Malware Analysis Report

2024-08-06 14:20

Sample ID 240619-z8fmdswhjl
Target 008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118
SHA256 d0410fd3d546c16e89ad8216993a0a5a8a58da2f7cf909125f5109f649b81619
Tags modiloader trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 d0410fd3d546c16e89ad8216993a0a5a8a58da2f7cf909125f5109f649b81619

Threat Level: Known bad

The file 008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

ModiLoader Second Stage

Modiloader family

ModiLoader, DBatLoader

ModiLoader Second Stage

Loads dropped DLL

Deletes itself

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-19 21:23

Signatures

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modiloader family

modiloader

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 21:23

Reported

2024-06-19 21:25

Platform

win7-20240221-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\conim.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\conim.exe | C:\Users\Admin\AppData\Local\Temp\008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\conim.exe | C:\Users\Admin\AppData\Local\Temp\008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\conim.exe | C:\Windows\SysWOW64\conim.exe | N/A
File created | C:\Windows\SysWOW64\DaverDel.bat | C:\Users\Admin\AppData\Local\Temp\008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe"

C:\Windows\SysWOW64\conim.exe

C:\Windows\system32\conim.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Windows\system32\DaverDel.bat

Network

N/A

Files

\Windows\SysWOW64\conim.exe

MD5 008ffcd20d2f024ec73058b2e7c11845
SHA1 58edd707567361a9f4976333ab79217be2e7fddf
SHA256 d0410fd3d546c16e89ad8216993a0a5a8a58da2f7cf909125f5109f649b81619
SHA512 c47d2a23cb2350f5b5d4c405da21e2032720278ddf197f2cd3c2420b137cc3869b6881aa964c200056a1df88fe8a7e73bda72b4a5740ed4060ca97af90d01060

memory/1932-10-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Windows\SysWOW64\DaverDel.bat

MD5 e2182b9e278e633a1d7da8d0d95965e9
SHA1 94bc5bbf7f427ff0f0882cc7d8a4724edf86f65b
SHA256 e27df7423e8d71555c1ceffe646d2358b634bc2d220398a46bd254964dcc60cb
SHA512 033371656ed018e5930ea1d7134d9af4ff461a74aa26a54a3230c253fc28bced40ae1675956bed8d0df378bb32bf7f24f1f4f9ecc5cee43fdae3d0f2ca9fff00

memory/2752-18-0x0000000000400000-0x00000000004B4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 21:23

Reported

2024-06-19 21:25

Platform

win10v2004-20240611-en

Max time kernel

139s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\conim.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\conim.exe | C:\Windows\SysWOW64\conim.exe | N/A
File created | C:\Windows\SysWOW64\DaverDel.bat | C:\Users\Admin\AppData\Local\Temp\008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\conim.exe | C:\Users\Admin\AppData\Local\Temp\008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\conim.exe | C:\Users\Admin\AppData\Local\Temp\008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\008ffcd20d2f024ec73058b2e7c11845_JaffaCakes118.exe"

C:\Windows\SysWOW64\conim.exe

C:\Windows\system32\conim.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\system32\DaverDel.bat

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3684,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=4140 /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp
BE | 23.41.178.98:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 98.178.41.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp

Files

C:\Windows\SysWOW64\conim.exe

MD5 008ffcd20d2f024ec73058b2e7c11845
SHA1 58edd707567361a9f4976333ab79217be2e7fddf
SHA256 d0410fd3d546c16e89ad8216993a0a5a8a58da2f7cf909125f5109f649b81619
SHA512 c47d2a23cb2350f5b5d4c405da21e2032720278ddf197f2cd3c2420b137cc3869b6881aa964c200056a1df88fe8a7e73bda72b4a5740ed4060ca97af90d01060

memory/3736-6-0x0000000000400000-0x00000000004B4000-memory.dmp

memory/4208-8-0x0000000000400000-0x00000000004B4000-memory.dmp

C:\Windows\SysWOW64\DaverDel.bat

MD5 e2182b9e278e633a1d7da8d0d95965e9
SHA1 94bc5bbf7f427ff0f0882cc7d8a4724edf86f65b
SHA256 e27df7423e8d71555c1ceffe646d2358b634bc2d220398a46bd254964dcc60cb
SHA512 033371656ed018e5930ea1d7134d9af4ff461a74aa26a54a3230c253fc28bced40ae1675956bed8d0df378bb32bf7f24f1f4f9ecc5cee43fdae3d0f2ca9fff00