Analysis Overview
SHA256
6b642779294dbc484846ac080019d3254fef27adcb91941f1365668768f99a28
Threat Level: Known bad
The file 287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modiloader family
ModiLoader, DBatLoader
ModiLoader Second Stage
ModiLoader Second Stage
Loads dropped DLL
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 05:19
Signatures
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modiloader family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 05:19
Reported
2024-05-09 05:21
Platform
win7-20240221-en
Max time kernel
141s
Max time network
126s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.dll | C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.dll | C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp | C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp | C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Network
Files
memory/2648-1-0x0000000002900000-0x0000000002902000-memory.dmp
memory/3004-2-0x00000000001F0000-0x00000000001F2000-memory.dmp
\Program Files\Common Files\Microsoft Shared\MSInfo\SysInfo.wmp
| MD5 | c4e1241f08a79f77098d2373e42a6abd |
| SHA1 | 5f30ffdc1ddf90cee4a924c5a84a22ca29896f19 |
| SHA256 | fb5bf9ecd9e3b840c5d168e568c94c5e73ee961ad4fe476e935040f934b675ff |
| SHA512 | 2c67f0ee3ebe3ec40be1ec8b244b98e62c7721befd8277bb9b66e36e29e46e27b7d37c588099f4376783568e76ae8d3778676a27d205e08cd6309c79015f441a |
memory/3004-8-0x0000000000730000-0x0000000000731000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{6A85DA29-4A00-44FD-82FE-E41420D21943}.BMP
| MD5 | 83ff7b981e81388e22b4f5a44855b29f |
| SHA1 | 1762e76a2ba0646327925e646aa9f0dbc685e312 |
| SHA256 | 596b30d5b0bddcbcc26e945f101d50b02e99aab67f3b44805d82e2eabd19f225 |
| SHA512 | 3846d6e06cd47381941dba6b8d0275c4e3d5aa70f47d71f50c8546e074e8c8d411cf66b50f570853c207e1404441c887bb3feccef20993decd8999dfa086fba2 |
memory/2648-12-0x0000000000400000-0x0000000000419000-memory.dmp
memory/3004-14-0x0000000000730000-0x0000000000731000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 05:19
Reported
2024-05-09 05:21
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.dll | C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.dll | C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp | C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp | C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\287676aed2a794ab37b5d15e3b8240fc_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
C:\Program Files\Common Files\microsoft shared\MSInfo\SysInfo.wmp
| MD5 | c4e1241f08a79f77098d2373e42a6abd |
| SHA1 | 5f30ffdc1ddf90cee4a924c5a84a22ca29896f19 |
| SHA256 | fb5bf9ecd9e3b840c5d168e568c94c5e73ee961ad4fe476e935040f934b675ff |
| SHA512 | 2c67f0ee3ebe3ec40be1ec8b244b98e62c7721befd8277bb9b66e36e29e46e27b7d37c588099f4376783568e76ae8d3778676a27d205e08cd6309c79015f441a |
memory/2612-7-0x0000000000690000-0x00000000006A1000-memory.dmp
memory/2612-10-0x0000000000400000-0x0000000000419000-memory.dmp
memory/2612-11-0x0000000000690000-0x00000000006A1000-memory.dmp
memory/2612-37-0x0000000000690000-0x00000000006A1000-memory.dmp