Malware Analysis Report

2024-10-23 19:32

Sample ID: 240620-xmxyfaxalm
Target: 08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118
SHA256: 7659256a8fa1774b74d216bb0f9144ad0d74cdcab9cebcd11175aeb840686570
Tags: modiloader, trojan
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 7659256a8fa1774b74d216bb0f9144ad0d74cdcab9cebcd11175aeb840686570
Threat Level: Known bad

The file 08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: modiloader, trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Loads dropped DLL

Deletes itself

Executes dropped EXE

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-20 18:58

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-20 18:58
Reported: 2024-06-20 19:01
Platform: win7-20240221-en
Max time kernel: 142s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader
Tags: trojan, modiloader

ModiLoader Second Stage

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2012 set thread context of 1956 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Windows\SysWOW64\explorer.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat | C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\_SVCH0ST.EXE | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | N/A
File opened for modification | C:\Windows\_SVCH0ST.EXE | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1740 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE
PID 1740 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE
PID 1740 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE
PID 1740 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE
PID 2012 wrote to memory of 1956 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Windows\SysWOW64\explorer.exe
PID 2012 wrote to memory of 1956 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Windows\SysWOW64\explorer.exe
PID 2012 wrote to memory of 1956 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Windows\SysWOW64\explorer.exe
PID 2012 wrote to memory of 1956 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Windows\SysWOW64\explorer.exe
PID 2012 wrote to memory of 1956 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Windows\SysWOW64\explorer.exe
PID 2012 wrote to memory of 1956 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Windows\SysWOW64\explorer.exe
PID 2012 wrote to memory of 2704 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Windows\SysWOW64\WerFault.exe
PID 2012 wrote to memory of 2704 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Windows\SysWOW64\WerFault.exe
PID 2012 wrote to memory of 2704 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Windows\SysWOW64\WerFault.exe
PID 2012 wrote to memory of 2704 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Windows\SysWOW64\WerFault.exe
PID 1740 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe"
C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | "C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE"
C:\Windows\SysWOW64\explorer.exe | "C:\Windows\system32\explorer.exe"
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 280
C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""

Network

N/A

Files

memory/1740-0-0x0000000000400000-0x0000000000503000-memory.dmp

memory/1740-1-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/1740-2-0x0000000000400000-0x0000000000503000-memory.dmp

memory/1740-3-0x00000000002E0000-0x00000000002E1000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\MSInfo\SVCH0ST.EXE

MD5: 08df5ac7fd3bd42e22bdf272ae0dc510
SHA1: 2308dcf1d2d589bf9f022e032bf9099a22a57733
SHA256: 7659256a8fa1774b74d216bb0f9144ad0d74cdcab9cebcd11175aeb840686570
SHA512: 9d6b3f34bb0c8178c7a3e68f7d968db089d40856c2dfdd77721e418d9af183f699e1467141492bbce612c3d85398308c58cc9c616b8697429ab2ff420dee6750

memory/1740-13-0x00000000021C0000-0x00000000022C3000-memory.dmp

memory/2012-15-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2012-14-0x0000000000400000-0x0000000000503000-memory.dmp

memory/2012-20-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2012-16-0x0000000000400000-0x0000000000503000-memory.dmp

memory/1956-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1956-25-0x0000000000400000-0x0000000000503000-memory.dmp

memory/1740-32-0x0000000000400000-0x0000000000503000-memory.dmp

memory/2012-33-0x0000000000400000-0x0000000000503000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\MSInfo\SgotoDel.bat

MD5: 01f0a9d1f9a695adca7cc5a3aa9162d3
SHA1: 6545471dfd642ad486e768f81f9940d2a63f7a92
SHA256: 93b3c17070812f7f78774b3f4559569b1d74dbe622db22adbebf05a186c1b52f
SHA512: 51d6c1972c7f61907bd4cce13cb1f78a5eea579adc4cfa9cd91a02715bf2b9d7b44844a3ecbb54bd5d92f88cea9b3a062ea65df3cd8f6d7bee7ccbbc61c0b1a9

memory/1740-43-0x0000000000400000-0x0000000000503000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-20 18:58
Reported: 2024-06-20 19:01
Platform: win10v2004-20240508-en
Max time kernel: 51s
Max time network: 51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader
Tags: trojan, modiloader

