modiloader | 2bf5f4082b7757cbc313b9e85b989c95e7895f5648b987643a5bc39cdc811b93

Analysis

max time kernel
141s
max time network
126s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 01:36

Target

2e8cc536440b2d80389016cc139794e6_JaffaCakes118.exe
Size

397KB
MD5

2e8cc536440b2d80389016cc139794e6
SHA1

b7ce1b251540ac70b1bef09023d1bfb8c1c3c0d0
SHA256

2bf5f4082b7757cbc313b9e85b989c95e7895f5648b987643a5bc39cdc811b93
SHA512

c19d45a4b3d064d2e9845a603ab2abf4c7091e944d18017c72a8b86bac28101296411c97cf46eb90abc70601e292d3c75b295ef518cd1cea03bd020f3032d4ae
SSDEEP

12288:uN2ZoBRQpiYuz4jOL5mNPFw2TJs3Dux5ogbBh:aWoQpiYJ2MPFgih

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2712-7-0x0000000000400000-0x000000000046B000-memory.dmp	modiloader_stage2

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FNTemper.exe	2e8cc536440b2d80389016cc139794e6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\FNTemper.exe	2e8cc536440b2d80389016cc139794e6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\advpeck.dll	2e8cc536440b2d80389016cc139794e6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\advpeck.dll	2e8cc536440b2d80389016cc139794e6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2712	2e8cc536440b2d80389016cc139794e6_JaffaCakes118.exe
2712	2e8cc536440b2d80389016cc139794e6_JaffaCakes118.exe

memory/2712-6-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2712-7-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download