modiloader | 00c86e33547653b9940f1065f3b23cad2f01323615862241370340b1a8787f2e

Analysis

max time kernel
13s
max time network
20s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06-07-2024 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

289af9ba7bc8838783f43eb478429464_JaffaCakes118.exe
Size

409KB
MD5

289af9ba7bc8838783f43eb478429464
SHA1

abf831debeac646da9fc7a3ce05a108d552284be
SHA256

00c86e33547653b9940f1065f3b23cad2f01323615862241370340b1a8787f2e
SHA512

93513a4d10372de69046a9d9063f610f1287ea21677d6f76bfe9057bce65a7dc5a02b6ff2082ea3b8c7e7add183ac760cceb1ac5a27cd1396e5832cbaac82e70
SSDEEP

12288:zQ+mznKsAvW13q86j7e4UYtqOthJNlYKG7L:zl21F65TlDI

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral1/files/0x000d000000018b54-5.dat	modiloader_stage2
behavioral1/memory/840-15-0x0000000000400000-0x00000000004C1000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
840	18.exe

Loads dropped DLL 2 IoCs

pid	Process
3004	289af9ba7bc8838783f43eb478429464_JaffaCakes118.exe
3004	289af9ba7bc8838783f43eb478429464_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\SetupWay.txt	18.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 840	3004	289af9ba7bc8838783f43eb478429464_JaffaCakes118.exe	29
PID 3004 wrote to memory of 840	3004	289af9ba7bc8838783f43eb478429464_JaffaCakes118.exe	29
PID 3004 wrote to memory of 840	3004	289af9ba7bc8838783f43eb478429464_JaffaCakes118.exe	29
PID 3004 wrote to memory of 840	3004	289af9ba7bc8838783f43eb478429464_JaffaCakes118.exe	29
PID 840 wrote to memory of 1492	840	18.exe	30
PID 840 wrote to memory of 1492	840	18.exe	30
PID 840 wrote to memory of 1492	840	18.exe	30
PID 840 wrote to memory of 1492	840	18.exe	30

C:\Users\Admin\AppData\Local\Temp\289af9ba7bc8838783f43eb478429464_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\289af9ba7bc8838783f43eb478429464_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\18.exe
  "C:\Users\Admin\AppData\Local\Temp\18.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"
    3⤵
    PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\18.exe

Filesize
688KB

MD5
5ec2c854ee8df2ce0e23858ec8e17742

SHA1
39e5e5783d89c09778c29a95f6b06a293d2d56ef

SHA256
bfacbe7bb65ada08f9f6bad16324bc054daa0c7bd24f3ccc8143e5937f84481c

SHA512
08da00f01c6f8c1620ff26aba07400b7c7d6e7ed9058772ba93a448d2555cc17973152bdb75ba14bdc498995b5393f919d8d4a1d108b99e6e34dc37af719a0da

Download Submit
memory/840-12-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/840-15-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/3004-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download