modiloader | b97a712a8229a35782d0b926b9b4dcaaef4bd467d32a74f6293152fcb0607a89

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
19-06-2024 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

007876bea65f4c938ea2819f9039bd2e_JaffaCakes118.exe
Size

288KB
MD5

007876bea65f4c938ea2819f9039bd2e
SHA1

3a802470fade9f678402b706ec95399583790f98
SHA256

b97a712a8229a35782d0b926b9b4dcaaef4bd467d32a74f6293152fcb0607a89
SHA512

4fdcdbc2127ac93dca43d88103127cc1dbd684aef080a56b167577e6b98b1e156b6f76fe243f07e5937f7fba28a36d8c79a4b6f2d07f0b5be5f7f3a7450f9918
SSDEEP

6144:V0wTov0igrvJ6GF9Cw6Cv8+w1JEH+A3k5JttvlYn++yOsbHXHHcXyq:Sw0Migt/R8+f+A05J7envnsrHy

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1068-14-0x0000000000400000-0x0000000000549000-memory.dmp	modiloader_stage2
behavioral1/memory/2260-16-0x0000000000400000-0x0000000000549000-memory.dmp	modiloader_stage2
behavioral1/memory/1068-24-0x0000000000400000-0x0000000000549000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2764 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

cmd.bat

pid process

2260 cmd.bat

pid	process
2764	cmd.exe

pid	process
2260	cmd.bat

Drops file in Windows directory 3 IoCs

Processes:

007876bea65f4c938ea2819f9039bd2e_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\cmd.bat	007876bea65f4c938ea2819f9039bd2e_JaffaCakes118.exe
File opened for modification	C:\Windows\cmd.bat	007876bea65f4c938ea2819f9039bd2e_JaffaCakes118.exe
File created	C:\Windows\SgotoDel.bat	007876bea65f4c938ea2819f9039bd2e_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2800 2260 WerFault.exe cmd.bat

pid	pid_target	process	target process
2800	2260	WerFault.exe	cmd.bat

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

007876bea65f4c938ea2819f9039bd2e_JaffaCakes118.execmd.bat

description	pid	process	target process
PID 1068 wrote to memory of 2260	1068	007876bea65f4c938ea2819f9039bd2e_JaffaCakes118.exe	cmd.bat
PID 1068 wrote to memory of 2260	1068	007876bea65f4c938ea2819f9039bd2e_JaffaCakes118.exe	cmd.bat
PID 1068 wrote to memory of 2260	1068	007876bea65f4c938ea2819f9039bd2e_JaffaCakes118.exe	cmd.bat
PID 1068 wrote to memory of 2260	1068	007876bea65f4c938ea2819f9039bd2e_JaffaCakes118.exe	cmd.bat
PID 2260 wrote to memory of 2800	2260	cmd.bat	WerFault.exe
PID 2260 wrote to memory of 2800	2260	cmd.bat	WerFault.exe
PID 2260 wrote to memory of 2800	2260	cmd.bat	WerFault.exe
PID 2260 wrote to memory of 2800	2260	cmd.bat	WerFault.exe
PID 1068 wrote to memory of 2764	1068	007876bea65f4c938ea2819f9039bd2e_JaffaCakes118.exe	cmd.exe
PID 1068 wrote to memory of 2764	1068	007876bea65f4c938ea2819f9039bd2e_JaffaCakes118.exe	cmd.exe
PID 1068 wrote to memory of 2764	1068	007876bea65f4c938ea2819f9039bd2e_JaffaCakes118.exe	cmd.exe
PID 1068 wrote to memory of 2764	1068	007876bea65f4c938ea2819f9039bd2e_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\007876bea65f4c938ea2819f9039bd2e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\007876bea65f4c938ea2819f9039bd2e_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\cmd.bat
C:\Windows\cmd.bat
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 284
3⤵
- Program crash
PID:2800

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SgotoDel.bat
2⤵
- Deletes itself
PID:2764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SgotoDel.bat

Filesize
212B

MD5
af4f759661efac2a3e682d9d1c0b2122

SHA1
f31d3f3e39d627f7fde146a2e179ccdd05818be9

SHA256
e782b3c8f6e341f18994c3e8efa14067cc170e6130dd45e8f59908a5ce5306c5

SHA512
39a0e0142435f2d8e5e02c714b423163b83108b6062e8792f18342c55bbb66848801ebf366b29da14b4c8116b412d28d3a041e525cad119cffaf901720a6eb7a

Download Submit
C:\Windows\cmd.bat

Filesize
288KB

MD5
007876bea65f4c938ea2819f9039bd2e

SHA1
3a802470fade9f678402b706ec95399583790f98

SHA256
b97a712a8229a35782d0b926b9b4dcaaef4bd467d32a74f6293152fcb0607a89

SHA512
4fdcdbc2127ac93dca43d88103127cc1dbd684aef080a56b167577e6b98b1e156b6f76fe243f07e5937f7fba28a36d8c79a4b6f2d07f0b5be5f7f3a7450f9918

Download Submit
memory/1068-15-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1068-2-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1068-10-0x00000000031A0000-0x00000000032E9000-memory.dmp

Filesize
1.3MB

Download
memory/1068-14-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1068-0-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1068-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1068-24-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2260-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2260-11-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2260-13-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2260-16-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download