modiloader | bb5883e8b4d6e8242a50addb4ac6e1f4e8b4773fc0ca60137efa37e18cb7651d

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 12:21

Target

1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe
Size

60KB
MD5

1a1871d24c9a060974d7ea8e1ee2f3be
SHA1

5cc14cd80cf0ff2b167d569f7abeaa4ad4edd263
SHA256

bb5883e8b4d6e8242a50addb4ac6e1f4e8b4773fc0ca60137efa37e18cb7651d
SHA512

eae61512c7bcfd138c1a9cfbe31522fb114472708daa1793f7333f88486f63828584fadcda744c50f2310f147723061ade6b562f8ff0b42d75db4da0a4716bf3
SSDEEP

1536:7m7wjsVTJ+p3JrkGLawHE/E2j+Ei+Hj2aBzybXNEH8YcdVuP:A+sVT45mn/bjni8DBebXNA8YuuP

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/memory/2180-3-0x0000000000400000-0x000000000042102D-memory.dmp	modiloader_stage2
behavioral1/files/0x000c00000001227b-7.dat	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
2208	temp.exe
2248	tcpip.exe

Loads dropped DLL 2 IoCs

pid	Process
760	cmd.exe
760	cmd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\tcpip.exe	temp.exe
File created	C:\Windows\SysWOW64\bbbbbbbbbbb.bat	temp.exe
File created	C:\Windows\SysWOW64\wwinsystem.dll	tcpip.exe
File created	C:\Windows\SysWOW64\tcpip.exe	temp.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2180	1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe
2180	1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe
2208	temp.exe
2208	temp.exe
2208	temp.exe
2208	temp.exe
2248	tcpip.exe
2248	tcpip.exe
2248	tcpip.exe
2248	tcpip.exe
2208	temp.exe
2208	temp.exe
2208	temp.exe
2208	temp.exe
2248	tcpip.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	temp.exe
Token: SeDebugPrivilege	2248	tcpip.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 760	2180	1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe	28
PID 2180 wrote to memory of 760	2180	1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe	28
PID 2180 wrote to memory of 760	2180	1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe	28
PID 2180 wrote to memory of 760	2180	1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe	28
PID 760 wrote to memory of 2208	760	cmd.exe	30
PID 760 wrote to memory of 2208	760	cmd.exe	30
PID 760 wrote to memory of 2208	760	cmd.exe	30
PID 760 wrote to memory of 2208	760	cmd.exe	30
PID 2208 wrote to memory of 2120	2208	temp.exe	32
PID 2208 wrote to memory of 2120	2208	temp.exe	32
PID 2208 wrote to memory of 2120	2208	temp.exe	32
PID 2208 wrote to memory of 2120	2208	temp.exe	32
PID 2248 wrote to memory of 1200	2248	tcpip.exe	21

C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
44KB

MD5
525bad80767be776bad88b697a878b09

SHA1
f9d1b62f325b86346224f1d206d1a9b062957bfd

SHA256
f96c1d02cda03f85e2bb00c91934e3b11566c2f0ec018756045b732a033ba97f

SHA512
b31a86463f28156a07661484c54a40619d88c7aa6f3b412e7fa66a11494470ad5b32276a177235b30a010173708205bd413f736face69606dbabe45ca9adaed9

Download Submit
C:\Windows\SysWOW64\bbbbbbbbbbb.bat

Filesize
142B

MD5
53c15f9d357cfc1f0225894d022d38a0

SHA1
8072a611daf361d643d68d541a7201b7b9deda61

SHA256
6addadfa58eb068cc0d7a34fd225855168a1efc7e52ca6a6400c12b1a492f274

SHA512
5dfa29e8fca646e0faadf4632e301be4918d256e7a9713f689b3d082ca2922843d12bad825516f02916b2405e1741a08bd8cb1944880ded175271b5f2541e407

Download Submit
memory/1200-19-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/2180-0-0x0000000000400000-0x000000000042102D-memory.dmp

Filesize
132KB

Download
memory/2180-3-0x0000000000400000-0x000000000042102D-memory.dmp

Filesize
132KB

Download