Malware Analysis Report

2024-10-23 19:32

Sample ID 240620-21efgawbpj
Target 09f9e19317c180f9ca5234665494d27e_JaffaCakes118
SHA256 4083cfd7c4e71a102705336eff734b1caff36ffebc0e8121d22e6f58707d1fa7
Tags
modiloader persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4083cfd7c4e71a102705336eff734b1caff36ffebc0e8121d22e6f58707d1fa7

Threat Level: Known bad

The file 09f9e19317c180f9ca5234665494d27e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader persistence trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Modiloader family

ModiLoader Second Stage

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

NTFS ADS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 23:02

Signatures

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Modiloader family

modiloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 23:02

Reported

2024-06-20 23:05

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe
Target: N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\smaka.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PARTY_~1.EXE N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\smaka.EXE
Target: N/A

Enumerates physical storage devices

NTFS ADS

Description: File opened for modification
Indicator: C:\Users\Admin\AppData\Local\Temp\OLE1EmbedStrm.wav:Zone.Identifier
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PARTY_~1.EXE
Target: N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PARTY_~1.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\smaka.EXE

"C:\Users\Admin\AppData\Local\Temp\smaka.EXE"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PARTY_~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PARTY_~1.EXE

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\smaka.EXE

MD5 ae6af24501520d8e9e069cf6e85fb87a
SHA1 58168f1960c0c8b3110e5e1d682ce9d00a1b17f4
SHA256 da0a0ab047599de47b204359f9ffe81b307025ff53c233efeac32d4841a2ad60
SHA512 a8817db8cbbd86adce2083110fd54faef28ccd1786417f493b3a8f8e6b6a2ed5340b5458c186f638e6d416359589924b29f479facc06ee1f838b456b4fb23ee5

memory/856-11-0x0000000000400000-0x00000000004F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PARTY_~1.EXE

MD5 c1fff78ef0e5f8ff82e69247f52b331e
SHA1 a0ce4d4bbdb9b373be725832952215196ff962fd
SHA256 ef3b48ce5b56ce1cbaa0b3a3cdf6be8c81aca6be10adafb5ea3f2c39893d811b
SHA512 a5733383a2ab84b4cf46cbb10c422bcdc498053f8b394a672ba669f7dfa128e2f673dee7f90b1da074651e400a761bda9340453d9136bdb3c3f3f53083bd4731

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 23:02

Reported

2024-06-20 23:05

Platform

win7-20240419-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\smaka.EXE N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PARTY_~1.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\smaka.EXE
Target: N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PARTY_~1.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\09f9e19317c180f9ca5234665494d27e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\smaka.EXE

"C:\Users\Admin\AppData\Local\Temp\smaka.EXE"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PARTY_~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PARTY_~1.EXE

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\smaka.EXE

MD5 ae6af24501520d8e9e069cf6e85fb87a
SHA1 58168f1960c0c8b3110e5e1d682ce9d00a1b17f4
SHA256 da0a0ab047599de47b204359f9ffe81b307025ff53c233efeac32d4841a2ad60
SHA512 a8817db8cbbd86adce2083110fd54faef28ccd1786417f493b3a8f8e6b6a2ed5340b5458c186f638e6d416359589924b29f479facc06ee1f838b456b4fb23ee5

memory/1884-5-0x0000000000400000-0x00000000004F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PARTY_~1.EXE

MD5 c1fff78ef0e5f8ff82e69247f52b331e
SHA1 a0ce4d4bbdb9b373be725832952215196ff962fd
SHA256 ef3b48ce5b56ce1cbaa0b3a3cdf6be8c81aca6be10adafb5ea3f2c39893d811b
SHA512 a5733383a2ab84b4cf46cbb10c422bcdc498053f8b394a672ba669f7dfa128e2f673dee7f90b1da074651e400a761bda9340453d9136bdb3c3f3f53083bd4731