modiloader | 3113a1e17395e8837709bbbd899f272ea080e3aaa4f48ec683f545aa4d877d73

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 08:21

Target

04517afc89d8a0fedef81df73a0c6b44_JaffaCakes118.exe
Size

156KB
MD5

04517afc89d8a0fedef81df73a0c6b44
SHA1

256ad3857f610a0bbf63a17afb01f93e03e55b0e
SHA256

3113a1e17395e8837709bbbd899f272ea080e3aaa4f48ec683f545aa4d877d73
SHA512

f92f2562cec3c8fcaee85c7613b6b1d95c268f502eb51cdc4c2b37ea138654a1de031f1f7c4551e3c6b4e80b81b0d01601efbb93650b1dc8da5768a611acc08d
SSDEEP

1536:5sCqYOQXNCOLdE0qJQhLTg7Z+gGN5JpFHSOuopPZArSWNu58:jOmN14ULTg7sfNbp1SaPZArjU58

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1720-2-0x0000000000400000-0x0000000000427000-memory.dmp	modiloader_stage2
\RECYCLER\wmsj.exe	modiloader_stage2
behavioral1/memory/2704-11-0x0000000000400000-0x0000000000427000-memory.dmp	modiloader_stage2
behavioral1/memory/1720-15-0x0000000000400000-0x0000000000427000-memory.dmp	modiloader_stage2
behavioral1/memory/2704-14-0x0000000000400000-0x0000000000427000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

wmsj.exe

pid process

2704 wmsj.exe
Loads dropped DLL 2 IoCs

Processes:

04517afc89d8a0fedef81df73a0c6b44_JaffaCakes118.exe

pid process

1720 04517afc89d8a0fedef81df73a0c6b44_JaffaCakes118.exe
1720 04517afc89d8a0fedef81df73a0c6b44_JaffaCakes118.exe

pid	process
2704	wmsj.exe

pid	process
1720	04517afc89d8a0fedef81df73a0c6b44_JaffaCakes118.exe
1720	04517afc89d8a0fedef81df73a0c6b44_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

04517afc89d8a0fedef81df73a0c6b44_JaffaCakes118.exe

description	pid	process	target process
PID 1720 wrote to memory of 2704	1720	04517afc89d8a0fedef81df73a0c6b44_JaffaCakes118.exe	wmsj.exe
PID 1720 wrote to memory of 2704	1720	04517afc89d8a0fedef81df73a0c6b44_JaffaCakes118.exe	wmsj.exe
PID 1720 wrote to memory of 2704	1720	04517afc89d8a0fedef81df73a0c6b44_JaffaCakes118.exe	wmsj.exe
PID 1720 wrote to memory of 2704	1720	04517afc89d8a0fedef81df73a0c6b44_JaffaCakes118.exe	wmsj.exe

C:\RECYCLER\video.dll
Filesize
37KB

MD5
8f0be165d590c05ca5c03dee097f423c

SHA1
116310848129af5812b71b931c6ee0af829edae2

SHA256
98706d0a8a177975d4294b56a77d54c62d3152e852288695dbaf3aeb6d2e0019

SHA512
47a0e9514baf8bdfe555991c54ec212f35b3a7e746bbdb0534fd8eb633d6f20378384e919d3d2fca96c5d39085fc5ed5bd4fc092ade42fac0c77ec39c80e651a

Download Submit
\RECYCLER\wmsj.exe
Filesize
156KB

MD5
04517afc89d8a0fedef81df73a0c6b44

SHA1
256ad3857f610a0bbf63a17afb01f93e03e55b0e

SHA256
3113a1e17395e8837709bbbd899f272ea080e3aaa4f48ec683f545aa4d877d73

SHA512
f92f2562cec3c8fcaee85c7613b6b1d95c268f502eb51cdc4c2b37ea138654a1de031f1f7c4551e3c6b4e80b81b0d01601efbb93650b1dc8da5768a611acc08d

Download Submit
memory/1720-2-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1720-9-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1720-15-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2704-11-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2704-14-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download