Malware Analysis Report

2025-04-13 20:45

Sample ID 240407-21jp7ahb6v
Target e60f3e023405f91bf40a324441163477_JaffaCakes118
SHA256 62b524c500c62010924f1d1affb3b47e7e5dd1e84519ec2e5f35ffc6a11cfe01
Tags
modiloader evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

62b524c500c62010924f1d1affb3b47e7e5dd1e84519ec2e5f35ffc6a11cfe01

Threat Level: Known bad

The file e60f3e023405f91bf40a324441163477_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader evasion trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Identifies Wine through registry keys

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:02

Reported

2024-04-07 23:05

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e60f3e023405f91bf40a324441163477_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e60f3e023405f91bf40a324441163477_JaffaCakes118.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e60f3e023405f91bf40a324441163477_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e60f3e023405f91bf40a324441163477_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e60f3e023405f91bf40a324441163477_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\e60f3e023405f91bf40a324441163477_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e60f3e023405f91bf40a324441163477_JaffaCakes118.exe

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:02

Reported

2024-04-07 23:05

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e60f3e023405f91bf40a324441163477_JaffaCakes118.exe"

Signatures

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\e60f3e023405f91bf40a324441163477_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e60f3e023405f91bf40a324441163477_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e60f3e023405f91bf40a324441163477_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 121.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files
