Malware Analysis Report

2024-10-19 06:59

Sample ID: 240620-vkctdasejr
Target: 0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118
SHA256: 6a190bcafe9cc319f49062f37afb7ab5cd0abd61b95a7cd027c61edb1c16ba09
Tags: modiloader, trojan
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 6a190bcafe9cc319f49062f37afb7ab5cd0abd61b95a7cd027c61edb1c16ba09
Threat Level: Known bad

The file 0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: modiloader, trojan

- ModiLoader, DBatLoader
- ModiLoader Second Stage
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Unsigned PE
- Program crash
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-20 17:02

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-20 17:02
Reported: 2024-06-20 17:05
Platform: win10v2004-20240508-en
Max time kernel: 79s
Max time network: 88s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

Tags: trojan, modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\explorer.bat | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 528 set thread context of 3036 | N/A | C:\Program Files\explorer.bat | C:\program files\internet explorer\IEXPLORE.EXE

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\explorer.bat | C:\Users\Admin\AppData\Local\Temp\0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\explorer.bat | C:\Users\Admin\AppData\Local\Temp\0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe | N/A
File created | C:\Program Files\SxDel.bat | C:\Users\Admin\AppData\Local\Temp\0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe | N/A

Modifies Internet Explorer settings

Tags: adware, spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425064832" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E2F7D3CC-2F26-11EF-BCA5-C2748A3A93CE} = "0" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\program files\internet explorer\IEXPLORE.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\program files\internet explorer\IEXPLORE.EXE | N/A

Suspicious use of WriteProcessMemory

Identical rows are collapsed; the Events column gives how many times each entry appeared.

Description | Indicator | Process | Target | Events
PID 264 wrote to memory of 528 | N/A | C:\Users\Admin\AppData\Local\Temp\0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe | C:\Program Files\explorer.bat | 3
PID 528 wrote to memory of 3036 | N/A | C:\Program Files\explorer.bat | C:\program files\internet explorer\IEXPLORE.EXE | 4
PID 264 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 3036 wrote to memory of 4964 | N/A | C:\program files\internet explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | 3

Processes

Image path, followed by the command line it was started with:

C:\Users\Admin\AppData\Local\Temp\0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe"

C:\Program Files\explorer.bat
    "C:\Program Files\explorer.bat"

C:\program files\internet explorer\IEXPLORE.EXE
    "C:\program files\internet explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files\SxDel.bat""

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3036 CREDAT:17410 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.bing.com | udp

Files

memory/264-1-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/264-0-0x0000000000400000-0x0000000000553210-memory.dmp
memory/264-2-0x00000000006F0000-0x00000000006F1000-memory.dmp

C:\Program Files\explorer.bat
    MD5: 0804a8a96641c1fdf34a7bace3e631df
    SHA1: b186a9d3fec5a3ce2ff60ae77692baf86d1eecb6
    SHA256: 6a190bcafe9cc319f49062f37afb7ab5cd0abd61b95a7cd027c61edb1c16ba09
    SHA512: f1f97cfc503f0b35d8ab1e069cc948e21536baa701babb319045ad84bec14060e2854477e31fb6dc9146de0ff9ad440822b5f3835acafcd1b4470a5be5c49e6f

memory/528-9-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/528-8-0x0000000000400000-0x0000000000553210-memory.dmp
memory/528-10-0x0000000000810000-0x0000000000811000-memory.dmp
memory/3036-11-0x00000000000D0000-0x0000000000224000-memory.dmp
memory/528-14-0x0000000000400000-0x0000000000553210-memory.dmp
memory/264-15-0x0000000000400000-0x0000000000553210-memory.dmp

C:\Program Files\SxDel.bat
    MD5: cffbdc82ea4f571f35ca41fa2bfa1ff9
    SHA1: 32c6529c26d0843009c1e58f9cea3c02acf39daf
    SHA256: 8676c9c15ec3f311a20f08ea45d4b1b8e9cd8c8207ed881fbb7669a63caf1bb7
    SHA512: 51b4b96d504f03797efd6dc5d1b756f16563fc414d483bc3900f7c8d59abe2e0c307aa888d85d23179dc59fa9720dff23dafe7870de4b096b953ce2142eb9702

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-20 17:02
Reported: 2024-06-20 17:05
Platform: win7-20240508-en
Max time kernel: 117s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

Tags: trojan, modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\explorer.bat | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\explorer.bat | C:\Users\Admin\AppData\Local\Temp\0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\explorer.bat | C:\Users\Admin\AppData\Local\Temp\0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe | N/A
File created | C:\Program Files\SxDel.bat | C:\Users\Admin\AppData\Local\Temp\0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files\explorer.bat

Suspicious use of WriteProcessMemory

Identical rows are collapsed; the Events column gives how many times each entry appeared.

Description | Indicator | Process | Target | Events
PID 1776 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Local\Temp\0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe | C:\Program Files\explorer.bat | 4
PID 2424 wrote to memory of 3036 | N/A | C:\Program Files\explorer.bat | C:\Windows\SysWOW64\WerFault.exe | 4
PID 1776 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe | 4

Processes

Image path, followed by the command line it was started with:

C:\Users\Admin\AppData\Local\Temp\0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0804a8a96641c1fdf34a7bace3e631df_JaffaCakes118.exe"

C:\Program Files\explorer.bat
    "C:\Program Files\explorer.bat"

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 284

C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files\SxDel.bat""

Network

N/A (no network activity recorded)

Files

memory/1776-1-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1776-0-0x0000000000400000-0x0000000000553210-memory.dmp
memory/1776-2-0x0000000000020000-0x0000000000021000-memory.dmp

\Program Files\explorer.bat
    MD5: 0804a8a96641c1fdf34a7bace3e631df
    SHA1: b186a9d3fec5a3ce2ff60ae77692baf86d1eecb6
    SHA256: 6a190bcafe9cc319f49062f37afb7ab5cd0abd61b95a7cd027c61edb1c16ba09
    SHA512: f1f97cfc503f0b35d8ab1e069cc948e21536baa701babb319045ad84bec14060e2854477e31fb6dc9146de0ff9ad440822b5f3835acafcd1b4470a5be5c49e6f

memory/1776-11-0x0000000003110000-0x0000000003264000-memory.dmp
memory/2424-14-0x0000000000400000-0x0000000000553210-memory.dmp
memory/1776-12-0x0000000003110000-0x0000000003264000-memory.dmp
memory/2424-15-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1776-18-0x0000000000400000-0x0000000000553210-memory.dmp
memory/1776-19-0x0000000003110000-0x0000000003264000-memory.dmp
memory/2424-20-0x0000000000400000-0x0000000000553210-memory.dmp

C:\Program Files\SxDel.bat
    MD5: cffbdc82ea4f571f35ca41fa2bfa1ff9
    SHA1: 32c6529c26d0843009c1e58f9cea3c02acf39daf
    SHA256: 8676c9c15ec3f311a20f08ea45d4b1b8e9cd8c8207ed881fbb7669a63caf1bb7
    SHA512: 51b4b96d504f03797efd6dc5d1b756f16563fc414d483bc3900f7c8d59abe2e0c307aa888d85d23179dc59fa9720dff23dafe7870de4b096b953ce2142eb9702

memory/1776-28-0x0000000000400000-0x0000000000553210-memory.dmp