modiloader | 692878ac81e6439a2af9d3e558b4456a5abae4c029a196b62e8b5b316fd3571b

Sharing

Copy URL

Twitter E-mail

General

Target

309aa62b90a286c54ffcae887aadbf0b_JaffaCakes118
Size

347KB
Sample

240510-xv8d5scf9x
MD5

309aa62b90a286c54ffcae887aadbf0b
SHA1

9194f50d1c11e0bbc7e8b3697ba2f3fac42ee853
SHA256

692878ac81e6439a2af9d3e558b4456a5abae4c029a196b62e8b5b316fd3571b
SHA512

e28840eca6e3c82b5808faed56c7a332515f9fe9ddd7af25b839f6fade25f6a3319e4f8b514d66a10ff1434906bc42a9e2fb18c28acf36ce3e970787a1eea09f
SSDEEP

6144:YZ/qRrMhvBX9YuyY3qj8Qlb5D6WWhJAqDhUNEH09XA4pMj:YBZhvd9Yu5aj8Qld25wcv4pMj

Score

10^/10

Malware Config

Targets

- Target
  
  309aa62b90a286c54ffcae887aadbf0b_JaffaCakes118
- Size
  
  347KB
- MD5
  
  309aa62b90a286c54ffcae887aadbf0b
- SHA1
  
  9194f50d1c11e0bbc7e8b3697ba2f3fac42ee853
- SHA256
  
  692878ac81e6439a2af9d3e558b4456a5abae4c029a196b62e8b5b316fd3571b
- SHA512
  
  e28840eca6e3c82b5808faed56c7a332515f9fe9ddd7af25b839f6fade25f6a3319e4f8b514d66a10ff1434906bc42a9e2fb18c28acf36ce3e970787a1eea09f
- SSDEEP
  
  6144:YZ/qRrMhvBX9YuyY3qj8Qlb5D6WWhJAqDhUNEH09XA4pMj:YBZhvd9Yu5aj8Qld25wcv4pMj
Score

10^/10

modiloader evasion persistence trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VirtualBox drivers on disk
  evasion
- ModiLoader Second Stage
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  ee260c45e97b62a5e42f17460d406068
- SHA1
  
  df35f6300a03c4d3d3bd69752574426296b78695
- SHA256
  
  e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
- SHA512
  
  a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3
- SSDEEP
  
  192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9
Score

3^/10
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/nsDialogs.dll
- Size
  
  9KB
- MD5
  
  477b78e5db22b4e651b6bec39d5c1acf
- SHA1
  
  418038f8d4db22471f55206aa8eb372f3f133d0d
- SHA256
  
  80d84f6c405f4e7b51d3e0c7c10b06ce60b28a43451bbe0e6e464d5e4783fc35
- SHA512
  
  6658a0718a6c15a6f0767d87d604ced9d2f3a1494eb6e44d39507687b9e675a05d026b68a7ef8a311b10863e229a963c8ea6f6efb1d92b0657b32ee836adfe21
- SSDEEP
  
  192:oB8cxzvTyl4tgi8pPjQM0PuAg0YNyPIFtSP:oBxzm+t18pZ0WAg0RPIFg
Score

3^/10
behavioral5 behavioral6
- Target
  
  25
- Size
  
  18KB
- MD5
  
  2f13168269e986740b06d20606e1f184
- SHA1
  
  ccddbaf2d68da81f8ef73112720ac739ea13e8d0
- SHA256
  
  29db1544eb0078b68f92c1dd9a7d4d42691f3662711f2665435cee3e5932a513
- SHA512
  
  874f0ff853c41197394fdd6f4d1b6813ce5ef033283d78e48e58ffd6c39663bc2489388e5562ff9888e6e9a75f0a533c6c673bcb7f20e584c5e99afe0de3f1d1
- SSDEEP
  
  384:dAEupuEmbK0wmKEYKYSKIIKKhS+53S/Pu:dAE/EhX5S/Pu
Score

1^/10
behavioral7 behavioral8
- Target
  
  catalog.js
- Size
  
  232KB
- MD5
  
  0759e460631a88f2f46f36b0954d24bb
- SHA1
  
  dd924ba22da028c3857e2b8c432837298b60e11a
- SHA256
  
  0026486014599cbfa992b89ab7c8e878577647145834a67b1be43f2e5eba925e
- SHA512
  
  5e7cddc223ad1dabb6dcac43e40c47027013431e654948c73021509e6953e2c9443a7e60a91441c71794eb5b4fd52c23861137dedf664ecc4f8a1ad5385eb26c
- SSDEEP
  
  6144:t56ZvBQaU36p4MqlnaE23TQORbNMbWqKP:twZ/1uBaJbCM
Score

3^/10

execution
behavioral10 behavioral9
- Target
  
  [email protected]
- Size
  
  17KB
- MD5
  
  3961c07ede89c2c21256afbbaf4564fd
- SHA1
  
  d9233d2bdd0df4bfa897089faaf7d63a7853491a
- SHA256
  
  e746fe00bae0393218a42c108e0fcf23583c7968be7e42021d89d3b6681c4395
- SHA512
  
  71776d86c58e0bb8e5dee9f33ccb05b04cf07d5f52435cb9ee5d81d357e54b86bd8aab3d48654cab799d8b385822e586ce531fe616da87ebdaaab6aa23c0390f
- SSDEEP
  
  384:DzfaKLETZDSbS/BtCtR2az8QqNEth9VIqcoRcqjV5agyps5VffOROxCIi8sjR+r4:DraKLETZDSntRfQith9V1coRZRUgyG5U
Score

