Malware Analysis Report

2024-10-19 07:00

Sample ID: 240620-s3wcbsvepb
Target: 0760147f732c272dac755b5a411b85ba_JaffaCakes118
SHA256: 26758e119a2c083476f27c2538a8dec2dfdfaee4de0d9ca7dd5f08dfe23e544c
Tags: modiloader trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 26758e119a2c083476f27c2538a8dec2dfdfaee4de0d9ca7dd5f08dfe23e544c

Threat Level: Known bad

The file 0760147f732c272dac755b5a411b85ba_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: modiloader trojan

ModiLoader Second Stage

Modiloader family

ModiLoader, DBatLoader

Drops file in System32 directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-20 15:39

Signatures

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modiloader family

Tags: modiloader

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-20 15:39
Reported: 2024-06-20 15:42
Platform: win7-20240419-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0760147f732c272dac755b5a411b85ba_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

Tags: trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\FNTemper.exe | C:\Users\Admin\AppData\Local\Temp\0760147f732c272dac755b5a411b85ba_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\advpacck.dll | C:\Users\Admin\AppData\Local\Temp\0760147f732c272dac755b5a411b85ba_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\advpacck.dll | C:\Users\Admin\AppData\Local\Temp\0760147f732c272dac755b5a411b85ba_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\FNTemper.exe | C:\Users\Admin\AppData\Local\Temp\0760147f732c272dac755b5a411b85ba_JaffaCakes118.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0760147f732c272dac755b5a411b85ba_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0760147f732c272dac755b5a411b85ba_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0760147f732c272dac755b5a411b85ba_JaffaCakes118.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.libraryk.com | udp

Files

memory/2320-6-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2320-7-0x0000000000400000-0x0000000000467000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-20 15:39
Reported: 2024-06-20 15:42
Platform: win10v2004-20240508-en
Max time kernel: 125s
Max time network: 141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0760147f732c272dac755b5a411b85ba_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

Tags: trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\advpacck.dll | C:\Users\Admin\AppData\Local\Temp\0760147f732c272dac755b5a411b85ba_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\FNTemper.exe | C:\Users\Admin\AppData\Local\Temp\0760147f732c272dac755b5a411b85ba_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\FNTemper.exe | C:\Users\Admin\AppData\Local\Temp\0760147f732c272dac755b5a411b85ba_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\advpacck.dll | C:\Users\Admin\AppData\Local\Temp\0760147f732c272dac755b5a411b85ba_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0760147f732c272dac755b5a411b85ba_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0760147f732c272dac755b5a411b85ba_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3704,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=4192 /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.libraryk.com | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp

Files

memory/4308-6-0x0000000002200000-0x0000000002201000-memory.dmp

memory/4308-7-0x0000000000400000-0x0000000000467000-memory.dmp