modiloader | 9d6deb673f680360e6e174d5e908c01a72de5a25d3d57abeba1a3fe7b3bd5897

General

Target

4ba040cd37c2377080ac0ab46c0e0f29_JaffaCakes118
Size

351KB
Sample

240516-r6zy9ahh59
MD5

4ba040cd37c2377080ac0ab46c0e0f29
SHA1

7e82e62d98df025b1ef7ddd9fbadeaa6d70394d9
SHA256

9d6deb673f680360e6e174d5e908c01a72de5a25d3d57abeba1a3fe7b3bd5897
SHA512

bf282fd2e7c733b70dfd8f52e5d8aa006bf738eea1add3f7b07a0b0729e8c27b8076fe02bf9b6f15dc73c1fd7330762d87e5b5f94f3cc60289333abbb009e181
SSDEEP

6144:dOH7owoxfZMSHMdEyXD1DkoMBulp/vmhGAgcPVdHel3J:dOH7poBxeZD7MBuLmGA565

Score

10^/10

Malware Config

Targets

- Target
  
  4ba040cd37c2377080ac0ab46c0e0f29_JaffaCakes118
- Size
  
  351KB
- MD5
  
  4ba040cd37c2377080ac0ab46c0e0f29
- SHA1
  
  7e82e62d98df025b1ef7ddd9fbadeaa6d70394d9
- SHA256
  
  9d6deb673f680360e6e174d5e908c01a72de5a25d3d57abeba1a3fe7b3bd5897
- SHA512
  
  bf282fd2e7c733b70dfd8f52e5d8aa006bf738eea1add3f7b07a0b0729e8c27b8076fe02bf9b6f15dc73c1fd7330762d87e5b5f94f3cc60289333abbb009e181
- SSDEEP
  
  6144:dOH7owoxfZMSHMdEyXD1DkoMBulp/vmhGAgcPVdHel3J:dOH7poBxeZD7MBuLmGA565
Score

10^/10

modiloader evasion persistence trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VirtualBox drivers on disk
  evasion
- ModiLoader Second Stage
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2