Analysis Overview
SHA256
3d13bd742354c37651adaad71091c9510db0e596570bcc8497efbf98e2521bd1
Threat Level: Known bad
The file 00e82d1749e5d636fe123145909535a8_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
ModiLoader, DBatLoader
ModiLoader Second Stage
Loads dropped DLL
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-19 22:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 22:34
Reported
2024-06-19 22:36
Platform
win7-20240419-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\atmQQ2.dll | C:\Users\Admin\AppData\Local\Temp\00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe"
Network
Files
memory/2944-0-0x0000000000400000-0x0000000000425000-memory.dmp
\Program Files\Common Files\Microsoft Shared\MSInfo\atmQQ2.dll
| Hash | Value |
|---|---|
| MD5 | f45fba65ddd38aae9a4b54052d642e11 |
| SHA1 | 6926b3502e007f9cf9dc21eefb03eaca71823a7e |
| SHA256 | eeff588f8f86a4516508d56c80e84ae23509a073fbe707d6fba8f8d7a3a352c4 |
| SHA512 | 5cfce8c1f338dd32a59aa29ef4401c3797e27e577f4275faf665bb537d3f0174ca7e5f2eb448703a46b51f60efc2068da68761de0e708e3500792d2e6fddc3ff |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 22:34
Reported
2024-06-19 22:36
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
52s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\atmQQ2.dll | C:\Users\Admin\AppData\Local\Temp\00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00e82d1749e5d636fe123145909535a8_JaffaCakes118.exe"
Network
Files
memory/624-0-0x0000000000400000-0x0000000000425000-memory.dmp
C:\Program Files\Common Files\microsoft shared\MSInfo\atmQQ2.dll
| Hash | Value |
|---|---|
| MD5 | f45fba65ddd38aae9a4b54052d642e11 |
| SHA1 | 6926b3502e007f9cf9dc21eefb03eaca71823a7e |
| SHA256 | eeff588f8f86a4516508d56c80e84ae23509a073fbe707d6fba8f8d7a3a352c4 |
| SHA512 | 5cfce8c1f338dd32a59aa29ef4401c3797e27e577f4275faf665bb537d3f0174ca7e5f2eb448703a46b51f60efc2068da68761de0e708e3500792d2e6fddc3ff |