Analysis Overview
SHA256
cdf6f848d8c68b8b521f675a8129292b120d08c8673ebd3619ad230a388a84cb
Threat Level: Known bad
The file 091c5a964683ba62f38ef111aacd1d49_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
ModiLoader Second Stage
Modiloader family
ModiLoader, DBatLoader
ModiLoader Second Stage
Executes dropped EXE
Checks computer location settings
UPX packed file
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 19:30
Signatures
ModiLoader Second Stage
Modiloader family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 19:30
Reported
2024-06-20 19:33
Platform
win7-20240611-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\fin32.exe | N/A |
| N/A | N/A | C:\Windows\fin32.exe | N/A |
| N/A | N/A | C:\Windows\ykl32.exe | N/A |
| N/A | N/A | C:\Windows\ykl32.exe | N/A |
| N/A | N/A | C:\Windows\amr32.exe | N/A |
| N/A | N/A | C:\Windows\amr32.exe | N/A |
UPX packed file
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\fin32.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1904 set thread context of 2624 | N/A | C:\Windows\fin32.exe | C:\Windows\fin32.exe |
| PID 2716 set thread context of 2808 | N/A | C:\Windows\ykl32.exe | C:\Windows\ykl32.exe |
| PID 2488 set thread context of 2536 | N/A | C:\Windows\amr32.exe | C:\Windows\amr32.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\ykl32.exe | C:\Users\Admin\AppData\Local\Temp\091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | N/A |
| File created | C:\Windows\gls.fdn | C:\Windows\ykl32.exe | N/A |
| File created | C:\Windows\amr32.exe | C:\Users\Admin\AppData\Local\Temp\091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | N/A |
| File created | C:\Windows\hrk.klo | C:\Windows\amr32.exe | N/A |
| File created | C:\Windows\fin32.exe | C:\Users\Admin\AppData\Local\Temp\091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | N/A |
| File created | C:\Windows\hms.atr | C:\Windows\fin32.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\amr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe" |
| C:\Windows\fin32.exe | "C:\Windows\fin32.exe" /stext hms.atr |
| C:\Windows\fin32.exe | C:\Windows\fin32.exe /stext hms.atr |
| C:\Windows\ykl32.exe | "C:\Windows\ykl32.exe" /stext gls.fdn |
| C:\Windows\ykl32.exe | C:\Windows\ykl32.exe /stext gls.fdn |
| C:\Windows\amr32.exe | "C:\Windows\amr32.exe" /stext hrk.klo |
| C:\Windows\amr32.exe | C:\Windows\amr32.exe /stext hrk.klo |
Network
Files
C:\Windows\fin32.exe
| Hash | Value |
| --- | --- |
| MD5 | 133c173c5c95ec572e015990029387c3 |
| SHA1 | 3686180e408b7a83f693b4146eed84ae684b03a5 |
| SHA256 | 8a85ab91faf309c8001ee265bc724df1319e58d3af3ed789616b512d6a92eab2 |
| SHA512 | 19d04dde12dada208edc03383ddeaa2e545cd2b430fa1a534d2dd7ac545fedbcdd3e9f240e3228ea3d006e7740e7e301703dc76e8e05f3c59ad23d8271fce412 |
C:\Windows\ykl32.exe
| Hash | Value |
| --- | --- |
| MD5 | a32a77d444987c6b39b13d90223b6932 |
| SHA1 | 678257eabad39b317b70d1f91ee67689e20d2729 |
| SHA256 | d1001a99f08c511dd35aab4ad1cfcc3d546ac8d880d66cd2e19d8963e26a10f9 |
| SHA512 | f5248e0877c4ffc87449e14d6e757a86af33ce940b1a3cdbd4e9696072e5cc3ed5c45e9093ce618e7011f6089c86b8ebfa19e15a18fe0b15386a604d27c55378 |
C:\Windows\amr32.exe
| Hash | Value |
| --- | --- |
| MD5 | e9914753824f503e700ec74e219077f7 |
| SHA1 | de4b97da5f4e6a804398553f33a23d03feee1a42 |
| SHA256 | 91814933cf6d7937616e776ecba937ca6a50d3c2e3fe332df12eb600592111e1 |
| SHA512 | 30cf6d57f2abe05eb38b34156daaae5e8a9a85a91cfaf5b42b9b527c0d942e876e551b86413b1d0394ad73fcc6e6d91236746c81d0adc32f0f3467c42b2c48bc |
C:\Windows\hrk.klo
| Hash | Value |
| --- | --- |
| MD5 | 42c1b96169d8cd79c7695b9129edd52b |
| SHA1 | a6195eb8b78f870fd3d3cdce3fa7e5d71fe62b1c |
