Malware Analysis Report

2024-10-23 19:32

Sample ID: 240620-2rdsksvgjk
Target: 09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118
SHA256: 0a127eb252be79162eb8dd92b000d4a5ec3420d2a2995e33e5847a1b07b27be6
Tags: modiloader trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 0a127eb252be79162eb8dd92b000d4a5ec3420d2a2995e33e5847a1b07b27be6

Threat Level: Known bad

The file 09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Deletes itself

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-20 22:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-20 22:48

Reported: 2024-06-20 22:51

Platform: win7-20240508-en

Max time kernel: 119s

Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\zp.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\zp.exe C:\Users\Admin\AppData\Local\Temp\09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\zp.exe C:\Users\Admin\AppData\Local\Temp\09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\zp.exe C:\Windows\SysWOW64\zp.exe N/A
File created C:\Windows\SysWOW64\SetupDel.bat C:\Users\Admin\AppData\Local\Temp\09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1232 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118.exe C:\Windows\SysWOW64\zp.exe
PID 1232 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118.exe C:\Windows\SysWOW64\zp.exe
PID 1232 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118.exe C:\Windows\SysWOW64\zp.exe
PID 1232 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118.exe C:\Windows\SysWOW64\zp.exe
PID 1232 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118.exe"

C:\Windows\SysWOW64\zp.exe

C:\Windows\system32\zp.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Windows\system32\SetupDel.bat

Network

N/A

Files

memory/1232-1-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/1232-4-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/1232-5-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/1232-3-0x000000000054E000-0x0000000000594000-memory.dmp

memory/1232-2-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/1232-6-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/1232-7-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/1232-8-0x0000000000400000-0x00000000005DB000-memory.dmp

\Windows\SysWOW64\zp.exe

MD5 09ece6119a134cb32145ae3c6e75cb1e
SHA1 9f59e48647457d5dd1e2abe21fc2cc4c92b22e1a
SHA256 0a127eb252be79162eb8dd92b000d4a5ec3420d2a2995e33e5847a1b07b27be6
SHA512 f9191c8149a624e56cd1512073ff2eb7a11bed81566863679c59750df19207ff1820a372164f0e3849080bc6150060ebdb6ae30b487366cf17ed66d192f72a80

memory/1232-12-0x00000000031D0000-0x00000000033AB000-memory.dmp

memory/1232-21-0x00000000031D0000-0x00000000033AB000-memory.dmp

memory/2348-26-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/2348-25-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/2348-24-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/2348-23-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/2348-22-0x0000000000400000-0x00000000005DB000-memory.dmp

C:\Windows\SysWOW64\SetupDel.bat

MD5 c1f70305b3b1f3895e9229d6778bad56
SHA1 d9c38cf2cf79bcdbc6d2a1507af0403a68308af1
SHA256 fd81ddfe71d07d972e6bf1e50676114f362c0863f9ffd674ef1ed84598ef1a9f
SHA512 b1313d5f8fe26937f5fea7bc3237fc36c79b9fc995a5f92af2ff1df83430126e864317624b3ae651b7133f29ff22cc2047aee65d1ebee1dce01477afaa635a71

memory/2348-37-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/1232-39-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/2348-27-0x0000000000400000-0x00000000005DB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-20 22:48

Reported: 2024-06-20 22:51

Platform: win10v2004-20240226-en

Max time kernel: 141s

Max time network: 159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\zp.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\SetupDel.bat C:\Users\Admin\AppData\Local\Temp\09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\zp.exe C:\Users\Admin\AppData\Local\Temp\09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\zp.exe C:\Users\Admin\AppData\Local\Temp\09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\zp.exe C:\Windows\SysWOW64\zp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\09ece6119a134cb32145ae3c6e75cb1e_JaffaCakes118.exe"

C:\Windows\SysWOW64\zp.exe

C:\Windows\system32\zp.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\system32\SetupDel.bat

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3920 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 142.250.178.10:443 tcp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 209.80.50.20.in-addr.arpa udp

Files

memory/4444-0-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/4444-1-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/4444-3-0x000000000054E000-0x0000000000594000-memory.dmp

memory/4444-4-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/4444-5-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/4444-6-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/4444-7-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/4444-8-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/4444-11-0x0000000000400000-0x00000000005DB000-memory.dmp

C:\Windows\SysWOW64\zp.exe

MD5 09ece6119a134cb32145ae3c6e75cb1e
SHA1 9f59e48647457d5dd1e2abe21fc2cc4c92b22e1a
SHA256 0a127eb252be79162eb8dd92b000d4a5ec3420d2a2995e33e5847a1b07b27be6
SHA512 f9191c8149a624e56cd1512073ff2eb7a11bed81566863679c59750df19207ff1820a372164f0e3849080bc6150060ebdb6ae30b487366cf17ed66d192f72a80

memory/4444-16-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/1568-19-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/1568-18-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/1568-20-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/1568-21-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/4444-22-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/1568-23-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/4444-27-0x0000000000400000-0x00000000005DB000-memory.dmp

C:\Windows\SysWOW64\SetupDel.bat

MD5 c1f70305b3b1f3895e9229d6778bad56
SHA1 d9c38cf2cf79bcdbc6d2a1507af0403a68308af1
SHA256 fd81ddfe71d07d972e6bf1e50676114f362c0863f9ffd674ef1ed84598ef1a9f
SHA512 b1313d5f8fe26937f5fea7bc3237fc36c79b9fc995a5f92af2ff1df83430126e864317624b3ae651b7133f29ff22cc2047aee65d1ebee1dce01477afaa635a71