Malware Analysis Report

2024-08-06 14:18

Sample ID 240619-12ay1atfnc
Target 00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118
SHA256 7e58ad24abda3f5b2aacf90eaa120e4508e65ac73df0ae54c40003fd8da59974
Tags
modiloader trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7e58ad24abda3f5b2aacf90eaa120e4508e65ac73df0ae54c40003fd8da59974

Threat Level: Known bad

The file 00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-19 22:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 22:08

Reported

2024-06-19 22:10

Platform

win7-20240221-en

Max time kernel

140s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2192 set thread context of 3040 N/A C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe
PID 2192 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe
PID 2192 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe
PID 2192 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe
PID 2192 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe
PID 2192 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe
PID 3040 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 3040 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 3040 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 3040 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 3040 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 3040 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 3040 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe
PID 3040 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 292

Network

N/A

Files

memory/2192-0-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/2192-1-0x00000000004C0000-0x0000000000514000-memory.dmp

memory/2192-11-0x00000000031E0000-0x00000000031E1000-memory.dmp

memory/2192-12-0x00000000031D0000-0x00000000031D1000-memory.dmp

memory/2192-10-0x00000000005F0000-0x00000000005F1000-memory.dmp

memory/2192-9-0x0000000001E90000-0x0000000001E91000-memory.dmp

memory/2192-8-0x0000000001E60000-0x0000000001E61000-memory.dmp

memory/2192-7-0x0000000001E70000-0x0000000001E71000-memory.dmp

memory/2192-6-0x00000000005D0000-0x00000000005D1000-memory.dmp

memory/2192-5-0x00000000005E0000-0x00000000005E1000-memory.dmp

memory/2192-4-0x0000000001E80000-0x0000000001E81000-memory.dmp

memory/2192-3-0x0000000000600000-0x0000000000601000-memory.dmp

memory/2192-2-0x0000000001E50000-0x0000000001E51000-memory.dmp

memory/3040-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2192-17-0x00000000004C0000-0x0000000000514000-memory.dmp

memory/2192-18-0x0000000003BE0000-0x0000000003CA0000-memory.dmp

memory/2192-16-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/3040-20-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/3040-21-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/2192-24-0x0000000003BE0000-0x0000000003CA0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 22:08

Reported

2024-06-19 22:10

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 660 set thread context of 900 N/A C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 660 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe
PID 660 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe
PID 660 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe
PID 660 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe
PID 660 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe
PID 900 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 900 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe C:\program files\internet explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\00c9bd656120b99ea11ed3bb55fa0e4a_JaffaCakes118.exe

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 900 -ip 900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 604

Network

Files

memory/660-0-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/660-1-0x0000000000760000-0x00000000007B4000-memory.dmp

memory/660-4-0x0000000002270000-0x0000000002271000-memory.dmp

memory/660-5-0x0000000002200000-0x0000000002201000-memory.dmp

memory/660-11-0x0000000003300000-0x0000000003301000-memory.dmp

memory/660-12-0x00000000032F0000-0x00000000032F1000-memory.dmp

memory/660-10-0x0000000002210000-0x0000000002211000-memory.dmp

memory/660-9-0x0000000002390000-0x0000000002391000-memory.dmp

memory/660-8-0x0000000002250000-0x0000000002251000-memory.dmp

memory/660-7-0x0000000002260000-0x0000000002261000-memory.dmp

memory/660-6-0x00000000021F0000-0x00000000021F1000-memory.dmp

memory/660-3-0x0000000002220000-0x0000000002221000-memory.dmp

memory/660-2-0x0000000002240000-0x0000000002241000-memory.dmp

memory/660-13-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/660-14-0x0000000000760000-0x00000000007B4000-memory.dmp

memory/900-15-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/900-17-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/900-18-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/900-19-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/900-20-0x0000000000400000-0x00000000004C0000-memory.dmp