Malware Analysis Report

2024-08-06 14:18

Sample ID 240619-z2npes1hng
Target 00847a86f1a44be5289bb40835a2691a_JaffaCakes118
SHA256 19406ad720fb45336138b85ee6c86fcdd27890ac3ffc814228a2bbe1d1d79d11
Tags
modiloader trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

19406ad720fb45336138b85ee6c86fcdd27890ac3ffc814228a2bbe1d1d79d11

Threat Level: Known bad

The file 00847a86f1a44be5289bb40835a2691a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

Modiloader family

ModiLoader, DBatLoader

ModiLoader Second Stage

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 21:12

Signatures

ModiLoader Second Stage

(match recorded without indicator, process or target details)

Modiloader family

modiloader

Unsigned PE

(match recorded without indicator, process or target details)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 21:12

Reported

2024-06-19 21:15

Platform

win7-20240221-en

Max time kernel

133s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

(two matches recorded; neither carries indicator, process or target details)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2528 set thread context of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe | C:\program files\internet explorer\IEXPLORE.EXE

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\FieleWay.txt | C:\Users\Admin\AppData\Local\Temp\00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe | N/A

Modifies Internet Explorer settings

adware spyware
Note: every row below is written by IEXPLORE.EXE itself (window placement, recovery, zoom, DomainSuggestion, WindowsSearch), which is the browser's normal housekeeping after the sample launched it; none of the rows touches proxy, start page or security-zone settings, so the "adware spyware" tags should not be read as a configuration change made by this sample.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B4279031-2E80-11EF-AB07-4AE872E97954} = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424993446" C:\program files\internet explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\program files\internet explorer\IEXPLORE.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe"

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2772-1-0x0000000000060000-0x000000000011C000-memory.dmp

memory/2528-2-0x0000000000400000-0x00000000004BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab3F93.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar4074.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 172504ed9cbb2c8cb99ee7f2418bf32e
SHA1 15770f09af497a6fa5192debaf7f78c29e47c246
SHA256 32c5731c410ddfadb025f8e9fa70ac9127cef254567ff441284cb451a5ea497f
SHA512 2c08c666b71c180d01c347e723905bd4081dc6c45c8385d3565f58075929b5c4e0c9e709dcba2b8e5ecb6c82383918797cf4e62f05d9a9ff498cdaa83d7ddce1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 526ad3e6ef02fc4843b66eabfe1efd0d
SHA1 fc4cf3f5930ca732262b3d9d5261874d9b56755c
SHA256 679152e1f52b0ea98af96de4437391b7112f00dbd6a80f13b5dc10a244dd5ce4
SHA512 63727032387ca0c787cd68cf514847c88bccd6f754b839979b864171c5595ee8a9ec34080a32ebd1f65e289d40b0e7caaca71bd9e93bb3383d356b3c0cf4aa11

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b2c8e3a71ba42cff40ed79a176d9d59
SHA1 87aceeffa94996b0216fc4bf7bba5b82e1bb4d88
SHA256 f1cb74e50e4856d5516a902c2a7c6c9aa1998a0a922d3e89c42e1518c60a9c93
SHA512 b7d445db8239efaf3198968e9dfcc84abe4f03a9bce7ce125a1b3ff719c3a4824659ce272717a9f94f77b05cbaec0fc966f9c1b9f4d5ad0be23505126e80ddfb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bbcb3c8922aa7dc1288349bbcd5fa259
SHA1 fd9ab2cb76592be6475889ec17a3ce1db6c89b1a
SHA256 d0884cf560a93fe26b128bacafaacc32328b9de37da7c4f48ac7f91d34ace85b
SHA512 f46608102322c0a9a716eaaff3fa223034036c0724ba88cb9c047bdc3baa6020e7bf5be25b47311d06dc8f2e1e1076cd13941db7eb31805fd6dbec4063e19162

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b8ec96c8a3704239280f7fe9e48dcd0
SHA1 e658bbd0c76901977c69ef41a89079aba099fa9a
SHA256 c0110a4d6fc07988509e645e8ad15f7fd1141b8f813295509c4c98993593603c
SHA512 f37ed947cadab36d8451fda385d9c7c3993e727ba2e811b049e9b573214f9fe1ca45fec326743f188a88198c668deba9308266a9ed07053aa5a25148793eb022

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f7eeba7a8e7b4304aa7a2a6b0410959c
SHA1 1e51a168e420aaee7554332d830c2b171c85d1c6
SHA256 90d74d3da4f031550efa38b23aef7f6018a2f5a84f601f937c133151cd3f4f14
SHA512 feef93b68aa9017fc829cee4152ee2938749344ea13270e627e22d4cf8d165197e7d2fae381f334e8f1e84a35fcb1faf5880e1f2e0ad7d562e3d72cf73a1d379

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 761476c8d0a6c4aa4ed82eb9326727e1
SHA1 1d9034e7283dffdc6a0af354c5948fb6ea7fc0a9
SHA256 26855586e638227e7f92fb33d044af4aa5f40d853f8d657ab4c289baa76cbf0b
SHA512 fc5fe183c8cac3b90dfe27461fafab9a86a7e79320133c4c9f3c4834d77fbf7929b044c0c4bbfb09a45d6f088b4502314f6fa807aab8e735b0f2c724f5b17d9f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a8ae2a59cbfb74f7af37b0f37016115
SHA1 c95b577a2fe7e1787297ba08fc11c66f25cf0c1f
SHA256 a3399d94caed1c11bebc0850f6e3b9814d5967ad839bd828bc90a7b38502d3ad
SHA512 f26443e139f1179cb0a7710105f8bb7bc3bb7769dad2dc8d51e33ab723a7e9d496cdb6757aeb281901bc3c5c6020b3a74c8683a53bb149e9ac1479825e76e2f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3c541405078a2a315b385db9805f7903
SHA1 30baf141702ad224ecf72194486ca1bddb374768
SHA256 74740cd541ee1837c54ca12513dba48b6af24f9827ba0511405854d0e0aa4fb7
SHA512 ed4b72ca17c85fb2b0bdc2ebef541e176951a188b0e3828ee8b8b16bf0ae3ca4b4c7f6f4dda2250ca1a5598a5cefcf1ccf1571553b880488f6b28428104cfe2d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 012150326ca8a1a8280eda34f29f8cba
SHA1 d771b9474ac758920f39846003bbe80bb0750045
SHA256 8930d274317672339a6cb6854c76df87c85b0e955cb6dabd2756bcea7412b005
SHA512 52674b19cac0ae12220f1f9404fe08a00ab7223d64b6091247690c4194d9062b93aa64bc10709f75492aa7384f003fb6cd0868c3303452fbc4b0b0c22d3db6be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 01f8898fca2c9a1d8e80d584ff9d85fe
SHA1 cd0748a65f2523344c5aaff741748efbb6fada71
SHA256 9aba327177dfe4b798ce96a19e4534c84ed1d1907d478740d76365e3210ad204
SHA512 a15c3e1ee170e3d1516ca11d1e02b0b69b928cc345401c65dad91e3aee1142f36ca37e09de920ccdfede5a1de6ec82f0d4373f728f5450529d34133b3563cd9b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 02524e668b7ef2ba19ea478430704a4d
SHA1 91067990a3d87fa274b34b5460488b5b352faf65
SHA256 877622253d26bed2bcf38c68662ca6491df68343b58f2308672d1808191e29cc
SHA512 a12b36eef71e9dbfe09c8143ce668d8b0559c344a9adfe07f777c7bb13355c5d6285ad4b720698dc604ed1fd40f19c6e95c7595340bf515540db8ba3908eade7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a56e1af3eec8ace245b92cf327cee494
SHA1 05f0eb45c6d51695e815bb39bd24ac0a1250d601
SHA256 78241779e1b89c9eeb301a321489e3816878b27335eb266566e86af12aa3397a
SHA512 57bf78c1f2e262fb83e0fd2fbdcf3da999d71b523acc84f4d99f8e950713e0c10bf513fcac3a91ce7961d650ed7ed95deeeb6d42e8a08ff4946ada844e11c746

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b6f559ecc57cc33c3151576620cc630
SHA1 176d30dfe74f86bd53e98ea630653abd5ddf95a0
SHA256 805f7e9a5897e323e4f49e36981724bd8d6c79e05e2c78df36c0a528bac288d0
SHA512 2dca0dd37304f6748049e7844c0ce9f49a7e1daa51eec98e06346578d5c2ff58e7a32a9b7ef08f85512be281eaaaf7799c5ad1be7beef41fafcd839a841d54c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4566aebcb73dd4e683a0900e06bfc5bb
SHA1 89edae409ccb87bec39e75aa274150d62d1620e7
SHA256 3d695dd7782bb7d0a94e74a35c8fe31e43403f040935efd02258dae26d51526a
SHA512 037d95e77a51112b460a092966a88c8fceef965a91aed7d76b5dd123c6affd8404f0cee1740d7899ab27ff59e8974d696a0ffb13ac658b261d9021b3fd33131b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a3ab2dc1384b82c73bb453b65de8eef7
SHA1 f204c8820b4b0b872ffcb2e4502492916555af39
SHA256 f09fa2aa90848cb881ce8fa6d0b1dd86f52c6874e594c716166692f0329e61fb
SHA512 bb999b6cd9083d71a3ca520fdc6749cf7475c5f7d374c866f90a8d27ebbca15c772435f5e7952c1a36dafbdb979b24da9fb0757875fdb34154d04cc9290d66cb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8330734289e799418c28785e15b8e7ec
SHA1 56ccdb3ac5bf2e8892bc94ea56332fa37d82209c
SHA256 2490b042408c03ac42b9a09b4122e2a11237dcb337808b823a2ef2c85f282c5b
SHA512 25a0b462518aa70402025eadb7ceb74ee5083b27f98d1b99f373e552c12d5df540dbd5e804fb3e102ff3c8b1eade0945280d9cb62a58c27f5bfd88f379929f10

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4c9ca68ff374aa7e5967057ab3ef7c23
SHA1 82797ee4dbf7c9664108f551d9e606a9580ff4c8
SHA256 ded9d1e675b0edc595c700ae5c2ce99770f7168add9b2ea340b2c407e61b9cda
SHA512 47edc7fc8e0b0cf7cdb07c39c831858bd615d023fb3e130f00ed12927fad1088ba7509fea3bb967e5e511a35b74379d5e9051c150648d34998701db8ea32182d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d3e21ab828e2d510706adf673bc266b0
SHA1 579870c032613457ab608d96662ac7a5cd61ef18
SHA256 0c98c344badb73c0ea4081dc8713280a9f57dfdeb11c692325f5ad774bc7f14d
SHA512 8295f35f1ffc27f725ff766197c28118cd32bf6e49f2fbdb8fb457b7a62afae59a4a9a4299bec9ef356c31a3c6b550558f8af218fc5f30df779d2d31c04cd9a7
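
The report records "set thread context" from the sample onto a freshly started IEXPLORE.EXE in both behavioral runs (behavioral1 above, behavioral2 below) but does not itself connect that row to the memory dumps it captured. The following is an added example by the editor, not code from the sandbox or from the ModiLoader/DBatLoader tooling: it takes the SetThreadContext rows, the process command lines and the memory-dump names of the two runs as constructed Python literals, pairs each region dumped from the injected IEXPLORE.EXE with an equally sized region in the sample process, and confirms from the SCODEF:<pid> argument of the x86 tab process that the injected pid is the IE frame process. The "user profile" heuristic, the field names and the Region type are the editor's assumptions.

```python
import re
from dataclasses import dataclass

# Constructed from this report: the "set thread context" rows, the process command lines and the
# memory-dump names of behavioral1 (win7) and behavioral2 (win10). Paths are copied verbatim.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe"
IE_FRAME = r"C:\program files\internet explorer\IEXPLORE.EXE"
IE_TAB = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"

RUNS = {
    "behavioral1": {
        "set_thread_context": [(2528, 2772, SAMPLE, IE_FRAME)],   # (injector pid, target pid, images)
        "command_lines": [f'"{SAMPLE}"', f'"{IE_FRAME}"',
                          f'"{IE_TAB}" SCODEF:2772 CREDAT:275457 /prefetch:2'],
        "dumps": ["memory/2772-1-0x0000000000060000-0x000000000011C000-memory.dmp",
                  "memory/2528-2-0x0000000000400000-0x00000000004BC000-memory.dmp"],
    },
    "behavioral2": {
        "set_thread_context": [(4776, 4948, SAMPLE, IE_FRAME)],
        "command_lines": [f'"{SAMPLE}"', f'"{IE_FRAME}"',
                          f'"{IE_TAB}" SCODEF:4948 CREDAT:17410 /prefetch:2'],
        "dumps": ["memory/4776-0-0x0000000002490000-0x0000000002491000-memory.dmp",
                  "memory/4948-2-0x0000000000C50000-0x0000000000D0C000-memory.dmp",
                  "memory/4776-3-0x0000000000400000-0x00000000004BC000-memory.dmp"],
    },
}

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
SCODEF_RE = re.compile(r"\bSCODEF:(\d+)\b")
PROFILE_PREFIX = "c:\\users\\"   # editor's heuristic: an injector living in a user profile is suspicious


@dataclass(frozen=True)
class Region:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> Region:
    """memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp -> Region (addresses are hex)."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = m.groups()
    return Region(int(pid), int(seq), int(start, 16), int(end, 16))


def frame_pids_from_tab_cmdlines(command_lines) -> set:
    """IE tab processes carry SCODEF:<pid>, the pid of the frame process that spawned them."""
    return {int(m.group(1)) for cl in command_lines for m in SCODEF_RE.finditer(cl)}


def assess_run(run: dict) -> list:
    """One finding per SetThreadContext row, with the dump-size correlation that backs it."""
    by_pid = {}
    for name in run["dumps"]:
        r = parse_dump_name(name)
        by_pid.setdefault(r.pid, []).append(r)
    frame_pids = frame_pids_from_tab_cmdlines(run["command_lines"])
    findings = []
    for inj_pid, tgt_pid, inj_img, tgt_img in run["set_thread_context"]:
        injected = by_pid.get(tgt_pid, [])
        # A region dumped from the target whose size equals a region of the injector is the
        # footprint of a full image being written across (process hollowing); pair them up.
        matched = [i for t in injected for i in by_pid.get(inj_pid, []) if i.size == t.size]
        findings.append({
            "injector_pid": inj_pid,
            "target_pid": tgt_pid,
            "image_mismatch": inj_img.lower().startswith(PROFILE_PREFIX)
                              and not tgt_img.lower().startswith(PROFILE_PREFIX),
            "target_is_ie_frame": tgt_pid in frame_pids,
            "injected_regions": [(t.start, t.end, t.size) for t in injected],
            "size_matched_injector_regions": [(i.start, i.end, i.size) for i in matched],
        })
    return findings


if __name__ == "__main__":
    for run_name, run in RUNS.items():
        for finding in assess_run(run):
            print(run_name, finding)
```

In both runs the region captured from IEXPLORE.EXE is 0xBC000 bytes, exactly the size of the sample's own 0x400000-0x4BC000 image, and the x86 tab's SCODEF value names the injected pid as its frame process. That is the footprint one expects when a loader writes a whole PE image into a process it has just created and then points a thread at it (the page's "Suspicious use of WriteProcessMemory" and "Suspicious use of SetThreadContext" signatures together). What was written is not stated anywhere in the report; answering that needs the memory.dmp files, which this export lists by name only.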

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 21:12

Reported

2024-06-19 21:15

Platform

win10v2004-20240611-en

Max time kernel

140s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

(two matches recorded; neither carries indicator, process or target details)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4776 set thread context of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe | C:\program files\internet explorer\IEXPLORE.EXE

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\FieleWay.txt | C:\Users\Admin\AppData\Local\Temp\00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe | N/A

Modifies Internet Explorer settings

adware spyware
Note: as in the win7 run, every row below is IEXPLORE.EXE's own startup housekeeping (VersionManager, DomainSuggestion, recovery, GPU adapter info); none of them touches proxy, start page or security-zone settings.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31113869" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2300067240" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B4A2C52D-2E80-11EF-86EC-F2F05A85BDCE} = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31113869" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425596553" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2301629933" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2301629933" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Main C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2300067240" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31113869" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\VersionManager C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31113869" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\program files\internet explorer\IEXPLORE.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\00847a86f1a44be5289bb40835a2691a_JaffaCakes118.exe"

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4948 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 23.41.178.82:443 www.bing.com tcp
US 8.8.8.8:53 82.178.41.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

memory/4776-0-0x0000000002490000-0x0000000002491000-memory.dmp

memory/4948-2-0x0000000000C50000-0x0000000000D0C000-memory.dmp

memory/4776-3-0x0000000000400000-0x00000000004BC000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 a20dcdd581a69f44e7dcbeeab5084fb4
SHA1 61e152b89ab8a04af1843bbfee557d193924ec51
SHA256 009768e52ded8da33ac7d96d521e882eef9765278997f2ce47311f637696d9c7
SHA512 77de84bf9c5480e704991bc16d8f555dc10891e3a5a7044fe2b133cc49d20ebb78c68bbdd4c9a4acd8e7424bce28a00bd3651f3b852a2a726f3f879a741cc7ae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 0e519fa6c861ca3f581448ccf547fc36
SHA1 a148f4c7f3f0c5ab2b89a4cb0a711a7d42f19984
SHA256 5bdae3b80bda43457dfb56846b3245c9e135e6c634530fc9f5fd9c0e842895dc
SHA512 a4b7910e9ac99be865054fabf3fe8f3e24f26d4b3454f12656b84b408470dc32e91d3e1b0256853e6a05a332d481bee1e888d3412ac9c7617ed05504867c164a

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verE36B.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GU2A83AM\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
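
Most of the Files and Network rows in both runs are produced by Windows and by the browser the sample started, not by the sample: CryptoAPI's URL cache and Cab/Tar temp files from CRL/CTL fetches, IE's version manager and cache, Bing and ieonline.microsoft.com telemetry, and PTR lookups of peers already contacted. The following is an added example by the editor, not code from the report, that separates that noise from the indicators an analyst would actually carry forward. The file rows, the network rows and the "Drops file in Windows directory" path are copied from the report; the noise patterns, the telemetry suffix list and the output field names are the editor's heuristics and assumptions, not the sandbox's own classification.

```python
import re
from collections import defaultdict

# Constructed from this report: the "Drops file in Windows directory" row, a subset of the "Files"
# entries (path, sha256) and a subset of the network rows of both behavioral runs, copied verbatim.
DROPPED_BY_SAMPLE = [r"C:\Windows\FieleWay.txt"]   # no hash for it appears in either Files section

FILES = [
    (r"C:\Users\Admin\AppData\Local\Temp\Cab3F93.tmp",
     "c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d"),
    (r"C:\Users\Admin\AppData\Local\Temp\Tar4074.tmp",
     "8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8"),
    (r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015",
     "b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f"),
    (r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015",
     "32c5731c410ddfadb025f8e9fa70ac9127cef254567ff441284cb451a5ea497f"),
    (r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015",
     "679152e1f52b0ea98af96de4437391b7112f00dbd6a80f13b5dc10a244dd5ce4"),
    (r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015",
     "f1cb74e50e4856d5516a902c2a7c6c9aa1998a0a922d3e89c42e1518c60a9c93"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verE36B.tmp",
     "557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GU2A83AM\suggestions[1].en-US",
     "c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad"),
]

NETWORK = """\
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
BE 23.41.178.82:443 www.bing.com tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
"""

# Editor's heuristics, not the sandbox's classification: paths Windows or IE writes on its own.
NOISE_PATHS = [
    (re.compile(r"\\CryptnetUrlCache\\", re.I), "CryptoAPI URL cache (CRL/CTL fetch by the OS)"),
    (re.compile(r"\\Temp\\(Cab|Tar)[0-9A-F]{4}\.tmp$", re.I), "CryptoAPI/WinTrust temp extraction"),
    (re.compile(r"\\Internet Explorer\\VersionManager\\", re.I), "IE version manager"),
    (re.compile(r"\\INetCache\\", re.I), "IE browser cache"),
]
TELEMETRY_SUFFIXES = (".microsoft.com", ".bing.com", ".bing.net")   # IE start-page/suggestion hosts
NET_ROW = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<domain>\S+) (?P<proto>tcp|udp)$")


def classify_path(path: str):
    """Label a written path as platform noise, or None if it needs a human look."""
    for rx, label in NOISE_PATHS:
        if rx.search(path):
            return label
    return None


def triage(files, network_text: str, dropped_by_sample) -> dict:
    hashes_by_path, labels, unclassified = defaultdict(set), {}, []
    for path, sha256 in files:
        label = classify_path(path)
        if label is None:
            unclassified.append({"path": path, "sha256": sha256})
        else:
            labels[path] = label
            hashes_by_path[path].add(sha256)
    # The sandbox lists one entry per write; distinct hashes show how many versions hit the path.
    noise_files = {p: {"label": labels[p], "versions": len(h)} for p, h in hashes_by_path.items()}

    captured = {path: sha for path, sha in files}
    sample_artifacts = [{"path": p, "sha256": captured.get(p)} for p in dropped_by_sample]

    candidate_c2, queried_names, reverse_lookups = [], set(), 0
    for line in network_text.splitlines():
        m = NET_ROW.match(line.strip())
        if m is None:
            continue
        row = m.groupdict()
        if row["port"] == "53":
            if row["domain"].endswith(".in-addr.arpa"):
                reverse_lookups += 1          # PTR lookups of peers already contacted
            else:
                queried_names.add(row["domain"])
        elif not row["domain"].lower().endswith(TELEMETRY_SUFFIXES):
            candidate_c2.append(f'{row["ip"]}:{row["port"]} {row["domain"]} ({row["proto"]})')

    return {
        "sample_artifacts": sample_artifacts,
        "noise_files": noise_files,
        "unclassified_files": unclassified,
        "queried_names": sorted(queried_names),
        "reverse_lookups": reverse_lookups,
        "candidate_c2": sorted(set(candidate_c2)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(FILES, NETWORK, DROPPED_BY_SAMPLE), indent=2))
```

Run over the report's rows this leaves one sample-attributable file indicator, C:\Windows\FieleWay.txt, and no non-Microsoft network destination in either run. Two caveats belong with that result. The suffix allowlist is a noise filter, not proof of absence: the network windows were 127 s and 142 s, and a loader that stages its next payload from a legitimate cloud service would pass the same filter. And FieleWay.txt has no hash in either Files section, so its content was not captured; the fact that the write into C:\Windows succeeded at all suggests the sandbox user (the profile is named Admin) could write there, which a non-elevated victim session would not allow.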