modiloader | f95eeab379aa98475a1ec134b4067c7cf0f61575d5f17fef54ec0c1355f340d5

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 02:04

Target

3fc4bf23d6f00f94ea81fa5684381ae0_JaffaCakes118.exe
Size

115KB
MD5

3fc4bf23d6f00f94ea81fa5684381ae0
SHA1

b5a4d50bc85eaa08483f388caadcb947f8548e14
SHA256

f95eeab379aa98475a1ec134b4067c7cf0f61575d5f17fef54ec0c1355f340d5
SHA512

eec9dacaeb73ebf0f0018cb99adfa668b56021bfbcf5b67cfd0af7bb56153f506cec3e318fd54ceda3f97a9ceb839834f938adfbec21d0e9390cadd441a8553d
SSDEEP

1536:jJzWQbJyKvfL1Kck/xkLGPw8SQo/Au+tB+A7cq+8+j0M5DFSlJYWtttSLIFhJT9F:jpd4KHRKTSMpB+X8QkYMXS0hJh5OKqq

Score

10^/10

modiloader trojan

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/1596-5-0x0000000013140000-0x000000001318A000-memory.dmp	modiloader_stage2

Loads dropped DLL 2 IoCs

pid	Process
2292	3fc4bf23d6f00f94ea81fa5684381ae0_JaffaCakes118.exe
2292	3fc4bf23d6f00f94ea81fa5684381ae0_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\sporder.dll	3fc4bf23d6f00f94ea81fa5684381ae0_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\rsvp32_2.dll	3fc4bf23d6f00f94ea81fa5684381ae0_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1596 set thread context of 2292	1596	3fc4bf23d6f00f94ea81fa5684381ae0_JaffaCakes118.exe	30

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2292	3fc4bf23d6f00f94ea81fa5684381ae0_JaffaCakes118.exe
476	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2292	3fc4bf23d6f00f94ea81fa5684381ae0_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2292	3fc4bf23d6f00f94ea81fa5684381ae0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 2292	1596	3fc4bf23d6f00f94ea81fa5684381ae0_JaffaCakes118.exe	30
PID 1596 wrote to memory of 2292	1596	3fc4bf23d6f00f94ea81fa5684381ae0_JaffaCakes118.exe	30
PID 1596 wrote to memory of 2292	1596	3fc4bf23d6f00f94ea81fa5684381ae0_JaffaCakes118.exe	30
PID 1596 wrote to memory of 2292	1596	3fc4bf23d6f00f94ea81fa5684381ae0_JaffaCakes118.exe	30
PID 1596 wrote to memory of 2292	1596	3fc4bf23d6f00f94ea81fa5684381ae0_JaffaCakes118.exe	30
PID 1596 wrote to memory of 2292	1596	3fc4bf23d6f00f94ea81fa5684381ae0_JaffaCakes118.exe	30

\Windows\SysWOW64\rsvp32_2.dll

Filesize
76KB

MD5
c3dbc101b538e7cfd81d8899ef4bb72a

SHA1
11416d526310acb46d4decf399311f805d41ade9

SHA256
03b7b5fcdd3193862528e039cb87d0ae2c254fc9112742ed2ba0493fd1be3f0f

SHA512
0fd7dd5e61ec0e2e9aaae40370e576bc2c6147fb924132078e7e7d1be4366deeb2cdd1706a1740fbd08ec591303349581c00e7915d4edda5be24e01b0574dc59

Download Submit
\Windows\SysWOW64\sporder.dll

Filesize
8KB

MD5
a082e5473b2a9a4d846ed7ddf637ac76

SHA1
1703f7969a6e76f8458eda3e8e40fd115c0bfdc3

SHA256
73f7171c2af70ccf8ee4c49626fb456807a6a668f6a967298dcd5ed29773bd2a

SHA512
abc1ea5a46d0784db23ddd9bd984527913c3e40a3896cfa43e9f4f999e4064038b24aed78e27bf2e705c8c55482e801f520987c2a74be6f01edc32df3d235eaa

Download Submit
memory/1596-5-0x0000000013140000-0x000000001318A000-memory.dmp

Filesize
296KB

Download
memory/2292-3-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2292-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2292-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2292-6-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2292-9-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2292-14-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download