modiloader | 7348733839473285ae7860e7039c626d5ac5ce528230c7fc33911e3d89992ea2 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

e23d36c1d7...18.exe

windows7-x64

e23d36c1d7...18.exe

windows10-2004-x64

Sharing

General

Target

e23d36c1d78e7a26173d92e7d46b6050_JaffaCakes118
Size

934KB
Sample

240915-l8p9yaybmg
MD5

e23d36c1d78e7a26173d92e7d46b6050
SHA1

9ec176a6afaaac7868524db6bc30740b2c106a39
SHA256

7348733839473285ae7860e7039c626d5ac5ce528230c7fc33911e3d89992ea2
SHA512

3c3c3e13d58a119a7e4757e7843e62736f22249a2a1357ac9ba39e9cff7fd0e6224479c336e815d4446ff429f3fd48e9e21ddcce7f512b1e67f99b9eaf280a5e
SSDEEP

12288:S7oA4UawsXCVX1SQ83hdeZqX9IUOty4dRqolkBfCej/WiLDpzEJeyynoKJ92jphQ:sovS9wV3uqyUY3eBv7WO3Xorp+F

Score

10^/10

modiloader discovery evasion persistence trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

e23d36c1d78e7a26173d92e7d46b6050_JaffaCakes118.exe

Resource

win7-20240903-en

modiloader discovery evasion persistence trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

e23d36c1d78e7a26173d92e7d46b6050_JaffaCakes118.exe

Resource

win10v2004-20240802-en

modiloader discovery evasion persistence trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Targets

- Target
  
  e23d36c1d78e7a26173d92e7d46b6050_JaffaCakes118
- Size
  
  934KB
- MD5
  
  e23d36c1d78e7a26173d92e7d46b6050
- SHA1
  
  9ec176a6afaaac7868524db6bc30740b2c106a39
- SHA256
  
  7348733839473285ae7860e7039c626d5ac5ce528230c7fc33911e3d89992ea2
- SHA512
  
  3c3c3e13d58a119a7e4757e7843e62736f22249a2a1357ac9ba39e9cff7fd0e6224479c336e815d4446ff429f3fd48e9e21ddcce7f512b1e67f99b9eaf280a5e
- SSDEEP
  
  12288:S7oA4UawsXCVX1SQ83hdeZqX9IUOty4dRqolkBfCej/WiLDpzEJeyynoKJ92jphQ:sovS9wV3uqyUY3eBv7WO3Xorp+F
Score

10^/10

modiloader discovery evasion persistence trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- UAC bypass
  evasion trojan
- ModiLoader Second Stage
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloaderdiscoveryevasionpersistencetrojan

behavioral2

modiloaderdiscoveryevasionpersistencetrojan

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.