Malware Analysis Report

2024-10-23 19:32

Sample ID 240620-1xhs2sygna
Target 09a503f7b57e4914b42d3e93c7f2dcc4_JaffaCakes118
SHA256 4585a83befe0a27607fc8a05c7776bdf165a9e60b8b15b7fe2fee74fa4353fb2
Tags
modiloader trojan
score
10/10

Analysis Overview

score
10/10

SHA256

4585a83befe0a27607fc8a05c7776bdf165a9e60b8b15b7fe2fee74fa4353fb2

Threat Level: Known bad

The file 09a503f7b57e4914b42d3e93c7f2dcc4_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Deletes itself

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-20 22:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 22:01

Reported

2024-06-20 22:04

Platform

win7-20240611-en

Max time kernel

141s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09a503f7b57e4914b42d3e93c7f2dcc4_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\_rejoice51.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe N/A
File opened for modification C:\Windows\SysWOW64\_rejoice51.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2788 set thread context of 2072 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe C:\Windows\SysWOW64\calc.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe C:\Users\Admin\AppData\Local\Temp\09a503f7b57e4914b42d3e93c7f2dcc4_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe C:\Users\Admin\AppData\Local\Temp\09a503f7b57e4914b42d3e93c7f2dcc4_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat C:\Users\Admin\AppData\Local\Temp\09a503f7b57e4914b42d3e93c7f2dcc4_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1412 wrote to memory of 2788 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\09a503f7b57e4914b42d3e93c7f2dcc4_JaffaCakes118.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe
PID 2788 wrote to memory of 2072 (6 events) N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe C:\Windows\SysWOW64\calc.exe
PID 2788 wrote to memory of 2784 (4 events) N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe C:\Windows\SysWOW64\WerFault.exe
PID 1412 wrote to memory of 3012 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\09a503f7b57e4914b42d3e93c7f2dcc4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\09a503f7b57e4914b42d3e93c7f2dcc4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\09a503f7b57e4914b42d3e93c7f2dcc4_JaffaCakes118.exe"

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe

"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe"

C:\Windows\SysWOW64\calc.exe

"C:\Windows\system32\calc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 300

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""

Network

N/A

Files

\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice51.exe

MD5 09a503f7b57e4914b42d3e93c7f2dcc4
SHA1 297bd886a5bf37912c9a76813ca5ad0ba9087ee0
SHA256 4585a83befe0a27607fc8a05c7776bdf165a9e60b8b15b7fe2fee74fa4353fb2
SHA512 7750fc23f9403d9a3dd535b746e63435ca39d73e75954c7863ead62b5c2b81d074057e42128dfab1e7dccfacd4633c647aa8da140dbc4a453857b18331f34d18

C:\Program Files\Common Files\Microsoft Shared\MSInfo\Delet.bat

MD5 9d57fae662a7f18c972ba3039d8f8f34
SHA1 9a46e3a59264331f869ed5ffba1a88780dedad7c
SHA256 6e5a934124fa469c8a61cb6be68486d49a9d3029db006adb5980016a9e3fc5e1
SHA512 af2c18eadee6178562b2f6a06630c0710a7c6918ced766c48ee3274a51b1b8454cd8d0961a616154151f388f147b6f72033bccfd57afcf327a0a58de14dd375b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 22:01

Reported

2024-06-20 22:04

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09a503f7b57e4914b42d3e93c7f2dcc4_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\_rejoice51.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe N/A
File opened for modification C:\Windows\SysWOW64\_rejoice51.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe C:\Users\Admin\AppData\Local\Temp\09a503f7b57e4914b42d3e93c7f2dcc4_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe C:\Users\Admin\AppData\Local\Temp\09a503f7b57e4914b42d3e93c7f2dcc4_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat C:\Users\Admin\AppData\Local\Temp\09a503f7b57e4914b42d3e93c7f2dcc4_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\09a503f7b57e4914b42d3e93c7f2dcc4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\09a503f7b57e4914b42d3e93c7f2dcc4_JaffaCakes118.exe"

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe

"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe"

C:\Windows\SysWOW64\calc.exe

"C:\Windows\system32\calc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5040 -ip 5040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 692

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""

Network

Files

C:\Program Files\Common Files\microsoft shared\MSInfo\rejoice51.exe

MD5 09a503f7b57e4914b42d3e93c7f2dcc4
SHA1 297bd886a5bf37912c9a76813ca5ad0ba9087ee0
SHA256 4585a83befe0a27607fc8a05c7776bdf165a9e60b8b15b7fe2fee74fa4353fb2
SHA512 7750fc23f9403d9a3dd535b746e63435ca39d73e75954c7863ead62b5c2b81d074057e42128dfab1e7dccfacd4633c647aa8da140dbc4a453857b18331f34d18

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat

MD5 9d57fae662a7f18c972ba3039d8f8f34
SHA1 9a46e3a59264331f869ed5ffba1a88780dedad7c
SHA256 6e5a934124fa469c8a61cb6be68486d49a9d3029db006adb5980016a9e3fc5e1
SHA512 af2c18eadee6178562b2f6a06630c0710a7c6918ced766c48ee3274a51b1b8454cd8d0961a616154151f388f147b6f72033bccfd57afcf327a0a58de14dd375b