modiloader | dbf532759371e357703f0438bbfbbcd7c3ff52f60ac4e25aa3aa5443751a4277 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

e12c47566b...18.exe

windows7-x64

e12c47566b...18.exe

windows10-2004-x64

Sharing

General

Target

e12c47566b3b49fc80b3c26f75b50f3d_JaffaCakes118
Size

176KB
Sample

241211-m6kgcazmcy
MD5

e12c47566b3b49fc80b3c26f75b50f3d
SHA1

24979694656bf526aa3da5c776d3ac91a7e00874
SHA256

dbf532759371e357703f0438bbfbbcd7c3ff52f60ac4e25aa3aa5443751a4277
SHA512

21522f270211e96c3cd54a6359364a4c6d1d717c1a0947040ee3b874af1cd19abe040784f36c6d5f250d71b85b08ea58907df557e56c7ff60817216ad5b7f2ff
SSDEEP

3072:2rq0PWhNJaLuxgzGwoqNGuOj3LGm3KHmc6u/gy:w3uuzGuEn34KID

Score

10^/10

modiloader discovery persistence trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

e12c47566b3b49fc80b3c26f75b50f3d_JaffaCakes118.exe

Resource

win7-20240708-en

modiloader discovery persistence trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

e12c47566b3b49fc80b3c26f75b50f3d_JaffaCakes118.exe

Resource

win10v2004-20241007-en

modiloader discovery persistence trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  e12c47566b3b49fc80b3c26f75b50f3d_JaffaCakes118
- Size
  
  176KB
- MD5
  
  e12c47566b3b49fc80b3c26f75b50f3d
- SHA1
  
  24979694656bf526aa3da5c776d3ac91a7e00874
- SHA256
  
  dbf532759371e357703f0438bbfbbcd7c3ff52f60ac4e25aa3aa5443751a4277
- SHA512
  
  21522f270211e96c3cd54a6359364a4c6d1d717c1a0947040ee3b874af1cd19abe040784f36c6d5f250d71b85b08ea58907df557e56c7ff60817216ad5b7f2ff
- SSDEEP
  
  3072:2rq0PWhNJaLuxgzGwoqNGuOj3LGm3KHmc6u/gy:w3uuzGuEn34KID
Score

10^/10

modiloader discovery persistence trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modifies WinLogon for persistence
  persistence
- Modiloader family
  modiloader
- ModiLoader Second Stage
- Adds policy Run key to start application
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloaderdiscoverypersistencetrojan

behavioral2

modiloaderdiscoverypersistencetrojan

© 2018-2025

Terms | Privacy