Malware Analysis Report

2024-10-23 19:32

Sample ID 240620-x2jz5axfnq
Target 090bf041fbb31425823c2e199f3159b7_JaffaCakes118
SHA256 6dc6a809f9a9a218145caf8831f92852c57cba114ba5f3ad0ae65c3328aec76f
Tags
modiloader trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

6dc6a809f9a9a218145caf8831f92852c57cba114ba5f3ad0ae65c3328aec76f

Threat Level: Known bad

The file 090bf041fbb31425823c2e199f3159b7_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: modiloader trojan

Signatures:
    ModiLoader Second Stage
    Modiloader family
    ModiLoader, DBatLoader
    Loads dropped DLL
    Suspicious use of SetThreadContext
    Unsigned PE
    Suspicious use of WriteProcessMemory
    Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-20 19:20

Signatures

ModiLoader Second Stage

    Description: N/A | Indicator: N/A | Process: N/A | Target: N/A

Modiloader family

modiloader

Unsigned PE

    Description: N/A | Indicator: N/A | Process: N/A | Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 19:20

Reported

2024-06-20 19:23

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

    Description: N/A | Indicator: N/A | Process: N/A | Target: N/A
    Description: N/A | Indicator: N/A | Process: N/A | Target: N/A

Loads dropped DLL

    Description: N/A | Indicator: N/A | Process: C:\Users\Admin\AppData\Local\Temp\090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe | Target: N/A

Suspicious use of SetWindowsHookEx

    Description: N/A | Indicator: N/A | Process: C:\Users\Admin\AppData\Local\Temp\090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe | Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\kacir.dll

MD5 65b9130324abd8c5a802f5422fa60e88
SHA1 ca6590f37882e0752544cd2e7160d0c968fb9935
SHA256 b36c754d154ba74bafa17ae971010cd1b0eb979a1a766333776c05b5920eb95f
SHA512 7fefe2f732bb64a956508e5b94ac88cb86ac37bfb9f7d2b21bbd9e5a924a3455afd7e2405c9d7a8531ee1517272a93ca54334c02f66a8935a9edc9a5133c1359

memory/2384-3-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2896-8-0x0000000010000000-0x000000001002B000-memory.dmp

memory/2384-10-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2384-7-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2384-5-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2384-13-0x0000000000400000-0x000000000041D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 19:20

Reported

2024-06-20 19:23

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

    Description: N/A | Indicator: N/A | Process: N/A | Target: N/A
    Description: N/A | Indicator: N/A | Process: N/A | Target: N/A

Suspicious use of SetWindowsHookEx

    Description: N/A | Indicator: N/A | Process: C:\Users\Admin\AppData\Local\Temp\090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe | Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\090bf041fbb31425823c2e199f3159b7_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\kacir.dll

MD5 65b9130324abd8c5a802f5422fa60e88
SHA1 ca6590f37882e0752544cd2e7160d0c968fb9935
SHA256 b36c754d154ba74bafa17ae971010cd1b0eb979a1a766333776c05b5920eb95f
SHA512 7fefe2f732bb64a956508e5b94ac88cb86ac37bfb9f7d2b21bbd9e5a924a3455afd7e2405c9d7a8531ee1517272a93ca54334c02f66a8935a9edc9a5133c1359

memory/1472-6-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1576-8-0x0000000010000000-0x000000001002B000-memory.dmp

memory/1472-9-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1472-12-0x0000000000400000-0x000000000041D000-memory.dmp