ModiLoader Second Stage

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 372 set thread context of 3548 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Windows\SysWOW64\explorer.exe
PID 372 set thread context of 3776 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Windows\SysWOW64\svchost.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat | C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\_SVCH0ST.EXE | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | N/A
File opened for modification | C:\Windows\_SVCH0ST.EXE | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5000 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE
PID 5000 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE
PID 5000 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE
PID 372 wrote to memory of 3548 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Windows\SysWOW64\explorer.exe
PID 372 wrote to memory of 3548 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Windows\SysWOW64\explorer.exe
PID 372 wrote to memory of 3548 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Windows\SysWOW64\explorer.exe
PID 372 wrote to memory of 3548 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Windows\SysWOW64\explorer.exe
PID 372 wrote to memory of 3548 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Windows\SysWOW64\explorer.exe
PID 372 wrote to memory of 3776 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Windows\SysWOW64\svchost.exe
PID 372 wrote to memory of 3776 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Windows\SysWOW64\svchost.exe
PID 372 wrote to memory of 3776 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Windows\SysWOW64\svchost.exe
PID 372 wrote to memory of 3776 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Windows\SysWOW64\svchost.exe
PID 372 wrote to memory of 3776 | N/A | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | C:\Windows\SysWOW64\svchost.exe
PID 5000 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\08df5ac7fd3bd42e22bdf272ae0dc510_JaffaCakes118.exe"
C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE | "C:\Program Files\Common Files\Microsoft Shared\MSINFO\SVCH0ST.EXE"
C:\Windows\SysWOW64\explorer.exe | "C:\Windows\system32\explorer.exe"
C:\Windows\SysWOW64\svchost.exe | "C:\Windows\system32\svchost.exe"
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3776 -ip 3776
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3548 -ip 3548
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 12
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 12

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

memory/5000-0-0x0000000000400000-0x0000000000503000-memory.dmp

memory/5000-1-0x00000000006D0000-0x00000000006D1000-memory.dmp

memory/5000-2-0x0000000000400000-0x0000000000503000-memory.dmp

memory/5000-3-0x00000000022B0000-0x00000000022B1000-memory.dmp

C:\Program Files\Common Files\microsoft shared\MSInfo\SVCH0ST.EXE

MD5: 08df5ac7fd3bd42e22bdf272ae0dc510
SHA1: 2308dcf1d2d589bf9f022e032bf9099a22a57733
SHA256: 7659256a8fa1774b74d216bb0f9144ad0d74cdcab9cebcd11175aeb840686570
SHA512: 9d6b3f34bb0c8178c7a3e68f7d968db089d40856c2dfdd77721e418d9af183f699e1467141492bbce612c3d85398308c58cc9c616b8697429ab2ff420dee6750

memory/372-10-0x0000000002270000-0x0000000002271000-memory.dmp

memory/372-9-0x0000000000400000-0x0000000000503000-memory.dmp

memory/372-11-0x0000000000400000-0x0000000000503000-memory.dmp

memory/372-12-0x00000000022B0000-0x00000000022B1000-memory.dmp

memory/3548-15-0x0000000000400000-0x0000000000503000-memory.dmp

memory/3776-17-0x0000000000600000-0x0000000000703000-memory.dmp

memory/372-20-0x0000000000400000-0x0000000000503000-memory.dmp

memory/5000-22-0x0000000000400000-0x0000000000503000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat

MD5: 01f0a9d1f9a695adca7cc5a3aa9162d3
SHA1: 6545471dfd642ad486e768f81f9940d2a63f7a92
SHA256: 93b3c17070812f7f78774b3f4559569b1d74dbe622db22adbebf05a186c1b52f
SHA512: 51d6c1972c7f61907bd4cce13cb1f78a5eea579adc4cfa9cd91a02715bf2b9d7b44844a3ecbb54bd5d92f88cea9b3a062ea65df3cd8f6d7bee7ccbbc61c0b1a9