Analysis Overview
SHA256
22dc98f175eb8e091bd4b37b9b0c135323a207c12ff4bef142a673c5fea443e1
Threat Level: Known bad
The file e3660ace68bc814a14f023f2b014a1bc_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
ModiLoader Second Stage
Modiloader family
ModiLoader, DBatLoader
ModiLoader Second Stage
Creates new service(s)
Deletes itself
Drops file in System32 directory
Launches sc.exe
Unsigned PE
Discovers systems in the same network
Runs net.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 22:10
Signatures
ModiLoader Second Stage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Modiloader family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 22:10
Reported
2024-04-06 22:12
Platform
win7-20240319-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Creates new service(s)
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\sys_temtray.ini | C:\Users\Admin\AppData\Local\Temp\e3660ace68bc814a14f023f2b014a1bc_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sys_temtray.ini | C:\Users\Admin\AppData\Local\Temp\e3660ace68bc814a14f023f2b014a1bc_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\he.txt | C:\Users\Admin\AppData\Local\Temp\e3660ace68bc814a14f023f2b014a1bc_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\he.txt | C:\Users\Admin\AppData\Local\Temp\e3660ace68bc814a14f023f2b014a1bc_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sys_temtray.exe | C:\Users\Admin\AppData\Local\Temp\e3660ace68bc814a14f023f2b014a1bc_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sys_temtrayr.exe | C:\Users\Admin\AppData\Local\Temp\e3660ace68bc814a14f023f2b014a1bc_JaffaCakes118.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Discovers systems in the same network
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
Runs net.exe
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e3660ace68bc814a14f023f2b014a1bc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e3660ace68bc814a14f023f2b014a1bc_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc create WinServerView binpath= "C:\Windows\system32\sys_temtray.exe" type= share start= auto displayname= "systemtray" depend= RPCSS/Tcpip/IPSec
C:\Windows\SysWOW64\sc.exe
sc create WinServerView binpath= "C:\Windows\system32\sys_temtray.exe" type= share start= auto displayname= "systemtray" depend= RPCSS/Tcpip/IPSec
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net start WinServerView
C:\Windows\SysWOW64\net.exe
net start WinServerView
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start WinServerView
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\del.bat
Network
Files
memory/2876-0-0x00000000001B0000-0x00000000001B1000-memory.dmp
C:\del.bat
| Hash | Value |
|---|---|
| MD5 | 80c01008e0a9af951fab6c3c8a255295 |
| SHA1 | f73e3c41c3899c622165e0a28d0a9d21dbffc297 |
| SHA256 | 59d01dcede0107910aeb9e92ed93ccf3eb3ecc3888078ebc4ed23e2c45d71f30 |
| SHA512 | b32f436adfdee5839cec120e4bfe9426ba94f83a2fb40d5517461504df685cd4fb4cd8f44d2ff6a646772d5f6fe9f87e4abf35cf1e92bcabc9fb00fa4ee32ced |
memory/2876-12-0x0000000000400000-0x000000000047C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 22:10
Reported
2024-04-06 22:12
Platform
win10v2004-20231215-en
Max time kernel
91s
Max time network
92s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Creates new service(s)
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\sys_temtray.exe | C:\Users\Admin\AppData\Local\Temp\e3660ace68bc814a14f023f2b014a1bc_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sys_temtrayr.exe | C:\Users\Admin\AppData\Local\Temp\e3660ace68bc814a14f023f2b014a1bc_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\sys_temtray.ini | C:\Users\Admin\AppData\Local\Temp\e3660ace68bc814a14f023f2b014a1bc_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sys_temtray.ini | C:\Users\Admin\AppData\Local\Temp\e3660ace68bc814a14f023f2b014a1bc_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\he.txt | C:\Users\Admin\AppData\Local\Temp\e3660ace68bc814a14f023f2b014a1bc_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\he.txt | C:\Users\Admin\AppData\Local\Temp\e3660ace68bc814a14f023f2b014a1bc_JaffaCakes118.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Discovers systems in the same network
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
Runs net.exe
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e3660ace68bc814a14f023f2b014a1bc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e3660ace68bc814a14f023f2b014a1bc_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc create WinServerView binpath= "C:\Windows\system32\sys_temtray.exe" type= share start= auto displayname= "systemtray" depend= RPCSS/Tcpip/IPSec
C:\Windows\SysWOW64\sc.exe
sc create WinServerView binpath= "C:\Windows\system32\sys_temtray.exe" type= share start= auto displayname= "systemtray" depend= RPCSS/Tcpip/IPSec
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net start WinServerView
C:\Windows\SysWOW64\net.exe
net start WinServerView
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start WinServerView
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\del.bat
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/1680-0-0x0000000002210000-0x0000000002211000-memory.dmp
memory/1680-7-0x0000000000400000-0x000000000047C000-memory.dmp
\??\c:\del.bat
| Hash | Value |
|---|---|
| MD5 | 80c01008e0a9af951fab6c3c8a255295 |
| SHA1 | f73e3c41c3899c622165e0a28d0a9d21dbffc297 |
| SHA256 | 59d01dcede0107910aeb9e92ed93ccf3eb3ecc3888078ebc4ed23e2c45d71f30 |
| SHA512 | b32f436adfdee5839cec120e4bfe9426ba94f83a2fb40d5517461504df685cd4fb4cd8f44d2ff6a646772d5f6fe9f87e4abf35cf1e92bcabc9fb00fa4ee32ced |