modiloader | bb41dddfefc9a6129c46645fcfaba2ea90cf4f55f6f54df2702c7c553ba61952 | Triage

Sharing

General

Target

fc03dd697d1e1e6a3854b08b6495aff9_JaffaCakes118
Size

719KB
Sample

240928-lmnh8a1elb
MD5

fc03dd697d1e1e6a3854b08b6495aff9
SHA1

8bcbeaab1428a488403a383984ea908a52ff568d
SHA256

bb41dddfefc9a6129c46645fcfaba2ea90cf4f55f6f54df2702c7c553ba61952
SHA512

e9a4328be43e6221537e595f26f69b4a66b8b242ad16576c48f3dd9f3e6f239ad746b2b16a69e12ab657c87c536ccc97c8d0fe0bd0a2f4a84f99e82d77307b81
SSDEEP

12288:6XgPVmsO7H+JeYkZQors8sEyMGXxe/lX4EEPSwDfAmgBJbf8AwnBrRm8dZ/X:AoZ3J78GQX4bEmCb+rRvZ/X

Score

10^/10

modiloader bootkit defense_evasion discovery persistence trojan

Malware Config

Targets

- Target
  
  fc03dd697d1e1e6a3854b08b6495aff9_JaffaCakes118
- Size
  
  719KB
- MD5
  
  fc03dd697d1e1e6a3854b08b6495aff9
- SHA1
  
  8bcbeaab1428a488403a383984ea908a52ff568d
- SHA256
  
  bb41dddfefc9a6129c46645fcfaba2ea90cf4f55f6f54df2702c7c553ba61952
- SHA512
  
  e9a4328be43e6221537e595f26f69b4a66b8b242ad16576c48f3dd9f3e6f239ad746b2b16a69e12ab657c87c536ccc97c8d0fe0bd0a2f4a84f99e82d77307b81
- SSDEEP
  
  12288:6XgPVmsO7H+JeYkZQors8sEyMGXxe/lX4EEPSwDfAmgBJbf8AwnBrRm8dZ/X:AoZ3J78GQX4bEmCb+rRvZ/X
Score

10^/10

modiloader bootkit defense_evasion discovery persistence trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- ModiLoader Second Stage
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Pre-OS Boot

Bootkit

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Indicator Removal

File Deletion

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloaderbootkitdefense_evasiondiscoverypersistencetrojan

behavioral2

modiloaderbootkitdefense_evasiondiscoverypersistencetrojan