Malware Analysis Report

2024-10-23 19:31

Sample ID 240620-12bwastcpl
Target 09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118
SHA256 44f7f0b048b37ccde8b257eeca4156e96aee9e3e8b43ad0a23de8215c46459e2
Tags
modiloader trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

44f7f0b048b37ccde8b257eeca4156e96aee9e3e8b43ad0a23de8215c46459e2

Threat Level: Known bad

The file 09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Program crash

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 22:08

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 22:08

Reported

2024-06-20 22:10

Platform

win7-20240419-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\System.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\System.exe | C:\Users\Admin\AppData\Local\Temp\09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\System.exe | C:\Users\Admin\AppData\Local\Temp\09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe"

C:\Program Files\Common Files\Microsoft Shared\MSINFO\System.exe

"C:\Program Files\Common Files\Microsoft Shared\MSINFO\System.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 304

Network

N/A

Files

memory/2012-0-0x0000000000400000-0x00000000007BF000-memory.dmp

memory/2012-1-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2012-2-0x00000000003A0000-0x00000000003F4000-memory.dmp

memory/2012-18-0x0000000003640000-0x0000000003641000-memory.dmp

memory/2012-17-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2012-16-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2012-15-0x0000000003670000-0x0000000003671000-memory.dmp

memory/2012-14-0x0000000003720000-0x0000000003721000-memory.dmp

memory/2012-13-0x0000000003620000-0x0000000003623000-memory.dmp

memory/2012-12-0x0000000003630000-0x0000000003631000-memory.dmp

memory/2012-11-0x0000000002270000-0x0000000002271000-memory.dmp

memory/2012-10-0x00000000026D0000-0x00000000026D1000-memory.dmp

memory/2012-9-0x00000000026A0000-0x00000000026A1000-memory.dmp

memory/2012-8-0x00000000026B0000-0x00000000026B1000-memory.dmp

memory/2012-7-0x0000000002250000-0x0000000002251000-memory.dmp

memory/2012-6-0x0000000002260000-0x0000000002261000-memory.dmp

memory/2012-5-0x00000000026C0000-0x00000000026C1000-memory.dmp

memory/2012-4-0x0000000002280000-0x0000000002281000-memory.dmp

memory/2012-3-0x0000000002690000-0x0000000002691000-memory.dmp

\Program Files\Common Files\Microsoft Shared\MSInfo\System.exe

MD5 09b08ef9cc21337e994d034e0d89fcb9
SHA1 e0bdb668fc9641aabf48084b09b8f8e88cef1043
SHA256 44f7f0b048b37ccde8b257eeca4156e96aee9e3e8b43ad0a23de8215c46459e2
SHA512 b8f68263167f57ba33844618f8ef754b3c81a5cc8c57b3a3c64e69b474714ac42b07e8dda0e66eaa23a21210943df27d266191d0acf00bd3dce82ec9619e1b92

memory/2764-30-0x0000000000400000-0x00000000007BF000-memory.dmp

memory/2012-29-0x0000000004960000-0x0000000004D1F000-memory.dmp

memory/2012-28-0x0000000004960000-0x0000000004D1F000-memory.dmp

memory/2012-34-0x0000000000400000-0x00000000007BF000-memory.dmp

memory/2012-35-0x00000000003A0000-0x00000000003F4000-memory.dmp

memory/2764-36-0x0000000000400000-0x00000000007BF000-memory.dmp

memory/2012-37-0x0000000000400000-0x00000000007BF000-memory.dmp

memory/2012-38-0x00000000003A0000-0x00000000003F4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 22:08

Reported

2024-06-20 22:10

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\System.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1952 set thread context of 1068 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\System.exe | C:\program files\internet explorer\IEXPLORE.EXE

