Malware Analysis Report

2024-08-06 14:19

Sample ID 240619-xp3ayaxdjh
Target 001385ef05b556dbcda822925ea9a8ec_JaffaCakes118
SHA256 0b37d22d6c2d1a191c50f5ee6720e3f1f2db0063787dbbb4b40fa80933ea4365
Tags modiloader trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

0b37d22d6c2d1a191c50f5ee6720e3f1f2db0063787dbbb4b40fa80933ea4365

Threat Level: Known bad

The file 001385ef05b556dbcda822925ea9a8ec_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Executes dropped EXE

Loads dropped DLL

Deletes itself

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-19 19:02

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 19:02

Reported

2024-06-19 19:05

Platform

win7-20240419-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 304 set thread context of 2552 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe | C:\Windows\SysWOW64\svchost.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe | C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe | C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat | C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2208 wrote to memory of 304 | N/A | C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe
PID 2208 wrote to memory of 304 | N/A | C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe
PID 2208 wrote to memory of 304 | N/A | C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe
PID 2208 wrote to memory of 304 | N/A | C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe
PID 304 wrote to memory of 2552 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe | C:\Windows\SysWOW64\svchost.exe
PID 304 wrote to memory of 2552 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe | C:\Windows\SysWOW64\svchost.exe
PID 304 wrote to memory of 2552 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe | C:\Windows\SysWOW64\svchost.exe
PID 304 wrote to memory of 2552 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe | C:\Windows\SysWOW64\svchost.exe
PID 304 wrote to memory of 2552 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe | C:\Windows\SysWOW64\svchost.exe
PID 304 wrote to memory of 2552 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe | C:\Windows\SysWOW64\svchost.exe
PID 2208 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe"

C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe

"C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""

Network

N/A

Files

\Program Files\Common Files\Microsoft Shared\MSInfo\11151.exe

MD5 001385ef05b556dbcda822925ea9a8ec
SHA1 cc3fdcee65d83153a1da72d8cdaee3f271967594
SHA256 0b37d22d6c2d1a191c50f5ee6720e3f1f2db0063787dbbb4b40fa80933ea4365
SHA512 18d899a08cd5565fde4d21f963cf46f7dbffc3062cbb15054becf5ed16c7a445047a7b4db0283992b19677ff5da816ac657cf2e8ad8bb118a056c000bc35434c

C:\Program Files\Common Files\Microsoft Shared\MSInfo\Delet.bat

MD5 cf8b32b602fa7bc484a03a930a8d2375
SHA1 1fc78bc1ed022f94dbd655cd5e2a190684e95f31
SHA256 a5754221e1df6a36a5f54d23cab6258f8db2fa14abd3956d6654ab927e26504d
SHA512 e3f54423eacf8be23cb20fa202a236be37fda255af4421b9d3523c7c83a16c5eda022b57ee57f7ee753eb2d39843149a3a0c499196e0b2f113f9cd74f4e4c7d8


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 19:02

Reported

2024-06-19 19:05

Platform

win10v2004-20240611-en

Max time kernel

140s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2792 set thread context of 3312 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe | C:\Windows\SysWOW64\svchost.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe | C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe | C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat | C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3032 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe
PID 3032 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe
PID 3032 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe
PID 2792 wrote to memory of 3312 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe | C:\Windows\SysWOW64\svchost.exe
PID 2792 wrote to memory of 3312 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe | C:\Windows\SysWOW64\svchost.exe
PID 2792 wrote to memory of 3312 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe | C:\Windows\SysWOW64\svchost.exe
PID 2792 wrote to memory of 3312 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe | C:\Windows\SysWOW64\svchost.exe
PID 2792 wrote to memory of 3312 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe | C:\Windows\SysWOW64\svchost.exe
PID 3032 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\001385ef05b556dbcda822925ea9a8ec_JaffaCakes118.exe"

C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe

"C:\Program Files\Common Files\Microsoft Shared\MSINFO\11151.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 12

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp

Files

C:\Program Files\Common Files\microsoft shared\MSInfo\11151.exe

MD5 001385ef05b556dbcda822925ea9a8ec
SHA1 cc3fdcee65d83153a1da72d8cdaee3f271967594
SHA256 0b37d22d6c2d1a191c50f5ee6720e3f1f2db0063787dbbb4b40fa80933ea4365
SHA512 18d899a08cd5565fde4d21f963cf46f7dbffc3062cbb15054becf5ed16c7a445047a7b4db0283992b19677ff5da816ac657cf2e8ad8bb118a056c000bc35434c

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat

MD5 cf8b32b602fa7bc484a03a930a8d2375
SHA1 1fc78bc1ed022f94dbd655cd5e2a190684e95f31
SHA256 a5754221e1df6a36a5f54d23cab6258f8db2fa14abd3956d6654ab927e26504d
SHA512 e3f54423eacf8be23cb20fa202a236be37fda255af4421b9d3523c7c83a16c5eda022b57ee57f7ee753eb2d39843149a3a0c499196e0b2f113f9cd74f4e4c7d8