3^/10

execution
behavioral11 behavioral12
- Target
  
  cua700985938.html
- Size
  
  10KB
- MD5
  
  32e1ef831f384a8248fcddcfb4b9fb53
- SHA1
  
  e18c83465a7e1936fcae87c53c7de94443fee50c
- SHA256
  
  129efa33173b666dbfb023fcc62c27d20df33c1ff409fee480f9d901b4ed7881
- SHA512
  
  61327f3ff4222101ca3563c36b51fed2f28c89422edbe0e50be5d02d6076e715243712fd17640d8a369c46e9a41f9fd6a02f2bbe5e55105e924086c5ed5fd69c
- SSDEEP
  
  96:6svd1l+hpC+O8PG8vWSwICn+BntinVTKqNr2Z3NEvHgjF+inJi4FJASkrMY2:xd1l+hpCMwIC+Bnt2tivEvHUF5HFfBY2
Score

1^/10
behavioral13 behavioral14
- Target
  
  cua768556328.html
- Size
  
  10KB
- MD5
  
  46ba2fd6093bf7ef95d57782a37a895c
- SHA1
  
  6911b87db5e1b978e3158899275199bd1bf79049
- SHA256
  
  0ff31c1960f5fba0eb3e80f6d58c9ad7e46267e8472fe534a4f2abc89d2230ee
- SHA512
  
  feacfdf9166eb759eaedf5807ceba82825dc6074e740695aa9d5dcca86b007742178309fed97616de54adaaa8dcdf45188f0116942fed742473b6080c9d45199
- SSDEEP
  
  96:6svd1l+hpC+O8PG8vWS8ICn+BntinVTKqNr2Z3NEvHgjF+irJi4FJASkrMY2:xd1l+hpCM8IC+Bnt2tivEvHUFdHFfBY2
Score

1^/10
behavioral15 behavioral16
- Target
  
  cua811702334.html
- Size
  
  10KB
- MD5
  
  4a9527531ef78bda1e662e74014f3569
- SHA1
  
  29c076b36209c5166b4acc442c5a41b57706e509
- SHA256
  
  8886ce6cde355684ffab78f27744fdacc0cb38160e593cb466ea495e80ab5cd9
- SHA512
  
  6eb7896f13543a817880e8a24e8f3a58c65052b81b5f166399a9df1e8183180a1491b265996318d1a71717112c7d309688a75755756ed34ed25e142603dcac8a
- SSDEEP
  
  96:6svd1l+hpC+O8PG8vWSBICn+BntinVTKqNr2Z3NEvHgjF+i8Ji4FJASkrMY2:xd1l+hpCMBIC+Bnt2tivEvHUFyHFfBY2
Score

1^/10
behavioral17 behavioral18
- Target
  
  gkamus-uninst.exe
- Size
  
  63KB
- MD5
  
  6305547a12e0e04228d42228ad6a504d
- SHA1
  
  f0b4d68c40a5738acc4ce718e14751d67446b165
- SHA256
  
  1e9db3d7ce31b8804ed9768621de21cd1144c0a1b8ed7e916eeb91dca13475de
- SHA512
  
  ad5a4aaca3d5b70c7a0f0dd82f4f71b5f80193411720ad8812ede6a3f996efb786309566c7f22c5beca2d1b1985ade15b7fb298d24d15333756e6fe183b42378
- SSDEEP
  
  1536:BmZw+QfiexLgJ/RQGcrnfDjuNgdLeAyN7BcT3hoVz:BmpQFx8/qGOnfDjuNceAYcF0
Score

7^/10
- Executes dropped EXE
- Loads dropped DLL
behavioral19 behavioral20
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  ee260c45e97b62a5e42f17460d406068
- SHA1
  
  df35f6300a03c4d3d3bd69752574426296b78695
- SHA256
  
  e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
- SHA512
  
  a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3
- SSDEEP
  
  192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9
Score

3^/10
behavioral21 behavioral22
- Target
  
  navigation.js
- Size
  
  490B
- MD5
  
  b4241d8dbda47fdeb0edd47f41b885ba
- SHA1
  
  9586723ba58539945d6702d903cf5e37b08be8b6
- SHA256
  
  ddc2807beaf2abf1fe34f4286bdc0c6cdc2c9077d37053045495708048a23aa6
- SHA512
  
  db0779ee7edd1e1d55d9adafabd2045679319f48e642f67e584a30221882697899065f487b1a0d4bd6be9790984c4266ce1f5da002c09ecd82171ef049bf96ef
Score

3^/10

execution
behavioral23 behavioral24
- Target
  
  writing
- Size
  
  15KB
- MD5
  
  ae9ac06c9bb7ad6cc583199cb7ddddfa
- SHA1
  
  83ed092b0a0d622956b0560ec1966192a7a9637b
- SHA256
  
  61768702d1008fb71cf52446a92a5d18842357487c31c4ac7f019a09e5ce11e2
- SHA512
  
  abb5c1b9116b2274613ae7ca970b3bed85ce2d5c3b7370b2bcb99db17da15e850ba40345118b08e87db28437f5ceb36ac221ffdfd5f6524c57314250f8cae317
- SSDEEP
  
  384:RmzICDWiQqX/nzQ/W3w3cSOQdKSsyvEMI1bTqjjdyF1:nEzwxcMIlqjdyF1
Score

1^/10
behavioral25 behavioral26

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

File and Directory Discovery

T1083

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

ModiLoader, DBatLoader

Process spawned unexpected child process

Checks for common network interception software

Looks for VirtualBox Guest Additions in registry

Looks for VirtualBox drivers on disk

ModiLoader Second Stage

Looks for VMWare Tools registry key

Checks BIOS information in registry

Checks computer location settings

Deletes itself

Loads dropped DLL

Adds Run key to start application

Maps connected drives based on registry

Drops file in System32 directory

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26