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\System.exe | C:\Users\Admin\AppData\Local\Temp\09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\System.exe | C:\Users\Admin\AppData\Local\Temp\09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9BAF9002-2F51-11EF-9519-FEF50CB5D633} = "0" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425083181" | C:\program files\internet explorer\IEXPLORE.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\program files\internet explorer\IEXPLORE.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2112 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\System.exe
PID 2112 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\System.exe
PID 2112 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\System.exe
PID 1952 wrote to memory of 1068 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\System.exe | C:\program files\internet explorer\IEXPLORE.EXE
PID 1952 wrote to memory of 1068 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\System.exe | C:\program files\internet explorer\IEXPLORE.EXE
PID 1952 wrote to memory of 1068 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\System.exe | C:\program files\internet explorer\IEXPLORE.EXE
PID 1952 wrote to memory of 1068 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\System.exe | C:\program files\internet explorer\IEXPLORE.EXE
PID 1068 wrote to memory of 3404 | N/A | C:\program files\internet explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1068 wrote to memory of 3404 | N/A | C:\program files\internet explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1068 wrote to memory of 3404 | N/A | C:\program files\internet explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\09b08ef9cc21337e994d034e0d89fcb9_JaffaCakes118.exe"

C:\Program Files\Common Files\Microsoft Shared\MSINFO\System.exe

"C:\Program Files\Common Files\Microsoft Shared\MSINFO\System.exe"

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1068 CREDAT:17410 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.bing.com | udp

Files

memory/2112-1-0x0000000002520000-0x0000000002521000-memory.dmp

memory/2112-0-0x0000000000400000-0x00000000007BF000-memory.dmp

memory/2112-2-0x0000000002580000-0x00000000025D4000-memory.dmp

memory/2112-6-0x0000000002670000-0x0000000002671000-memory.dmp

memory/2112-18-0x0000000003860000-0x0000000003861000-memory.dmp

memory/2112-17-0x0000000003860000-0x0000000003861000-memory.dmp

memory/2112-16-0x0000000003860000-0x0000000003861000-memory.dmp

memory/2112-15-0x0000000003860000-0x0000000003861000-memory.dmp

memory/2112-14-0x0000000003860000-0x0000000003861000-memory.dmp

memory/2112-19-0x00000000037B0000-0x00000000037B1000-memory.dmp

memory/2112-21-0x0000000002530000-0x0000000002531000-memory.dmp

memory/2112-22-0x0000000003780000-0x0000000003781000-memory.dmp

memory/2112-20-0x0000000002520000-0x0000000002521000-memory.dmp

memory/2112-13-0x0000000003760000-0x0000000003763000-memory.dmp

memory/2112-12-0x0000000003770000-0x0000000003771000-memory.dmp

memory/2112-11-0x0000000002680000-0x0000000002681000-memory.dmp

memory/2112-10-0x0000000002800000-0x0000000002801000-memory.dmp

memory/2112-9-0x00000000027D0000-0x00000000027D1000-memory.dmp

memory/2112-8-0x00000000027E0000-0x00000000027E1000-memory.dmp

memory/2112-7-0x0000000002660000-0x0000000002661000-memory.dmp

memory/2112-5-0x00000000027F0000-0x00000000027F1000-memory.dmp

memory/2112-4-0x0000000002690000-0x0000000002691000-memory.dmp

memory/2112-3-0x00000000026B0000-0x00000000026B1000-memory.dmp

C:\Program Files\Common Files\microsoft shared\MSInfo\System.exe

MD5 09b08ef9cc21337e994d034e0d89fcb9
SHA1 e0bdb668fc9641aabf48084b09b8f8e88cef1043
SHA256 44f7f0b048b37ccde8b257eeca4156e96aee9e3e8b43ad0a23de8215c46459e2
SHA512 b8f68263167f57ba33844618f8ef754b3c81a5cc8c57b3a3c64e69b474714ac42b07e8dda0e66eaa23a21210943df27d266191d0acf00bd3dce82ec9619e1b92

memory/2112-28-0x0000000000400000-0x00000000007BF000-memory.dmp

memory/1952-29-0x0000000000400000-0x00000000007BF000-memory.dmp

memory/1068-30-0x00000000002B0000-0x000000000066F000-memory.dmp

memory/1952-32-0x0000000000400000-0x00000000007BF000-memory.dmp

memory/2112-31-0x0000000002580000-0x00000000025D4000-memory.dmp

memory/2112-33-0x0000000000400000-0x00000000007BF000-memory.dmp