Malware Analysis Report

2024-10-23 19:31

Sample ID 240620-1a75esxfpd
Target 0971d66032eea65229912a66a407f0f4_JaffaCakes118
SHA256 4f2fa7465b436705948981e5d7857513c41246750ac01bc06d5298193f328f71
Tags
modiloader trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4f2fa7465b436705948981e5d7857513c41246750ac01bc06d5298193f328f71

Threat Level: Known bad

The file 0971d66032eea65229912a66a407f0f4_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Drops file in Drivers directory

Executes dropped EXE

Loads dropped DLL

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-20 21:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 21:27

Reported

2024-06-20 21:30

Platform

win7-20240611-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\sysdt.sys C:\Users\Admin\AppData\Local\Temp\0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tempdir.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt C:\Users\Admin\AppData\Local\Temp\tempdir.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\tempdir.exe

C:\Users\Admin\AppData\Local\Temp\tempdir.exe

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

Network

N/A

Files

memory/1696-0-0x0000000000400000-0x0000000000460000-memory.dmp

\Users\Admin\AppData\Local\Temp\tempdir.exe

MD5 e93b9cb0d9258820eb108889327d1284
SHA1 5384059f00d378aabf9bd5082d100f75ca442cbf
SHA256 450ecac14e98b43be31d8672d0f48bf3ebc2dfd3a7edfc8bb80629bf3b1139e5
SHA512 8677067371868f3ba509d1322748c78baa0207b3918c7513dc11ec39987cecc1f564ed79e8fd07559a378c847ac3742ef66e89c042f97f25338b63d20210c6a8

memory/2168-12-0x0000000000400000-0x00000000004B7400-memory.dmp

memory/1696-11-0x0000000001C30000-0x0000000001CE8000-memory.dmp

memory/1696-10-0x0000000001C30000-0x0000000001CE8000-memory.dmp

memory/2168-15-0x0000000000260000-0x0000000000261000-memory.dmp

memory/1696-17-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2168-18-0x0000000000400000-0x00000000004B7400-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 21:27

Reported

2024-06-20 21:30

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\sysdt.sys C:\Users\Admin\AppData\Local\Temp\0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tempdir.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt C:\Users\Admin\AppData\Local\Temp\tempdir.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\tempdir.exe

C:\Users\Admin\AppData\Local\Temp\tempdir.exe

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 88.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\tempdir.exe

MD5 e93b9cb0d9258820eb108889327d1284
SHA1 5384059f00d378aabf9bd5082d100f75ca442cbf
SHA256 450ecac14e98b43be31d8672d0f48bf3ebc2dfd3a7edfc8bb80629bf3b1139e5
SHA512 8677067371868f3ba509d1322748c78baa0207b3918c7513dc11ec39987cecc1f564ed79e8fd07559a378c847ac3742ef66e89c042f97f25338b63d20210c6a8

memory/4924-3-0x0000000000400000-0x0000000000460000-memory.dmp

memory/4796-6-0x0000000000400000-0x00000000004B7400-memory.dmp

memory/4796-8-0x0000000000630000-0x0000000000631000-memory.dmp

memory/4796-9-0x0000000000400000-0x00000000004B7400-memory.dmp