modiloader | 28b82aa7ee854eb30ca8f791b5ba411afc6fd5b9a5190cc928aca03288b7f4e1

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 07:51

Target

26c5af423909b0a4f6c927ba476d3f03_JaffaCakes118.exe
Size

148KB
MD5

26c5af423909b0a4f6c927ba476d3f03
SHA1

6e45b73fe1dc36547795c6364fa5877cc706bc38
SHA256

28b82aa7ee854eb30ca8f791b5ba411afc6fd5b9a5190cc928aca03288b7f4e1
SHA512

39991ef9b19af99070c7be05abfeb1887588cdcaba3391a4e1b412a541f3479fba0ff455860bd16595d678cb7a6a7c89c01b5279d4774a14bb37e4d86e1a4b88
SSDEEP

1536:oNsCqYOQXNCQbkZJhquPB0GQweJUAuc4fHLq7JpFHSOuopcyhN/hY6w:eOmNKTe6Av4fHLqlp1SacyXrw

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral1/memory/1740-7-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/memory/1740-14-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/memory/1796-13-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/files/0x000700000001878c-12.dat	modiloader_stage2
behavioral1/memory/1796-10-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
1796	winwm.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\winwm.exe	winwm.exe
File created	C:\Windows\kulionwm.dll	26c5af423909b0a4f6c927ba476d3f03_JaffaCakes118.exe
File created	C:\Windows\winwm.exe	26c5af423909b0a4f6c927ba476d3f03_JaffaCakes118.exe
File opened for modification	C:\Windows\winwm.exe	26c5af423909b0a4f6c927ba476d3f03_JaffaCakes118.exe
File created	C:\Windows\kulionwm.dll	winwm.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1796	1740	26c5af423909b0a4f6c927ba476d3f03_JaffaCakes118.exe	30
PID 1740 wrote to memory of 1796	1740	26c5af423909b0a4f6c927ba476d3f03_JaffaCakes118.exe	30
PID 1740 wrote to memory of 1796	1740	26c5af423909b0a4f6c927ba476d3f03_JaffaCakes118.exe	30
PID 1740 wrote to memory of 1796	1740	26c5af423909b0a4f6c927ba476d3f03_JaffaCakes118.exe	30

C:\Windows\kulionwm.dll

Filesize
27KB

MD5
c3f7c9336d0fbaa8d08917bcb419c015

SHA1
018d756f7402c55464d6f0f81c92c584be09aa5a

SHA256
fb0d6e32b212bcbeb406d6a596447b3f3396a8389aa1925a282dbea8911d6803

SHA512
9be7e3933e3ae9d27345b9d269d1f10accc2197926cd2fcf719f034acf1d4f3f91e130092c96290b70dc0b6fa171944ab89a62d8e010ea9752251377eeb81b75

Download Submit
C:\Windows\winwm.exe

Filesize
148KB

MD5
26c5af423909b0a4f6c927ba476d3f03

SHA1
6e45b73fe1dc36547795c6364fa5877cc706bc38

SHA256
28b82aa7ee854eb30ca8f791b5ba411afc6fd5b9a5190cc928aca03288b7f4e1

SHA512
39991ef9b19af99070c7be05abfeb1887588cdcaba3391a4e1b412a541f3479fba0ff455860bd16595d678cb7a6a7c89c01b5279d4774a14bb37e4d86e1a4b88

Download Submit
memory/1740-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1740-14-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1740-9-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/1740-8-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/1796-13-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1796-10-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download