| SHA256 | 43ec39067fe86e4a4dd31a11038325899d97cfc7287153a7d39851df29e14580 |
| SHA512 | 1ca280355f6d7c782d0b57a3c6ee2b515959cea720b1a1771e699250184637c8369c165300e9b33676f18bff852bdf6aced1c564aff41c4965428a2e9136a202 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 19:30
Reported
2024-06-20 19:33
Platform
win10v2004-20240611-en
Max time kernel
139s
Max time network
123s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\fin32.exe | N/A |
| N/A | N/A | C:\Windows\fin32.exe | N/A |
| N/A | N/A | C:\Windows\ykl32.exe | N/A |
| N/A | N/A | C:\Windows\ykl32.exe | N/A |
| N/A | N/A | C:\Windows\amr32.exe | N/A |
| N/A | N/A | C:\Windows\amr32.exe | N/A |
UPX packed file
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\fin32.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2552 set thread context of 6012 | N/A | C:\Windows\fin32.exe | C:\Windows\fin32.exe |
| PID 4216 set thread context of 3888 | N/A | C:\Windows\ykl32.exe | C:\Windows\ykl32.exe |
| PID 1772 set thread context of 5724 | N/A | C:\Windows\amr32.exe | C:\Windows\amr32.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\ykl32.exe | C:\Users\Admin\AppData\Local\Temp\091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | N/A |
| File created | C:\Windows\gls.fdn | C:\Windows\ykl32.exe | N/A |
| File created | C:\Windows\amr32.exe | C:\Users\Admin\AppData\Local\Temp\091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | N/A |
| File created | C:\Windows\hrk.klo | C:\Windows\amr32.exe | N/A |
| File created | C:\Windows\fin32.exe | C:\Users\Admin\AppData\Local\Temp\091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | N/A |
| File created | C:\Windows\hms.atr | C:\Windows\fin32.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\amr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\091c5a964683ba62f38ef111aacd1d49_JaffaCakes118.exe" |
| C:\Windows\fin32.exe | "C:\Windows\fin32.exe" /stext hms.atr |
| C:\Windows\fin32.exe | C:\Windows\fin32.exe /stext hms.atr |
| C:\Windows\ykl32.exe | "C:\Windows\ykl32.exe" /stext gls.fdn |
| C:\Windows\ykl32.exe | C:\Windows\ykl32.exe /stext gls.fdn |
| C:\Windows\amr32.exe | "C:\Windows\amr32.exe" /stext hrk.klo |
| C:\Windows\amr32.exe | C:\Windows\amr32.exe /stext hrk.klo |
Network
Files
C:\Windows\fin32.exe
| Hash | Value |
| --- | --- |
| MD5 | 133c173c5c95ec572e015990029387c3 |
| SHA1 | 3686180e408b7a83f693b4146eed84ae684b03a5 |
| SHA256 | 8a85ab91faf309c8001ee265bc724df1319e58d3af3ed789616b512d6a92eab2 |
| SHA512 | 19d04dde12dada208edc03383ddeaa2e545cd2b430fa1a534d2dd7ac545fedbcdd3e9f240e3228ea3d006e7740e7e301703dc76e8e05f3c59ad23d8271fce412 |
C:\Windows\ykl32.exe
| Hash | Value |
| --- | --- |
| MD5 | a32a77d444987c6b39b13d90223b6932 |
| SHA1 | 678257eabad39b317b70d1f91ee67689e20d2729 |
| SHA256 | d1001a99f08c511dd35aab4ad1cfcc3d546ac8d880d66cd2e19d8963e26a10f9 |
| SHA512 | f5248e0877c4ffc87449e14d6e757a86af33ce940b1a3cdbd4e9696072e5cc3ed5c45e9093ce618e7011f6089c86b8ebfa19e15a18fe0b15386a604d27c55378 |
C:\Windows\amr32.exe
| Hash | Value |
| --- | --- |
| MD5 | e9914753824f503e700ec74e219077f7 |
| SHA1 | de4b97da5f4e6a804398553f33a23d03feee1a42 |
| SHA256 | 91814933cf6d7937616e776ecba937ca6a50d3c2e3fe332df12eb600592111e1 |
| SHA512 | 30cf6d57f2abe05eb38b34156daaae5e8a9a85a91cfaf5b42b9b527c0d942e876e551b86413b1d0394ad73fcc6e6d91236746c81d0adc32f0f3467c42b2c48bc |
C:\Windows\hrk.klo
| Hash | Value |
| --- | --- |
| MD5 | a81b01be24a2782876a193c0e63c7f12 |
| SHA1 | a626a5b87b24a956dbd99977795995b6bbb88d74 |
| SHA256 | 7724a27024ecaf8e7fea4e1e3fb54902d87e4c4af5395fb9836433d596f4f41a |
| SHA512 | ea2bffb38c29806182ab24a7d8b55270fcc68a729e44b0767f6bd3dd8823bb8b7767561873c49b5eaab5446f63e7081e9525f6388f8b525c3aed04b6154f53bd |