modiloader | b23ef3c239b2296e7cf083b738a6fb7ad32c7125cccbf9c1b4b38bcb5ddad516 | Triage

Submit
Reports

Overview

overview

Static

static

ccd36a7a88...18.exe

windows7-x64

ccd36a7a88...18.exe

windows10-2004-x64

Sharing

General

Target

ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118
Size

2.0MB
Sample

241206-nxbnhswjh1
MD5

ccd36a7a88b817167d87e8c321597f4e
SHA1

a9cfeac34629b89cc1bd484ffa71e85141f54c4e
SHA256

b23ef3c239b2296e7cf083b738a6fb7ad32c7125cccbf9c1b4b38bcb5ddad516
SHA512

e176044f65c9288e008b3f8c0a1546b2c108b2be133209c84f1d402bb21db4793f5ed762a570ad16eadb2c99a7a8b7270487a46b5b7f793e0020946f1567bb49
SSDEEP

49152:EhNDQ14n+tTb52LVucsFaBgv4TV6JzMsJIz2Ee08O3kp:yDQ14+52huX+oMbz33u

Score

10^/10

modiloader bootkit discovery evasion persistence trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe

Resource

win7-20241010-en

modiloader bootkit discovery evasion persistence trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe

Resource

win10v2004-20241007-en

modiloader bootkit discovery evasion persistence trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Targets

- Target
  
  ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118
- Size
  
  2.0MB
- MD5
  
  ccd36a7a88b817167d87e8c321597f4e
- SHA1
  
  a9cfeac34629b89cc1bd484ffa71e85141f54c4e
- SHA256
  
  b23ef3c239b2296e7cf083b738a6fb7ad32c7125cccbf9c1b4b38bcb5ddad516
- SHA512
  
  e176044f65c9288e008b3f8c0a1546b2c108b2be133209c84f1d402bb21db4793f5ed762a570ad16eadb2c99a7a8b7270487a46b5b7f793e0020946f1567bb49
- SSDEEP
  
  49152:EhNDQ14n+tTb52LVucsFaBgv4TV6JzMsJIz2Ee08O3kp:yDQ14+52huX+oMbz33u
Score

10^/10

modiloader bootkit discovery evasion persistence trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modifies WinLogon for persistence
  persistence
- Modifies visibility of file extensions in Explorer
  evasion
- Modiloader family
  modiloader
- ModiLoader Second Stage
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Pre-OS Boot

Bootkit

Privilege Escalation

Boot or Logon Autostart Execution

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloaderbootkitdiscoveryevasionpersistencetrojan

behavioral2

modiloaderbootkitdiscoveryevasionpersistencetrojan

© 2018-2025

Terms | Privacy