modiloader | 656e7f65de58471265eb496316b5872aab2e6dae899c2ac872d5878b8f2e19d4

General

Target

JaffaCakes118_76f96f8e8c9f854a53d81625a0d3fe26
Size

459KB
Sample

250104-chg17svqgw
MD5

76f96f8e8c9f854a53d81625a0d3fe26
SHA1

74bb8715260e08be61c0dcfda12897f6e4cb329c
SHA256

656e7f65de58471265eb496316b5872aab2e6dae899c2ac872d5878b8f2e19d4
SHA512

98f45941eb9a4343337d8867cfa2d41a130240ad284c73024a9ff9d7af93ed90ebc09fc5f08403443170b990f8c7f9630b26276cddeca8512a1fff176d18d459
SSDEEP

12288:crFC8npMzWFOvFuTGTI1yIqE/ydohlMsUJh4o:cjEvFuCTxIqBQ2sUJh4o

Score

10^/10

Malware Config

Targets

- Target
  
  JaffaCakes118_76f96f8e8c9f854a53d81625a0d3fe26
- Size
  
  459KB
- MD5
  
  76f96f8e8c9f854a53d81625a0d3fe26
- SHA1
  
  74bb8715260e08be61c0dcfda12897f6e4cb329c
- SHA256
  
  656e7f65de58471265eb496316b5872aab2e6dae899c2ac872d5878b8f2e19d4
- SHA512
  
  98f45941eb9a4343337d8867cfa2d41a130240ad284c73024a9ff9d7af93ed90ebc09fc5f08403443170b990f8c7f9630b26276cddeca8512a1fff176d18d459
- SSDEEP
  
  12288:crFC8npMzWFOvFuTGTI1yIqE/ydohlMsUJh4o:cjEvFuCTxIqBQ2sUJh4o
Score

10^/10

modiloader discovery evasion execution persistence trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modiloader family
  modiloader
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VirtualBox drivers on disk
  evasion
- ModiLoader Second Stage
- Adds policy Run key to start application
  persistence
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
behavioral1 behavioral2