modiloader | bb5883e8b4d6e8242a50addb4ac6e1f4e8b4773fc0ca60137efa37e18cb7651d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 12:21

Target

1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe
Size

60KB
MD5

1a1871d24c9a060974d7ea8e1ee2f3be
SHA1

5cc14cd80cf0ff2b167d569f7abeaa4ad4edd263
SHA256

bb5883e8b4d6e8242a50addb4ac6e1f4e8b4773fc0ca60137efa37e18cb7651d
SHA512

eae61512c7bcfd138c1a9cfbe31522fb114472708daa1793f7333f88486f63828584fadcda744c50f2310f147723061ade6b562f8ff0b42d75db4da0a4716bf3
SSDEEP

1536:7m7wjsVTJ+p3JrkGLawHE/E2j+Ei+Hj2aBzybXNEH8YcdVuP:A+sVT45mn/bjni8DBebXNA8YuuP

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

resource	yara_rule
behavioral2/memory/4060-0-0x0000000000400000-0x000000000042102D-memory.dmp	modiloader_stage2
behavioral2/memory/4060-3-0x0000000000400000-0x000000000042102D-memory.dmp	modiloader_stage2
behavioral2/files/0x000800000002328e-5.dat	modiloader_stage2

Executes dropped EXE 2 IoCs

pid	Process
348	temp.exe
1448	tcpip.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tcpip.exe	temp.exe
File opened for modification	C:\Windows\SysWOW64\tcpip.exe	temp.exe
File created	C:\Windows\SysWOW64\bbbbbbbbbbb.bat	temp.exe
File created	C:\Windows\SysWOW64\wwinsystem.dll	tcpip.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4060	1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe
4060	1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe
4060	1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe
4060	1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe
348	temp.exe
348	temp.exe
348	temp.exe
348	temp.exe
348	temp.exe
348	temp.exe
348	temp.exe
348	temp.exe
1448	tcpip.exe
1448	tcpip.exe
1448	tcpip.exe
1448	tcpip.exe
1448	tcpip.exe
1448	tcpip.exe
1448	tcpip.exe
1448	tcpip.exe
348	temp.exe
348	temp.exe
348	temp.exe
348	temp.exe
348	temp.exe
348	temp.exe
348	temp.exe
348	temp.exe
1448	tcpip.exe
1448	tcpip.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	348	temp.exe
Token: SeDebugPrivilege	1448	tcpip.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 1352	4060	1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe	81
PID 4060 wrote to memory of 1352	4060	1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe	81
PID 4060 wrote to memory of 1352	4060	1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe	81
PID 1352 wrote to memory of 348	1352	cmd.exe	83
PID 1352 wrote to memory of 348	1352	cmd.exe	83
PID 1352 wrote to memory of 348	1352	cmd.exe	83
PID 348 wrote to memory of 4764	348	temp.exe	85
PID 348 wrote to memory of 4764	348	temp.exe	85
PID 348 wrote to memory of 4764	348	temp.exe	85
PID 1448 wrote to memory of 3500	1448	tcpip.exe	56

C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
44KB

MD5
525bad80767be776bad88b697a878b09

SHA1
f9d1b62f325b86346224f1d206d1a9b062957bfd

SHA256
f96c1d02cda03f85e2bb00c91934e3b11566c2f0ec018756045b732a033ba97f

SHA512
b31a86463f28156a07661484c54a40619d88c7aa6f3b412e7fa66a11494470ad5b32276a177235b30a010173708205bd413f736face69606dbabe45ca9adaed9

Download Submit
C:\Windows\SysWOW64\bbbbbbbbbbb.bat

Filesize
142B

MD5
53c15f9d357cfc1f0225894d022d38a0

SHA1
8072a611daf361d643d68d541a7201b7b9deda61

SHA256
6addadfa58eb068cc0d7a34fd225855168a1efc7e52ca6a6400c12b1a492f274

SHA512
5dfa29e8fca646e0faadf4632e301be4918d256e7a9713f689b3d082ca2922843d12bad825516f02916b2405e1741a08bd8cb1944880ded175271b5f2541e407

Download Submit
memory/4060-0-0x0000000000400000-0x000000000042102D-memory.dmp

Filesize
132KB

Download
memory/4060-3-0x0000000000400000-0x000000000042102D-memory.dmp

Filesize
132KB

Download