Malware Analysis Report

2024-10-19 07:04

Sample ID 240509-fzw38sfe34
Target 287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118
SHA256 6b642779294dbc484846ac080019d3254fef27adcb91941f1365668768f99a28
Tags: modiloader, trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256

6b642779294dbc484846ac080019d3254fef27adcb91941f1365668768f99a28

Threat Level: Known bad

The file 287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: modiloader, trojan

Modiloader family

ModiLoader, DBatLoader

ModiLoader Second Stage

Loads dropped DLL

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Reading the signatures: ModiLoader (also tracked as DBatLoader) is a loader family, and both the family and the second-stage signatures fired on the static scan as well as in both detonations. The concrete host indicators this report records are two files the sample writes into C:\Program Files\Common Files\Microsoft Shared\MSINFO, SysInfo.dll and SysInfo.wmp (only SysInfo.wmp is hashed; SysInfo.dll has no file entry in either detonation), plus a Windows hook installed by the sample process (SetWindowsHookEx). "Loads dropped DLL" appears only in this summary; neither behavioral signature table contains the corresponding load event, so treat the file drop as confirmed by this page and the DLL load as unconfirmed. behavioral1 recorded no network activity, and the traffic in behavioral2 is not attributed to the sample process.

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-05-09 05:19

Signatures

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Modiloader family

modiloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 05:19

Reported

2024-05-09 05:21

Platform

win7-20240221-en

Max time kernel

141s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.dll | C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.dll | C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp | C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp | C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

Note on the DllHost entry: this is a COM surrogate, and the CLSID {76D0CB12-7604-4048-B83C-1005C7DDC503} is the Windows thumbnail cache out-of-process server that Explorer starts on its own, which is consistent with the FindShellTrayWindow hit attributed to it above. The report records no parent/child relation between this process and the sample, so do not treat it as a spawned or injected component of the loader without further evidence.

Network

N/A

Files

memory/2648-1-0x0000000002900000-0x0000000002902000-memory.dmp

memory/3004-2-0x00000000001F0000-0x00000000001F2000-memory.dmp

\Program Files\Common Files\Microsoft Shared\MSInfo\SysInfo.wmp

MD5 c4e1241f08a79f77098d2373e42a6abd
SHA1 5f30ffdc1ddf90cee4a924c5a84a22ca29896f19
SHA256 fb5bf9ecd9e3b840c5d168e568c94c5e73ee961ad4fe476e935040f934b675ff
SHA512 2c67f0ee3ebe3ec40be1ec8b244b98e62c7721befd8277bb9b66e36e29e46e27b7d37c588099f4376783568e76ae8d3778676a27d205e08cd6309c79015f441a

memory/3004-8-0x0000000000730000-0x0000000000731000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{6A85DA29-4A00-44FD-82FE-E41420D21943}.BMP

MD5 83ff7b981e81388e22b4f5a44855b29f
SHA1 1762e76a2ba0646327925e646aa9f0dbc685e312
SHA256 596b30d5b0bddcbcc26e945f101d50b02e99aab67f3b44805d82e2eabd19f225
SHA512 3846d6e06cd47381941dba6b8d0275c4e3d5aa70f47d71f50c8546e074e8c8d411cf66b50f570853c207e1404441c887bb3feccef20993decd8999dfa086fba2

memory/2648-12-0x0000000000400000-0x0000000000419000-memory.dmp

memory/3004-14-0x0000000000730000-0x0000000000731000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 05:19

Reported

2024-05-09 05:21

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.dll | C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.dll | C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp | C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp | C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe | N/A
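The drop recorded in this table (a binary running from the user's Temp directory writing into Program Files), together with the summary's "Loads dropped DLL", maps onto a simple two-step host detection. The block below is an added example written for this page, not part of the sandbox report or of any vendor rule set: it runs the two rules over constructed Sysmon-style events (1 = process create, 11 = file create, 7 = image load) that mirror behavioral1 and behavioral2. The event layout, the USER_WRITABLE and PROGRAM_FILES prefixes, the pid values and the benign control event are assumptions.

```python
import ntpath

# Constructed Sysmon-style events that mirror this report's behaviour. They are NOT the
# sandbox's raw telemetry. The last event is a benign control: a vendor installer
# writing inside its own Program Files tree, which the rules must not flag.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe"
SAMPLE_EVENTS = [
    {"id": 1, "pid": 2648, "image": SAMPLE},
    {"id": 11, "pid": 2648, "image": SAMPLE,
     "target": r"C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.dll"},
    {"id": 11, "pid": 2648, "image": SAMPLE,
     "target": r"C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp"},
    # The report prints the same directory as MSINFO and MSInfo; the load event uses the other case.
    {"id": 7, "pid": 2648, "image": SAMPLE,
     "loaded": r"C:\Program Files\Common Files\microsoft shared\MSInfo\SysInfo.dll"},
    {"id": 11, "pid": 4100, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"C:\Program Files\Vendor\plugin.dll"},
]

# Assumed prefixes: staging directories a mailed payload typically executes from, and
# the protected tree a process from such a directory has no business writing into.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")


def norm(path):
    """Normalize and case-fold a Windows path so MSINFO and MSInfo compare equal."""
    return ntpath.normpath(path).lower()


def detect(events):
    """Rule 1: a process running from a user-writable directory creates a file under
    Program Files. Rule 2: any process later loads one of those dropped files as an
    image. Returns the findings in event order."""
    dropped = {}   # normalized dropped path -> pid that wrote it
    findings = []
    for ev in events:
        image = norm(ev["image"])
        if ev["id"] == 11:
            target = norm(ev["target"])
            if any(s in image for s in USER_WRITABLE) and target.startswith(PROGRAM_FILES):
                dropped[target] = ev["pid"]
                findings.append({"rule": "drops_file_in_program_files",
                                 "pid": ev["pid"], "path": target})
        elif ev["id"] == 7:
            loaded = norm(ev["loaded"])
            if loaded in dropped:
                findings.append({"rule": "loads_dropped_dll", "pid": ev["pid"],
                                 "path": loaded, "dropped_by": dropped[loaded]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Path normalization is the part worth copying: the sandbox itself records the directory as MSINFO in the signature table and MSInfo in the Files list, and a case-sensitive comparison between the drop and the later load would miss the second rule entirely.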

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe"

Network

All 24 recorded flows are reverse-DNS (PTR) lookups sent to 8.8.8.8 and HTTPS sessions to Bing hosts (g.bing.com, www.bing.com, tse1.mm.bing.net), and none is attributed to the sample process. That pattern is consistent with the Windows 10 image's own background activity, and the report records no contact with a command-and-control host, which matches the empty Network section of behavioral1.

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
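When a sandbox network table looks like this one, the first triage step is to separate reverse lookups and platform noise from anything that could be the sample's own beacon. The block below is an added example for this page, not the sandbox's tooling: it parses the rows above (copied verbatim), buckets them, recovers the IPs behind the in-addr.arpa queries, and shows what an unexplained flow would look like using one constructed row on a documentation address. The BACKGROUND_DOMAINS list, which treats Bing traffic as the Windows 10 image's own activity, is an assumption.

```python
import ipaddress

# Rows copied from this report's behavioral2 Network table (country, destination, domain, proto).
NETWORK_TABLE = """
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
"""

# Assumption: the Windows 10 sandbox image talks to Bing on its own (search, Start menu),
# so these suffixes are host background rather than sample traffic.
BACKGROUND_DOMAINS = ("bing.com", "bing.net")

# Constructed row, NOT from the report, using a documentation IP and a reserved TLD,
# to show what the classifier surfaces as a candidate.
CONSTRUCTED_EXTRA = "CH 203.0.113.7:443 update.example.invalid tcp\n"


def parse_rows(text):
    """Parse 'country ip:port domain proto' rows; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto})
    return rows


def classify(rows):
    """Bucket rows into PTR lookups, assumed platform background, and candidate flows."""
    buckets = {"ptr": [], "background": [], "candidate": []}
    for r in rows:
        d = r["domain"]
        if d.endswith(".in-addr.arpa") and r["port"] == 53:
            buckets["ptr"].append(r)
        elif any(d == bg or d.endswith("." + bg) for bg in BACKGROUND_DOMAINS):
            buckets["background"].append(r)
        else:
            buckets["candidate"].append(r)
    return buckets


def ptr_targets(rows):
    """Recover the IPv4 addresses behind in-addr.arpa queries (octets are stored reversed)."""
    out = []
    for r in rows:
        labels = r["domain"].split(".")
        if labels[-2:] == ["in-addr", "arpa"]:
            out.append(str(ipaddress.ip_address(".".join(reversed(labels[:-2])))))
    return out


if __name__ == "__main__":
    b = classify(parse_rows(NETWORK_TABLE + CONSTRUCTED_EXTRA))
    print({k: len(v) for k, v in b.items()}, [r["domain"] for r in b["candidate"]])
```

The recovered PTR targets (52.191.219.104, 20.190.159.75 and so on) are what you would pass to a WHOIS or ASN lookup; the classifier itself only tells you which rows still need a human.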

Files

C:\Program Files\Common Files\microsoft shared\MSInfo\SysInfo.wmp

MD5 c4e1241f08a79f77098d2373e42a6abd
SHA1 5f30ffdc1ddf90cee4a924c5a84a22ca29896f19
SHA256 fb5bf9ecd9e3b840c5d168e568c94c5e73ee961ad4fe476e935040f934b675ff
SHA512 2c67f0ee3ebe3ec40be1ec8b244b98e62c7721befd8277bb9b66e36e29e46e27b7d37c588099f4376783568e76ae8d3778676a27d205e08cd6309c79015f441a

memory/2612-7-0x0000000000690000-0x00000000006A1000-memory.dmp

memory/2612-10-0x0000000000400000-0x0000000000419000-memory.dmp

memory/2612-11-0x0000000000690000-0x00000000006A1000-memory.dmp

memory/2612-37-0x0000000000690000-0x00000000006A1000-memory.dmp
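The Files sections of both detonations give a path plus MD5/SHA1/SHA256/SHA512 for the dropped SysInfo.wmp, mixed with memory-dump entries that carry no hashes. To turn that into something a responder can run on a suspect host, here is an added example in Python, written for this page and not part of the sandbox report or its tooling: it parses hash blocks in the format printed above, skips the memory-dump entries, walks a directory tree, hashes any file whose basename matches an IOC, and reports whether the SHA256 agrees. The report excerpt is copied from behavioral1 (including the missing drive letter); the directory tree and file contents built in demo() are constructed placeholders, so they will not match the report's hash, and a second pass against hashes of the placeholder itself shows what a positive match returns.

```python
import hashlib
import os
import tempfile

# Excerpt of this report's behavioral1 Files section, copied as printed. The
# memory-dump entries carry no hashes and must be skipped by the parser.
REPORT_FILES_EXCERPT = r"""
memory/2648-1-0x0000000002900000-0x0000000002902000-memory.dmp

\Program Files\Common Files\Microsoft Shared\MSInfo\SysInfo.wmp

MD5 c4e1241f08a79f77098d2373e42a6abd
SHA1 5f30ffdc1ddf90cee4a924c5a84a22ca29896f19
SHA256 fb5bf9ecd9e3b840c5d168e568c94c5e73ee961ad4fe476e935040f934b675ff
SHA512 2c67f0ee3ebe3ec40be1ec8b244b98e62c7721befd8277bb9b66e36e29e46e27b7d37c588099f4376783568e76ae8d3778676a27d205e08cd6309c79015f441a

memory/3004-8-0x0000000000730000-0x0000000000731000-memory.dmp
"""

HASH_ALGOS = ("md5", "sha1", "sha256", "sha512")
HEX = set("0123456789abcdef")


def parse_file_entries(text):
    """Return one dict per artifact that carries hashes: {'path', 'md5', 'sha1', 'sha256', 'sha512'}."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if (len(parts) == 2 and parts[0].lower() in HASH_ALGOS
                and set(parts[1].lower()) <= HEX and current is not None):
            current[parts[0].lower()] = parts[1].lower()
            continue
        # Any other non-empty line names a new artifact (file path or memory dump).
        if current and "sha256" in current:
            entries.append(current)
        current = {"path": line}
    if current and "sha256" in current:
        entries.append(current)
    return entries


def _digest(chunks):
    hashers = {name: hashlib.new(name) for name in HASH_ALGOS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    return _digest([data])


def hash_file(path):
    with open(path, "rb") as fh:
        return _digest(iter(lambda: fh.read(1 << 16), b""))


def scan_tree(root, entries):
    """Walk root; for each file whose basename matches an IOC path, hash it and compare SHA256.
    A basename hit alone is weak evidence; hash_match is the strong signal."""
    by_name = {}
    for e in entries:
        base = e["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        by_name.setdefault(base, []).append(e)
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            for e in by_name.get(name.lower(), []):
                full = os.path.join(dirpath, name)
                actual = hash_file(full)
                hits.append({"file": full, "ioc_path": e["path"], "sha256": actual["sha256"],
                             "hash_match": actual["sha256"] == e["sha256"]})
    return hits


def demo():
    """Build a constructed tree holding a placeholder SysInfo.wmp (NOT the real second stage)
    and scan it against the report's hashes, then against hashes of the placeholder itself."""
    report_iocs = parse_file_entries(REPORT_FILES_EXCERPT)
    placeholder = b"constructed placeholder bytes, not the sample's SysInfo.wmp\n"
    with tempfile.TemporaryDirectory() as root:
        target_dir = os.path.join(root, "Program Files", "Common Files", "Microsoft Shared", "MSInfo")
        os.makedirs(target_dir)
        with open(os.path.join(target_dir, "SysInfo.wmp"), "wb") as fh:
            fh.write(placeholder)
        self_ioc = dict(hash_bytes(placeholder), path=report_iocs[0]["path"])
        return {"against_report": scan_tree(root, report_iocs),
                "against_self": scan_tree(root, [self_ioc])}


if __name__ == "__main__":
    for label, hits in demo().items():
        for h in hits:
            print(label, h["ioc_path"], "hash_match=%s" % h["hash_match"])
```

On a real host you would point scan_tree at the drive root (or directly at C:\Program Files\Common Files\Microsoft Shared\MSINFO) and feed it the entries from both detonations; remember that SysInfo.dll has no hash on this page, so a file of that name can only be flagged by location, not confirmed by digest.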