Analysis Overview
SHA256
03691a29229b13311064b1244ed3f15236410d0e073d854bda6e568f74788cd7
Threat Level: Known bad
The file 088f96da0ea3e133d21f7a688343cb55_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
ModiLoader, DBatLoader
ModiLoader Second Stage
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-20 18:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 18:15
Reported
2024-06-20 18:17
Platform
win7-20231129-en
Max time kernel
140s
Max time network
118s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\61538 PM.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\FieleWay.txt | C:\61538 PM.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\61538 PM.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\61538 PM.exe | N/A |

(21 identical events recorded for this process.)
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\088f96da0ea3e133d21f7a688343cb55_JaffaCakes118.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\088f96da0ea3e133d21f7a688343cb55_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\61538 PM.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\61538 PM.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\61538 PM.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\61538 PM.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\61538 PM.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\088f96da0ea3e133d21f7a688343cb55_JaffaCakes118.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\088f96da0ea3e133d21f7a688343cb55_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\088f96da0ea3e133d21f7a688343cb55_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Windows\system32\wininit.exe | wininit.exe |
| C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\services.exe | C:\Windows\system32\services.exe |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork |
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation |
| C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe |
| C:\Users\Admin\AppData\Local\Temp\088f96da0ea3e133d21f7a688343cb55_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\088f96da0ea3e133d21f7a688343cb55_JaffaCakes118.exe" |
| C:\61538 PM.exe | "C:\61538 PM.exe" |
Network
Files
C:\61538 PM.exe
| Hash | Value |
|---|---|
| MD5 | f79e3f6362341b72df91556204bf96f4 |
| SHA1 | a685ed0d50e847f0170c6f312c38894695564450 |
| SHA256 | 80420bcb88bf82c7add9e7418662f558d70a090347cc4ad3ab0af5a6f5b3a09c |
| SHA512 | 28b7994a80baa3d03a91002a73ef13ec47f6b4c919a85ba113a524717e0e28af396d1c1f74b14aaf823717539bffb1e09206814b9438ae5313939b9232cf8024 |
memory/1684-8-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1696-11-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/1684-10-0x0000000002AC0000-0x0000000002B82000-memory.dmp
memory/1684-9-0x0000000002AC0000-0x0000000002B82000-memory.dmp
memory/1696-16-0x0000000000330000-0x0000000000331000-memory.dmp
memory/1696-15-0x00000000779EF000-0x00000000779F0000-memory.dmp
memory/1696-14-0x00000000779F0000-0x00000000779F1000-memory.dmp
memory/1696-18-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/1684-21-0x0000000002AC0000-0x0000000002B82000-memory.dmp
memory/1684-29-0x000000007EFA0000-0x000000007EFA7000-memory.dmp
memory/1684-28-0x0000000000400000-0x000000000040A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 18:15
Reported
2024-06-20 18:17
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
151s
Command Line
Signatures
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\088f96da0ea3e133d21f7a688343cb55_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\088f96da0ea3e133d21f7a688343cb55_JaffaCakes118.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |