Analysis Overview
SHA256
4f2fa7465b436705948981e5d7857513c41246750ac01bc06d5298193f328f71
Threat Level: Known bad
The file 0971d66032eea65229912a66a407f0f4_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
ModiLoader, DBatLoader
ModiLoader Second Stage
Drops file in Drivers directory
Executes dropped EXE
Loads dropped DLL
Drops file in Program Files directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-20 21:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 21:27
Reported
2024-06-20 21:30
Platform
win7-20240611-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\drivers\sysdt.sys | C:\Users\Admin\AppData\Local\Temp\0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tempdir.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt | C:\Users\Admin\AppData\Local\Temp\tempdir.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\tempdir.exe
C:\Users\Admin\AppData\Local\Temp\tempdir.exe
C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
Network
Files
memory/1696-0-0x0000000000400000-0x0000000000460000-memory.dmp
\Users\Admin\AppData\Local\Temp\tempdir.exe
| MD5 | e93b9cb0d9258820eb108889327d1284 |
| SHA1 | 5384059f00d378aabf9bd5082d100f75ca442cbf |
| SHA256 | 450ecac14e98b43be31d8672d0f48bf3ebc2dfd3a7edfc8bb80629bf3b1139e5 |
| SHA512 | 8677067371868f3ba509d1322748c78baa0207b3918c7513dc11ec39987cecc1f564ed79e8fd07559a378c847ac3742ef66e89c042f97f25338b63d20210c6a8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 21:27
Reported
2024-06-20 21:30
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\drivers\sysdt.sys | C:\Users\Admin\AppData\Local\Temp\0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tempdir.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt | C:\Users\Admin\AppData\Local\Temp\tempdir.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4924 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\tempdir.exe |
| PID 4924 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\tempdir.exe |
| PID 4924 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\tempdir.exe |
| PID 4796 wrote to memory of 3192 | N/A | C:\Users\Admin\AppData\Local\Temp\tempdir.exe | C:\program files\internet explorer\IEXPLORE.EXE |
| PID 4796 wrote to memory of 3192 | N/A | C:\Users\Admin\AppData\Local\Temp\tempdir.exe | C:\program files\internet explorer\IEXPLORE.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0971d66032eea65229912a66a407f0f4_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\tempdir.exe
C:\Users\Admin\AppData\Local\Temp\tempdir.exe
C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tempdir.exe
| MD5 | e93b9cb0d9258820eb108889327d1284 |
| SHA1 | 5384059f00d378aabf9bd5082d100f75ca442cbf |
| SHA256 | 450ecac14e98b43be31d8672d0f48bf3ebc2dfd3a7edfc8bb80629bf3b1139e5 |
| SHA512 | 8677067371868f3ba509d1322748c78baa0207b3918c7513dc11ec39987cecc1f564ed79e8fd07559a378c847ac3742ef66e89c042f97f25338b63d20210c6a8 |