modiloader | 03d596c4e2ec8536abb673e0629fc31d4c5df8863f378a1372546cd8cae7caf8

Sharing

Copy URL

Twitter E-mail

General

Target

9e20a516f7cc4eaecffcc0808b50fb64_JaffaCakes118
Size

314KB
Sample

241125-1wth6aylbv
MD5

9e20a516f7cc4eaecffcc0808b50fb64
SHA1

1681838951cffa50dbb5c61bb686ecc424b24a94
SHA256

03d596c4e2ec8536abb673e0629fc31d4c5df8863f378a1372546cd8cae7caf8
SHA512

c0a5d56faa997cca2536031e0a1ce56ac0b9bb926b8e65f7e2209097453845058249e515f9a9d89fc873173af22bb916382cb3516317efea4d253cfd7a5a2776
SSDEEP

6144:TB+pgUmaidOrFsPlz67WoiAoMYC/yc2MbsLQcSQj2qzZyc76K:TgOaoyuPlzo3i7/QyfI+QRc7X

Score

10^/10

Malware Config

Targets

- Target
  
  9e20a516f7cc4eaecffcc0808b50fb64_JaffaCakes118
- Size
  
  314KB
- MD5
  
  9e20a516f7cc4eaecffcc0808b50fb64
- SHA1
  
  1681838951cffa50dbb5c61bb686ecc424b24a94
- SHA256
  
  03d596c4e2ec8536abb673e0629fc31d4c5df8863f378a1372546cd8cae7caf8
- SHA512
  
  c0a5d56faa997cca2536031e0a1ce56ac0b9bb926b8e65f7e2209097453845058249e515f9a9d89fc873173af22bb916382cb3516317efea4d253cfd7a5a2776
- SSDEEP
  
  6144:TB+pgUmaidOrFsPlz67WoiAoMYC/yc2MbsLQcSQj2qzZyc76K:TgOaoyuPlzo3i7/QyfI+QRc7X
Score

10^/10

modiloader discovery evasion execution persistence trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modiloader family
  modiloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VirtualBox drivers on disk
  evasion
- ModiLoader Second Stage
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/InstallOptions.dll
- Size
  
  15KB
- MD5
  
  5b3edb39fe9c026322caf37ea10f6733
- SHA1
  
  3caf8b5b38feb87bfeb0e01e59d4e36f110c9e9e
- SHA256
  
  a96b1c95f51b088ed5ec476485a6aa562cbe68a88d0261ce88bcb3dca1f1c8b0
- SHA512
  
  7930e12c72744c9cf5e2f9b93236526289ed3f9773b92c865228ad33ab45d64e73ee5604a74e49630e066d802a5ca4602d4b986131d267ce17a8ce5d3b5f054c
- SSDEEP
  
  384:EfC43tPegZ3eBaRwCPOYY7nNYXC7/Yosa:EKTgZ3eBTCmrnNAh
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  a4dd044bcd94e9b3370ccf095b31f896
- SHA1
  
  17c78201323ab2095bc53184aa8267c9187d5173
- SHA256
  
  2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
- SHA512
  
  87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a
- SSDEEP
  
  192:em24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OlESl:m8QIl975eXqlWBrz7YLOlE
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  contact.php
- Size
  
  319B
- MD5
  
  48b7875eddf3913382a3c299e84a27f1
- SHA1
  
  6a05bcea4829a70ce0e1c105d0568ac5031d3e89
- SHA256
  
  88332868551ed40475c1d8b88613910b60773ccb5760083b2037c55a21c002f5
- SHA512
  
  d5b3a2f141d07242f9b6fdb71d77b821df76edb9677a2992ddfd16f242afc9df12ce5ae0dbd4c029d1c9dd7dc92b4069467c0ee4816c61e1693c46a8857d4a04
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  privacy_policy.php
- Size
  
  3KB
- MD5
  
  dab2f129c75c2369479d341a4f754e52
- SHA1
  
  b88958b6379579bd380661ed83625114a41c1a5b
- SHA256
  
  136ac48f0f2c86d9ba706455349703f76b9097271e8c61c94efa00a882ffc985
- SHA512
  
  63058fd68daf8f02b4e0d7dea32ce8fb9fd456188878ebbe626bc354a394a8ca16f7aec2617d585e6e799801058775c29c6c08891fa77b05de857d409762e87e
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  uninstall.exe
- Size
  
  53KB
- MD5
  
  8ac175edf71a4fa85c1b63e7767475ac
- SHA1
  
  cd3ad22fa01af49731bde4092eba295a03fe545d
- SHA256
  
  7a3a438b9d9966a29766c5b2680af99840a440682b1ce97650f8e056e1622689
- SHA512
  
  c8971ce82da2c5caf1282c8620d294864f64e1cf91cd91aeea3cd1d94ff62cd949af7cddc8478d88da3be2a3455a85baee2b20de219e614d2dbaf875e3b9296b
- SSDEEP
  
  1536:oMaAWOz2YOFw3ae4ptaq5qHSlTBu5gdLeAyN0h9ws:oAe+3aJpgWXTBu5ceA3ws
Score

7^/10

discovery
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
behavioral11 behavioral12