Malware Analysis Report

2024-10-19 07:00

Sample ID 240620-vxv6gsyfma
Target 082e7df418d0867bbb5f8ed37e1f9b1c_JaffaCakes118
SHA256 dc0e8b5d7ab1dfc366eee9850ca1d0dcc72e08a15cee40393cefd32845fd2c8f
Tags: modiloader trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

dc0e8b5d7ab1dfc366eee9850ca1d0dcc72e08a15cee40393cefd32845fd2c8f

Threat Level: Known bad

The file 082e7df418d0867bbb5f8ed37e1f9b1c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

Modiloader family

ModiLoader, DBatLoader

ModiLoader Second Stage

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-20 17:22

Signatures

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modiloader family

modiloader

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 17:22

Reported

2024-06-20 17:25

Platform

win7-20240508-en

Max time kernel

122s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\082e7df418d0867bbb5f8ed37e1f9b1c_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\YServer.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\YServer.exe | C:\Users\Admin\AppData\Local\Temp\082e7df418d0867bbb5f8ed37e1f9b1c_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\YServer.exe | C:\Users\Admin\AppData\Local\Temp\082e7df418d0867bbb5f8ed37e1f9b1c_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\YServer.exe_ | C:\Windows\SysWOW64\YServer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\YServer.exe_ | C:\Windows\SysWOW64\YServer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\YServer.exe | C:\Windows\SysWOW64\YServer.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\082e7df418d0867bbb5f8ed37e1f9b1c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\082e7df418d0867bbb5f8ed37e1f9b1c_JaffaCakes118.exe"

C:\Windows\SysWOW64\YServer.exe

C:\Windows\SysWOW64\YServer.exe -Service

Network

N/A

Files

memory/1612-1-0x00000000004E0000-0x00000000004E1000-memory.dmp

C:\Windows\SysWOW64\YServer.exe

MD5 082e7df418d0867bbb5f8ed37e1f9b1c
SHA1 17230df7e3c2177570724ca1e339121fa244c797
SHA256 dc0e8b5d7ab1dfc366eee9850ca1d0dcc72e08a15cee40393cefd32845fd2c8f
SHA512 0c98edd2fbc4e4cc93ee28ffc8d1f3b46b1dfdeb6cfc339353cbde7c93391ad9581cb1da46c0d56eb8e2d46fecfdeee9a78cc124f968b699972d7de5c2932380

memory/2888-13-0x0000000000400000-0x00000000004DE000-memory.dmp

memory/1612-14-0x0000000000400000-0x00000000004DE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 17:22

Reported

2024-06-20 17:25

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\082e7df418d0867bbb5f8ed37e1f9b1c_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\YServer.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\YServer.exe | C:\Users\Admin\AppData\Local\Temp\082e7df418d0867bbb5f8ed37e1f9b1c_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\YServer.exe | C:\Users\Admin\AppData\Local\Temp\082e7df418d0867bbb5f8ed37e1f9b1c_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\YServer.exe_ | C:\Windows\SysWOW64\YServer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\YServer.exe_ | C:\Windows\SysWOW64\YServer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\YServer.exe | C:\Windows\SysWOW64\YServer.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\082e7df418d0867bbb5f8ed37e1f9b1c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\082e7df418d0867bbb5f8ed37e1f9b1c_JaffaCakes118.exe"

C:\Windows\SysWOW64\YServer.exe

C:\Windows\SysWOW64\YServer.exe -Service

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

memory/708-0-0x00000000006A0000-0x00000000006A1000-memory.dmp

C:\Windows\SysWOW64\YServer.exe

MD5 082e7df418d0867bbb5f8ed37e1f9b1c
SHA1 17230df7e3c2177570724ca1e339121fa244c797
SHA256 dc0e8b5d7ab1dfc366eee9850ca1d0dcc72e08a15cee40393cefd32845fd2c8f
SHA512 0c98edd2fbc4e4cc93ee28ffc8d1f3b46b1dfdeb6cfc339353cbde7c93391ad9581cb1da46c0d56eb8e2d46fecfdeee9a78cc124f968b699972d7de5c2932380

memory/2064-9-0x0000000000F00000-0x0000000000F01000-memory.dmp

memory/2064-14-0x0000000000400000-0x00000000004DE000-memory.dmp

memory/708-15-0x0000000000400000-0x00000000004DE000-memory.dmp