modiloader | b39ccb829a65b59d24a3661bd50425ac211de80234093ad0782ebefc4c8c8a7e

Analysis

max time kernel
141s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 04:39

Target

02de96754f937b113d83753dd16dee3d_JaffaCakes118.exe
Size

26KB
MD5

02de96754f937b113d83753dd16dee3d
SHA1

7687b2428ee867abb0a9f422d5fa47bbe179f43c
SHA256

b39ccb829a65b59d24a3661bd50425ac211de80234093ad0782ebefc4c8c8a7e
SHA512

aa1d0b944593f0998fd74eb8d04688cd2b9ab07a7618e7650bdb8913cc7b5adddd30b5adf5f70c1e9a222fe0177e11f70910c66cc7ac10ce576f2d6a32d9e2e9
SSDEEP

384:7om+8TpFywSLQjzu/RQ+mLyvXYu5+z0Y3hyvkuSVGw0FkiH1D1drqTMqJIuLZ7UQ:7bJpFHSLyupC2/kztVGZF7p2jJrBU+

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4412-1-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/4576-8-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/4412-15-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/4576-18-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

wmsj.exe

pid process

4576 wmsj.exe
Loads dropped DLL 2 IoCs

Processes:

wmsj.exe

pid process

4576 wmsj.exe
4576 wmsj.exe

pid	process
4576	wmsj.exe

pid	process
4576	wmsj.exe
4576	wmsj.exe

Drops file in Windows directory 5 IoCs

Processes:

02de96754f937b113d83753dd16dee3d_JaffaCakes118.exewmsj.exe

description	ioc	process
File created	C:\Windows\video.dll	02de96754f937b113d83753dd16dee3d_JaffaCakes118.exe
File created	C:\Windows\wmsj.exe	02de96754f937b113d83753dd16dee3d_JaffaCakes118.exe
File opened for modification	C:\Windows\wmsj.exe	02de96754f937b113d83753dd16dee3d_JaffaCakes118.exe
File created	C:\Windows\video.dll	wmsj.exe
File created	C:\Windows\wmsj.exe	wmsj.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wmsj.exe

pid process

4576 wmsj.exe

pid	process
4576	wmsj.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

02de96754f937b113d83753dd16dee3d_JaffaCakes118.exe

description	pid	process	target process
PID 4412 wrote to memory of 4576	4412	02de96754f937b113d83753dd16dee3d_JaffaCakes118.exe	wmsj.exe
PID 4412 wrote to memory of 4576	4412	02de96754f937b113d83753dd16dee3d_JaffaCakes118.exe	wmsj.exe
PID 4412 wrote to memory of 4576	4412	02de96754f937b113d83753dd16dee3d_JaffaCakes118.exe	wmsj.exe

C:\Windows\video.dll

Filesize
31KB

MD5
3a9aa44afa973f912667a8b84123c9e4

SHA1
6ef0a374db50aca50bcbf33f06894941bbfcca31

SHA256
29845b6f79790bf8e3220b03ba95d442d0318b3f1c7292a1fcfdc325cde9a622

SHA512
4a02288e54b10be19bdb39c1d1e8ba89a63da794c5bd9e480fb59cb1557a55e14ce7a843c469e8087520e51686f5a6e78469ad48ace9be2d7b3d66556cdc9dc6

Download Submit
C:\Windows\wmsj.exe

Filesize
26KB

MD5
02de96754f937b113d83753dd16dee3d

SHA1
7687b2428ee867abb0a9f422d5fa47bbe179f43c

SHA256
b39ccb829a65b59d24a3661bd50425ac211de80234093ad0782ebefc4c8c8a7e

SHA512
aa1d0b944593f0998fd74eb8d04688cd2b9ab07a7618e7650bdb8913cc7b5adddd30b5adf5f70c1e9a222fe0177e11f70910c66cc7ac10ce576f2d6a32d9e2e9

Download Submit
memory/4412-1-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4412-15-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4576-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4576-12-0x0000000002030000-0x000000000203E000-memory.dmp

Filesize
56KB

Download
memory/4576-16-0x0000000002030000-0x000000000203E000-memory.dmp

Filesize
56KB

Download
memory/4576-18-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download