modiloader | 33857fe0bfc9ace2ff86b661a5150ef4e179c7f41e9d65cc910c1d668476d1f2

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
Size

24KB
MD5

330a688744f20f40abd9ffdf407a975d
SHA1

dd950ed5b41c094c550bea67daf5f80eabd3f6c5
SHA256

33857fe0bfc9ace2ff86b661a5150ef4e179c7f41e9d65cc910c1d668476d1f2
SHA512

120a0e4e562bfd17b0fa4d313127ea5e16a817a814cb2c50d67b028b0d005487d2491af03d9924cbab1e1dee50253cd878b3ccff034531ac9adc71a17df5c7f3
SSDEEP

384:VnHtbAcIi89orgM0NE2DwQPsC7s9BoTNQgNbzivQcsEIr8O5fkOErxqJDpFna3ly:VHtsMgpNpwv99BoKgNQQ9X5sOE8Tna1Q

Score

10^/10

modiloader trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

resource	yara_rule
behavioral2/memory/4384-6-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/4568-9-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

pid	Process
4568	tcpip.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4384-0-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/files/0x0009000000023444-2.dat	upx
behavioral2/memory/4384-6-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/4568-9-0x0000000000400000-0x0000000000411000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\tcpip.exe	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\llldbww.bat	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msiupdata.dll	tcpip.exe
File created	C:\Windows\SysWOW64\tcpip.exe	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4568	tcpip.exe
4568	tcpip.exe
4568	tcpip.exe
4568	tcpip.exe
4568	tcpip.exe
4568	tcpip.exe
4568	tcpip.exe
4568	tcpip.exe
4568	tcpip.exe
4568	tcpip.exe
4568	tcpip.exe
4568	tcpip.exe
4568	tcpip.exe
4568	tcpip.exe
4568	tcpip.exe
4568	tcpip.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
4568	tcpip.exe
4568	tcpip.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
Token: SeDebugPrivilege	4568	tcpip.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 3108	4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe	81
PID 4384 wrote to memory of 3108	4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe	81
PID 4384 wrote to memory of 3108	4384	330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe	81
PID 4568 wrote to memory of 3344	4568	tcpip.exe	55

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3344
- C:\Users\Admin\AppData\Local\Temp\330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\330a688744f20f40abd9ffdf407a975d_JaffaCakes118.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\llldbww.bat
    3⤵
    PID:3108

C:\Windows\SysWOW64\tcpip.exe
C:\Windows\SysWOW64\tcpip.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\llldbww.bat

Filesize
218B

MD5
93f56f708a1895db5e41f60d07676fdb

SHA1
c42129a1c454a9bce500ae802a4e633117a652b3

SHA256
4eb38b7138cad97f87b26ec8d835b77b2d6eb18c2e16ecd46c669a6dbcd2d1c7

SHA512
4fe29cda89231e02dd74312c75527b1cbfe5d95cd158e2e9513a10f9154f9419d4e2fc7cae84a619269a48a660994b2ee1d95af605ec4af0b07341dab124520a

Download Submit
C:\Windows\SysWOW64\tcpip.exe

Filesize
24KB

MD5
330a688744f20f40abd9ffdf407a975d

SHA1
dd950ed5b41c094c550bea67daf5f80eabd3f6c5

SHA256
33857fe0bfc9ace2ff86b661a5150ef4e179c7f41e9d65cc910c1d668476d1f2

SHA512
120a0e4e562bfd17b0fa4d313127ea5e16a817a814cb2c50d67b028b0d005487d2491af03d9924cbab1e1dee50253cd878b3ccff034531ac9adc71a17df5c7f3

Download Submit
memory/4384-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4384-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4568-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download