da0644316ad4ddbf8a27c1fb920b7
SHA1

7626679b503b0b6c4a4ffc140ff367d17fa9a1d9
SHA256

c0d4c80934148933630a26ad5d49bf6e8e795762a44ab4263f7ccab500fb7458
SHA512

159a1749f671e0a177e5570c4598cf99ed8ceb547c77bb10ddf081085acef12aaa2a8a0e3ddae0b8ad86c57bdabc475e621cd1bb611f038d852c978b1afe5c0f
SSDEEP

768:PxEd2IwKbR/cGz7DJ8I5U8CoPnaR7+FuHxE+6KyW16S:5Ed2IwKbR/cA7nCosyaE+7yWR

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2408-0-0x0000000000360000-0x000000000037F000-memory.dmp	modiloader_stage2

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2392 wrote to memory of 2408	2392	regsvr32.exe	regsvr32.exe
PID 2392 wrote to memory of 2408	2392	regsvr32.exe	regsvr32.exe
PID 2392 wrote to memory of 2408	2392	regsvr32.exe	regsvr32.exe
PID 2392 wrote to memory of 2408	2392	regsvr32.exe	regsvr32.exe
PID 2392 wrote to memory of 2408	2392	regsvr32.exe	regsvr32.exe
PID 2392 wrote to memory of 2408	2392	regsvr32.exe	regsvr32.exe
PID 2392 wrote to memory of 2408	2392	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\008da0644316ad4ddbf8a27c1fb920b7_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\008da0644316ad4ddbf8a27c1fb920b7_JaffaCakes118.dll
2⤵
PID:2408

memory/2408-0-0x0000000000360000-0x000000000037F000-memory.dmp

Filesize
124KB

Download