Analysis Overview
SHA256
dc0e8b5d7ab1dfc366eee9850ca1d0dcc72e08a15cee40393cefd32845fd2c8f
Threat Level: Known bad
The file 082e7df418d0867bbb5f8ed37e1f9b1c_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modiloader family
ModiLoader, DBatLoader
ModiLoader Second Stage
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-20 17:22
Signatures
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Modiloader family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 17:22
Reported
2024-06-20 17:25
Platform
win7-20240508-en
Max time kernel
122s
Max time network
122s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\YServer.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\YServer.exe | C:\Users\Admin\AppData\Local\Temp\082e7df418d0867bbb5f8ed37e1f9b1c_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\YServer.exe | C:\Users\Admin\AppData\Local\Temp\082e7df418d0867bbb5f8ed37e1f9b1c_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\YServer.exe_ | C:\Windows\SysWOW64\YServer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\YServer.exe_ | C:\Windows\SysWOW64\YServer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\YServer.exe | C:\Windows\SysWOW64\YServer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\082e7df418d0867bbb5f8ed37e1f9b1c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\082e7df418d0867bbb5f8ed37e1f9b1c_JaffaCakes118.exe"
C:\Windows\SysWOW64\YServer.exe
C:\Windows\SysWOW64\YServer.exe -Service
Network
Files
memory/1612-1-0x00000000004E0000-0x00000000004E1000-memory.dmp
C:\Windows\SysWOW64\YServer.exe
| Hash | Value |
| --- | --- |
| MD5 | 082e7df418d0867bbb5f8ed37e1f9b1c |
| SHA1 | 17230df7e3c2177570724ca1e339121fa244c797 |
| SHA256 | dc0e8b5d7ab1dfc366eee9850ca1d0dcc72e08a15cee40393cefd32845fd2c8f |
| SHA512 | 0c98edd2fbc4e4cc93ee28ffc8d1f3b46b1dfdeb6cfc339353cbde7c93391ad9581cb1da46c0d56eb8e2d46fecfdeee9a78cc124f968b699972d7de5c2932380 |
memory/2888-13-0x0000000000400000-0x00000000004DE000-memory.dmp
memory/1612-14-0x0000000000400000-0x00000000004DE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 17:22
Reported
2024-06-20 17:25
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\YServer.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\YServer.exe | C:\Users\Admin\AppData\Local\Temp\082e7df418d0867bbb5f8ed37e1f9b1c_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\YServer.exe | C:\Users\Admin\AppData\Local\Temp\082e7df418d0867bbb5f8ed37e1f9b1c_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\YServer.exe_ | C:\Windows\SysWOW64\YServer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\YServer.exe_ | C:\Windows\SysWOW64\YServer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\YServer.exe | C:\Windows\SysWOW64\YServer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\082e7df418d0867bbb5f8ed37e1f9b1c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\082e7df418d0867bbb5f8ed37e1f9b1c_JaffaCakes118.exe"
C:\Windows\SysWOW64\YServer.exe
C:\Windows\SysWOW64\YServer.exe -Service
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/708-0-0x00000000006A0000-0x00000000006A1000-memory.dmp
C:\Windows\SysWOW64\YServer.exe
| Hash | Value |
| --- | --- |
| MD5 | 082e7df418d0867bbb5f8ed37e1f9b1c |
| SHA1 | 17230df7e3c2177570724ca1e339121fa244c797 |
| SHA256 | dc0e8b5d7ab1dfc366eee9850ca1d0dcc72e08a15cee40393cefd32845fd2c8f |
| SHA512 | 0c98edd2fbc4e4cc93ee28ffc8d1f3b46b1dfdeb6cfc339353cbde7c93391ad9581cb1da46c0d56eb8e2d46fecfdeee9a78cc124f968b699972d7de5c2932380 |
memory/2064-9-0x0000000000F00000-0x0000000000F01000-memory.dmp
memory/2064-14-0x0000000000400000-0x00000000004DE000-memory.dmp
memory/708-15-0x0000000000400000-0x00000000004DE000-memory.dmp