modiloader | 10a651dee5da12ef3ecadfd4a877e20ddedd67f894cacd5c7be76c3590458d43 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

JaffaCakes...a0.exe

windows7-x64

JaffaCakes...a0.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_61f0705cdb5cdbaa5b3fb3f27b6f37a0
Size

288KB
Sample

250102-cavbkayqck
MD5

61f0705cdb5cdbaa5b3fb3f27b6f37a0
SHA1

5c46436feb125eeb4773f55654f754eac4f6e406
SHA256

10a651dee5da12ef3ecadfd4a877e20ddedd67f894cacd5c7be76c3590458d43
SHA512

a52638c567fb1e9f06865963342b0968affbb255bcd77becd11d82f78bb269d4c52d3226770e625ae8b071a465dd00c347e20be7ba59e786507f4364cb616b85
SSDEEP

6144:Q0xJazG5XnxlXyDKeNdKW+FIzE/jI3uzFIR3ikfdliycN:Q0xFDX0NaLI3uzFIZK

Score

10^/10

modiloader discovery evasion persistence trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_61f0705cdb5cdbaa5b3fb3f27b6f37a0.exe

Resource

win7-20240903-en

modiloader discovery evasion persistence trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_61f0705cdb5cdbaa5b3fb3f27b6f37a0.exe

Resource

win10v2004-20241007-en

modiloader discovery evasion persistence trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  JaffaCakes118_61f0705cdb5cdbaa5b3fb3f27b6f37a0
- Size
  
  288KB
- MD5
  
  61f0705cdb5cdbaa5b3fb3f27b6f37a0
- SHA1
  
  5c46436feb125eeb4773f55654f754eac4f6e406
- SHA256
  
  10a651dee5da12ef3ecadfd4a877e20ddedd67f894cacd5c7be76c3590458d43
- SHA512
  
  a52638c567fb1e9f06865963342b0968affbb255bcd77becd11d82f78bb269d4c52d3226770e625ae8b071a465dd00c347e20be7ba59e786507f4364cb616b85
- SSDEEP
  
  6144:Q0xJazG5XnxlXyDKeNdKW+FIzE/jI3uzFIR3ikfdliycN:Q0xFDX0NaLI3uzFIZK
Score

10^/10

modiloader discovery evasion persistence trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modiloader family
  modiloader
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- ModiLoader Second Stage
- Adds policy Run key to start application
  persistence
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Software Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

modiloaderdiscoveryevasionpersistencetrojan

behavioral2

modiloaderdiscoveryevasionpersistencetrojan

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.