Analysis Overview
SHA256
7c77d08316b5c698b66bff9640a79f32a1a4ef142c2965a996771baae9b7783f
Threat Level: Known bad
The file 07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
ModiLoader, DBatLoader
ModiLoader Second Stage
Deletes itself
UPX packed file
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-20 15:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 15:00
Reported
2024-06-20 15:02
Platform
win7-20240508-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\netservice.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\netservice.exe | C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\netservice.exe | C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\netservice.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\netservice.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe"
C:\Windows\SysWOW64\netservice.exe
C:\Windows\SysWOW64\netservice.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
"svchost.exe"
Network
Files
C:\Windows\SysWOW64\netservice.exe
| Hash | Value |
| --- | --- |
| MD5 | 07116ec4a84de6a40d1463edd99a80ff |
| SHA1 | b2915fc118e71f39befe7faa12c3ca3c58ebd540 |
| SHA256 | 7c77d08316b5c698b66bff9640a79f32a1a4ef142c2965a996771baae9b7783f |
| SHA512 | 590ce3a26b667427b01121833da2408a8924cb2fdf24cf170b685c9c9e28732b27b960cbf073e7ddca9c3c7162f7a8504e59c5bb7d4584eaa0459de24330d998 |
memory/2912-7-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/2460-13-0x0000000013140000-0x0000000013171000-memory.dmp
memory/2912-12-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2912-4-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2096-3-0x0000000010410000-0x000000001046D000-memory.dmp
memory/2912-207-0x0000000010410000-0x000000001046D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 15:00
Reported
2024-06-20 15:02
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\netservice.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\netservice.exe | C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\netservice.exe | C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\netservice.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\netservice.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe"
C:\Windows\SysWOW64\netservice.exe
C:\Windows\SysWOW64\netservice.exe
C:\Windows\SysWOW64\svchost.exe
"svchost.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\07116ec4a84de6a40d1463edd99a80ff_JaffaCakes118.exe"
Network
Files
C:\Windows\SysWOW64\netservice.exe
| Hash | Value |
| --- | --- |
| MD5 | 07116ec4a84de6a40d1463edd99a80ff |
| SHA1 | b2915fc118e71f39befe7faa12c3ca3c58ebd540 |
| SHA256 | 7c77d08316b5c698b66bff9640a79f32a1a4ef142c2965a996771baae9b7783f |
| SHA512 | 590ce3a26b667427b01121833da2408a8924cb2fdf24cf170b685c9c9e28732b27b960cbf073e7ddca9c3c7162f7a8504e59c5bb7d4584eaa0459de24330d998 |
memory/376-4-0x0000000010410000-0x000000001046D000-memory.dmp
memory/4392-6-0x0000000000C10000-0x0000000000C11000-memory.dmp
memory/4952-11-0x0000000013140000-0x0000000013171000-memory.dmp
memory/4392-5-0x0000000000B50000-0x0000000000B51000-memory.dmp
memory/376-43-0x0000000010410000-0x000000001046D000-memory.dmp
memory/4392-46-0x0000000003FE0000-0x0000000003FE1000-memory.dmp
memory/4392-47-0x0000000010410000-0x000000001046D000-memory.dmp
memory/4392-48-0x0000000010410000-0x000000001046D000-memory.dmp
memory/4392-49-0x0000000010410000-0x000000001046D000-memory.dmp
memory/4392-63-0x0000000010410000-0x000000001046D000-memory.dmp
memory/376-64-0x0000000013140000-0x0000000013171000-memory.dmp