Malware Analysis Report

2024-10-23 19:32

Sample ID: 240620-yl9fhsygnq
Target: 09422e47a95b1c2fad54d948843b9f0c_JaffaCakes118
SHA256: 139cff125dc1eac257e9a7b5dd3971f7c0d924e4a6f469b18c2f08637a5f4c2e
Tags: upx, modiloader, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 139cff125dc1eac257e9a7b5dd3971f7c0d924e4a6f469b18c2f08637a5f4c2e
Threat Level: Known bad

The file 09422e47a95b1c2fad54d948843b9f0c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: upx, modiloader, trojan

ModiLoader, DBatLoader
ModiLoader Second Stage
UPX packed file
Drops file in System32 directory
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory

Read together, the signatures describe one chain, repeated identically in both behavioural runs: an unsigned, UPX-packed loader (ModiLoader and DBatLoader are two names for the same first-stage family) creates FieleWay.txt under SysWOW64, starts IEXPLORE.EXE, writes into that process and redirects one of its threads with SetThreadContext, so the second stage executes under the browser's image name. Everything the report then attributes to IEXPLORE.EXE (registry keys, Bing and ieonline.microsoft.com traffic, CryptoAPI cache files) is Internet Explorer's own start-up behaviour, not evidence of what the injected stage does. SetWindowsHookEx and WriteProcessMemory are listed only in this summary; the per-run sections record no indicator rows for either.

MITRE ATT&CK

Enterprise Matrix V15

The report records no technique rows in this section. From the signatures below, the observed behaviour maps to T1027.002 (Obfuscated Files or Information: Software Packing, from the UPX hit) and T1055 (Process Injection, from WriteProcessMemory and SetThreadContext against IEXPLORE.EXE). Whether the sub-technique is T1055.012 Process Hollowing or T1055.003 Thread Execution Hijacking depends on whether IEXPLORE.EXE was created suspended, which the report does not show; the normal SCODEF tab child and Internet Explorer's own registry writes indicate that IE's code kept running after the injection.

Analysis: static1

Detonation Overview

Reported: 2024-06-20 19:53

Signatures

UPX packed file (tag: upx)
No indicator details recorded.

Unsigned PE
No indicator details recorded.
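static1 gives a verdict without the evidence behind it. The Python below is an added example, not part of the report and not code from any tool it names: it performs the two checks that underlie a "UPX packed file" call, section naming and section entropy, on a PE header the script builds itself to mimic the UPX layout (an empty UPX0 placeholder the stub unpacks into, a high-entropy UPX1 carrying the compressed image, a plain .rsrc). The report publishes the sample's hashes but not its bytes, so everything parsed here is constructed. A second constructed file has the UPX names scrubbed, which is the common modification (together with removing the UPX! marker) that makes `upx -d` refuse a file; it shows that the layout and entropy checks still fire when the name check does not.

```python
import math
import random
import struct

# All bytes below are constructed for this example; the report gives the
# sample's hashes, not its contents, so these stand-ins only mimic the layout.

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections):
    """Build a minimal PE32 file from (name, virtual_size, raw_bytes) sections."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    n, size_opt = len(sections), 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, size_opt, 0x0102)  # i386, EXECUTABLE|32BIT
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)              # PE32 magic, rest zeroed
    hdr_len = len(dos) + 4 + len(coff) + size_opt + 40 * n
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF                                  # 0x200 file alignment
    table, body, va = b"", b"", 0x1000
    for name, vsize, raw in sections:
        ptr = (raw_ptr + len(body)) if raw else 0
        table += struct.pack(SECTION_HDR, name, vsize, va, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        va += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF
    return dos + b"PE\0\0" + coff + opt + table + b"\0" * (raw_ptr - hdr_len) + body


def shannon(buf):
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, near 8.0 for random."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data):
    """Walk the section table; return name, sizes and raw-data entropy per section."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    n = struct.unpack_from("<H", data, e_lfanew + 6)[0]          # NumberOfSections
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    table = e_lfanew + 24 + size_opt
    out = []
    for i in range(n):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[rptr:rptr + rsize] if rsize else b""
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "virtual_size": vsize, "raw_size": rsize, "entropy": shannon(raw)})
    return out


def assess_packing(data):
    secs = pe_sections(data)
    names = [s["name"] for s in secs]
    upx_names = any(n.startswith("UPX") for n in names)
    # UPX layout: the first section has no bytes on disk but a large virtual size
    # (the unpack destination); the second carries the compressed image.
    stub_layout = len(secs) >= 2 and secs[0]["raw_size"] == 0 and secs[0]["virtual_size"] > 0
    high_entropy = [s["name"] for s in secs if s["raw_size"] >= 512 and s["entropy"] > 7.0]
    return {"sections": names, "upx_section_names": upx_names, "packer_layout": stub_layout,
            "high_entropy_sections": high_entropy,
            "likely_packed": upx_names or (stub_layout and bool(high_entropy))}


_rng = random.Random(7)
_COMPRESSED = bytes(_rng.getrandbits(8) for _ in range(8192))  # stands in for the UPX1 body
_RESOURCES = b"A" * 1024                                       # low-entropy filler

SAMPLE_UPX = build_pe([(b"UPX0", 0x40000, b""), (b"UPX1", 0x2000, _COMPRESSED), (b".rsrc", 0x400, _RESOURCES)])
# Same layout with the tell-tale names scrubbed, as a modified stub would present it.
SAMPLE_RENAMED = build_pe([(b".text", 0x40000, b""), (b".data", 0x2000, _COMPRESSED), (b".rsrc", 0x400, _RESOURCES)])

if __name__ == "__main__":
    for label, blob in (("stock UPX names", SAMPLE_UPX), ("names scrubbed", SAMPLE_RENAMED)):
        print(label, assess_packing(blob))
```

Run it on a real file by replacing the constructed blobs with `open(path, "rb").read()`; the name check is the weakest of the three signals and is the one a repacked loader defeats first, so treat a hollow first section plus a high-entropy second section as the packing indicator even when the names look like a compiler's.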

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-20 19:53
Reported: 2024-06-20 19:56
Platform: win7-20240508-en
Max time kernel: 133s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09422e47a95b1c2fad54d948843b9f0c_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader (tags: trojan, modiloader)

ModiLoader Second Stage
Rule hit; no indicator details recorded. The rule fires in both behavioural runs but not in static1, consistent with a match on a memory dump rather than on the packed file.

UPX packed file (tag: upx)
Three hits; no indicator details recorded.

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\FieleWay.txt | C:\Users\Admin\AppData\Local\Temp\09422e47a95b1c2fad54d948843b9f0c_JaffaCakes118.exe | N/A

The path is SysWOW64, the 32-bit view of System32: a 32-bit loader (its image maps at the classic 0x400000 base, see Files) writing to what it addresses as System32. FieleWay.txt does not appear in the Files section, so its contents were not captured and no hash is available for it.

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1644 set thread context of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\09422e47a95b1c2fad54d948843b9f0c_JaffaCakes118.exe | C:\program files\internet explorer\IEXPLORE.EXE

Taken with the WriteProcessMemory hit in the summary, this is thread-context injection: the loader writes a code region into IEXPLORE.EXE (the single region dumped from PID 1988 is 0xCA000 bytes, the same size as the loader's own image, see Files) and points a thread's instruction pointer at it. IE's own code evidently kept running, since PID 1988 still spawned its normal SCODEF tab child and performed Internet Explorer's usual first-run registry writes.

Modifies Internet Explorer settings

Sandbox tags: adware, spyware. The tags are the signature's fixed heuristics; the entries themselves are Internet Explorer's normal first-run housekeeping (recovery state, window placement, domain suggestions, search scopes, GPU info) performed by the injected frame process and its tab process. All keys sit under \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\; the Indicator column gives the remainder of the path.

Description | Indicator | Process | Target
Key created | Toolbar | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | Recovery\AdminActive | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | Recovery\AdminActive\{C9602D41-2F3E-11EF-A1DE-66A5A0AB388F} = "0" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | Main\FullScreen = "no" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | Recovery\PendingRecovery\AdminActive = "1" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | DomainSuggestion\NextUpdateDate = "425075086" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | IntelliForms | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | InternetRegistry | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | Toolbar\WebBrowser | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | GPU | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | SearchScopes | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | LowRegistry\DOMStorage | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | PageSetup | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | Recovery\PendingRecovery | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | LowRegistry | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | SearchScopes\DownloadRetries = "3" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | DomainSuggestion | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | Main\CompatibilityFlags = "0" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (str) | Main\WindowsSearch\Version = "WS not running" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | Main | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | BrowserEmulation\LowMic | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | IETld\LowMic | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | LowRegistry\DontShowMeThisDialogAgain | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | Zoom | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | Main\WindowsSearch | C:\program files\internet explorer\IEXPLORE.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\program files\internet explorer\IEXPLORE.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\09422e47a95b1c2fad54d948843b9f0c_JaffaCakes118.exe (PID 1644)
  "C:\Users\Admin\AppData\Local\Temp\09422e47a95b1c2fad54d948843b9f0c_JaffaCakes118.exe"

  C:\program files\internet explorer\IEXPLORE.EXE (PID 1988, injection target)
    "C:\program files\internet explorer\IEXPLORE.EXE"

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1988 CREDAT:275457 /prefetch:2

Tree inferred from the SetThreadContext PIDs and the SCODEF argument: SCODEF:1988 is Internet Explorer's own frame-to-tab hand-off naming the parent frame process, so the 32-bit tab process is a normal child of the injected frame, not a second injection target.
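The tree above, the FieleWay.txt drop and the SetThreadContext row are what an endpoint detection has to work from, and Sysmon does not log SetThreadContext at all, so the hunt is on process lineage plus the file write. The Python below is an added example, not part of the report and not a rule from any product: it evaluates constructed Sysmon-style ProcessCreate and FileCreate events modelled on this run. The Temp path, PIDs 1644 and 1988, the FieleWay.txt target and the SCODEF/CREDAT child are taken from the report; the explorer.exe parent, PIDs 1200, 2040 and 3100 and the benign IE launch used as a control are assumed for the example. It flags a Program Files or Windows binary started by a Temp-resident executable, a Temp-resident executable creating a file under System32 or SysWOW64, and, at lower weight, an IE tab process whose frame descends from the Temp executable, while leaving the user-launched IE untouched.

```python
import re

# Constructed events in a Sysmon-like shape, modelled on the behavioral1 run of
# this report. PIDs 1644/1988 and the paths are the report's; the explorer.exe
# parent (PID 1200), the tab PID 2040 and the benign control (PID 3100) are assumed.
LOADER = r"C:\Users\Admin\AppData\Local\Temp\09422e47a95b1c2fad54d948843b9f0c_JaffaCakes118.exe"
IE_FRAME = r"C:\program files\internet explorer\IEXPLORE.EXE"
IE_TAB = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
EXPLORER = r"C:\Windows\explorer.exe"

EVENTS = [
    {"type": "ProcessCreate", "pid": 1644, "ppid": 1200, "image": LOADER,
     "parent_image": EXPLORER, "cmdline": '"%s"' % LOADER},
    {"type": "FileCreate", "pid": 1644, "image": LOADER,
     "target": r"C:\Windows\SysWOW64\FieleWay.txt"},
    {"type": "ProcessCreate", "pid": 1988, "ppid": 1644, "image": IE_FRAME,
     "parent_image": LOADER, "cmdline": '"%s"' % IE_FRAME},
    {"type": "ProcessCreate", "pid": 2040, "ppid": 1988, "image": IE_TAB,
     "parent_image": IE_FRAME, "cmdline": '"%s" SCODEF:1988 CREDAT:275457 /prefetch:2' % IE_TAB},
    # benign control: the user starting IE from the shell, not descended from the loader
    {"type": "ProcessCreate", "pid": 3100, "ppid": 1200, "image": IE_FRAME,
     "parent_image": EXPLORER, "cmdline": '"%s"' % IE_FRAME},
]

USER_STAGING = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
TRUSTED_HOSTS = re.compile(r"^C:\\(Program Files( \(x86\))?|Windows)\\", re.I)
SYSTEM_DIRS = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.I)
IE_CHILD_ARGS = re.compile(r"\bSCODEF:\d+\b.*\bCREDAT:\d+\b")


def ancestry(events, pid):
    """Images of pid and its ancestors, nearest first, from the ProcessCreate events seen."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (rule, pid, detail) findings for loader-style lineage and file drops."""
    findings = []
    for e in events:
        if e["type"] == "ProcessCreate":
            chain = ancestry(events, e["pid"])  # chain[0] is the process itself
            staged = [i for i, img in enumerate(chain) if USER_STAGING.search(img)]
            if not staged or not TRUSTED_HOSTS.match(e["image"]):
                continue
            if staged[0] == 1:
                # a Program Files / Windows binary started directly by a Temp-resident exe
                findings.append(("temp_exe_spawns_host_process", e["pid"], e["image"]))
            elif IE_CHILD_ARGS.search(e["cmdline"]):
                # IE's own frame->tab split, but the frame descends from the loader
                findings.append(("ie_tab_under_injected_frame", e["pid"], e["image"]))
        elif e["type"] == "FileCreate":
            if USER_STAGING.search(e["image"]) and SYSTEM_DIRS.match(e["target"]):
                findings.append(("temp_exe_writes_system_dir", e["pid"], e["target"]))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

The lineage walk is what separates the injected frame from a user-launched one: both run with an empty command line, and only the parent chain differs. On a real host, add Sysmon event 10 (ProcessAccess) from the Temp executable to IEXPLORE.EXE with VM_WRITE in GrantedAccess to confirm the injection the sandbox saw through SetThreadContext.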

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.bing.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Both endpoints are Internet Explorer's own start-up traffic (a Bing suggestions lookup and ieonline.microsoft.com). No loader command-and-control was contacted within the 128 s network window, so this run yields no second-stage download and no C2 address.

Files

Memory dumps are named PID-sequence-start-end. The loader (PID 1644) is dumped at 0x400000-0x4CA000, its own image; the single region dumped from IEXPLORE.EXE (PID 1988) at 0x60000-0x12A000 is the same 0xCA000 bytes, consistent with the loader writing a copy of its unpacked image into the browser process. The 0x415000-0x416000 dump is one page inside the loader's image. The remaining entries (Cab49C0.tmp, Tar4A44.tmp and the CryptnetUrlCache Content and MetaData files, the MetaData file rewritten repeatedly with a different hash each time) are CryptoAPI's certificate and trusted-root cache, written while Internet Explorer validated certificates; none is a payload drop. The one file the loader itself created, C:\Windows\SysWOW64\FieleWay.txt, is not listed or hashed here.

memory/1644-0-0x0000000000400000-0x00000000004CA000-memory.dmp

memory/1644-1-0x0000000000260000-0x0000000000261000-memory.dmp

memory/1988-3-0x0000000000060000-0x000000000012A000-memory.dmp

memory/1644-5-0x0000000000415000-0x0000000000416000-memory.dmp

memory/1644-6-0x0000000000400000-0x00000000004CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab49C0.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar4A44.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2ce37956f9811ca3aef43f8a2247fd76
SHA1 4dbb60379fd3baa4de08e3e938478d36f9dba311
SHA256 dd15d3201484d2a164f4dbf7ff915098e29ffbc9d046bafd6e48979c18770ccf
SHA512 eb4c8122b4c239d0d459aacf91756fda9ef3cd8565546f1d1209cf597b094564e9a57c17e31cbf8aada11ab38d0ee190459ac6022504a1d128b580b3daad5154

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7a33f713906c3ff09ab49f72c5badb9d
SHA1 e1515c48fa5a417a8d7428d298e1d14214d75c40
SHA256 10c21e0891ed9ff45be258aeecfe90c40bac19f3790a54871c9ae62d6abdca14
SHA512 53d8a939ce2b343bed9f6ac7b6796d71927c1eb9e1ef5cd58505a9bf23add57852756166d8090a50fd8a917ae35ec8ae661cf1660d1d46aac92e4c5053207dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0a98c7f0eb7208fa9216be158ed4dcca
SHA1 3b25bc7b5366780c3ec44a57c023af9acfff98ec
SHA256 0b96156cacac92f1726ffb96a9c2708869a2c8144c3c49d82870e4fa8a0c7a2e
SHA512 a84cbdf4f0a3ed7e44992e68aade8b7a5c404824ba4e1ff6c9627c701467b1444cfc69ce8077be25b4bbfcd9808f9dd5bd4ba13ac8af683b50ede476f3ba0cbd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4d1e4b9b1f22798c78371def6a954090
SHA1 6e2c8555197104a5cf5b5c9415a961e190b534f7
SHA256 fb88308080f181ce468801e15cc164b1769e7968a143bf8e1a5239458573857b
SHA512 15b9a0abbd8a066737b3a3b5354071294724c522fe9655fc036b1d97257005e0993c4b5026f0df3be2c4691e65c03e16e9f8cfb93e5b68186eee2f882fd7c38c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 972eeb82e02b37a9e486b034fecf7174
SHA1 0a0dbefe2ef58c951a3790993306171692dc8132
SHA256 e7dbbdb88f135fb4ebbdc509b6587d16784f800cc649f616a669272df224827b
SHA512 bcbddf0f003c41326ca77628447901dd05bd988782ec4953d02a3225656303f74a7d288559872ac27ffedd64efd81977caf83e6ec88338c9b60e446f5d21cd4e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ce6cbf4080ab0616cff13728628923af
SHA1 b1586a4241676d011cc30c61edf14ec0bc29881b
SHA256 caa0a4db53563354d8bddcfad703090783806dde075ba5ed0fce3faad587baf7
SHA512 468114bacf7892f0445e8561248aec0fab2a6183c129aa92be4e5f0a4dac4e8a36010fc389772ec0636a1b83a4549286ac83514a27bd089415fc616455843bd2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 637780b38e1fcae2bb698060ddbc720f
SHA1 ba2f48157140664de595be7e985a308b48c02f03
SHA256 7118fc87a7ac9b0595a8255ae11dd97085865765f0176b81e68eb74d34948e4a
SHA512 2f58d12e9871eacc828e2c4c7d979defe0a72243028f4a9702faa080faa04480a9761b27145e285300d7d13e815b0d8d4c480ebba92405fdab456ba10f93b34a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eb07d28ba768a048bc0c6abdb1482dbe
SHA1 3bf164c493c506a23d6ce64621e2c40cfd6f9098
SHA256 733858d55ebc9916b6e0408a2db96e94616276151ba6c2e1a6ce4f9728fa58d6
SHA512 1c0e5e3f6dea0a35df025a6a145fc7bfe9739e070eea236adb12a9567c66fd00cf0f99012858993d45d006593a4448200e1218acc7af49d572ceb136507451dd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 519083825c4e2e5c3924b0ef1646f5e0
SHA1 886d2bad1d2115dabaa2d6067f6c40fce058afc2
SHA256 75b0380f2c32f922804a05da5a03b6b224a7480165715b40c79720be509d554b
SHA512 7bf18e391b473a263a39fc69ba8cdbfadc1b2ea206a9e245795de8d8198fca8dbdb987afd72d04fd6a6e57c5d0a495344753d2030f6436e4eb1e11d5d722eb32

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 48d337f82be0e70ecbcce84eb9c07c91
SHA1 6f0921043e53584eb280df4b5c53a4969d5b4f65
SHA256 70b68ba249cf195cd4d761cafd3c3d60d2cd867ce812425e645041093d4915f6
SHA512 42d9b3aa25cf00c60759fe73620086be8de1def846bdfe35b156f8353e0ad1f656a025df561ba38f003d965fe39a91a079b05c636953366a85243ba3e4802f7d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8b93d77959f143dfe798eea07e58ea50
SHA1 4d14145e9c7bcca0ae7606e1e48e2a0324b1aadf
SHA256 52a318a434693e58ac8dc69dc9bfaf08a989d8a38d2b84692a2cd64523dcf0f6
SHA512 a203004baa884dea87f307173f6ff68897b18c74e743930cacc3dd62207b70f9b4fd28b33d94500475e58d360dc07da8ff8aaf795a53647c87e8c90fa3c3051c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e56ed9131098fea3fc2a20e4915e11df
SHA1 d0b88fbd87450bbe3cb52f76c0085c4e93bf3b33
SHA256 eed36fc275d9a3e63bbaf3897d05d900c672e7fb0f0b438e3b7b849cc0ad1808
SHA512 9152841c995c03b0bd42a93eb466c710ff953d602a6b16089123af922dd8d88386a66f7fd40c71cc26bcbf6fa80d67e180d21ba017dad948cc3b22719c8b5455

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 da12bfea8a8226bf21ed3318b2f152e2
SHA1 1e9d0ce475d703914012798da888e4f65ff6a1e6
SHA256 aed96a380952d281afee326da7cabb77611c85abeb28cc799d26647694a9967a
SHA512 2f92125b9ca93ea3c05a7ed96479915a660da67420b250b121d1d940cb058ef8d07a9a298038f02135609ecb1be0896954ca1df42bd3e3eef2d873bc4d918faf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 24916f718a666fd88343f9145bfeaaff
SHA1 fde758110838f9fdf918577212abeaf97f754612
SHA256 c56d4cdb224292ed25d4e418f9e3c3169da5c0a6fd75387e9242df690cdcbdcd
SHA512 6c4263bf85cd02e3471c27d634bafb7ae1025ed8c2bbc9a298bed77883ccc11d2b3bdb62202cf44806ac53996893cdc219a451f2968878e8df17eff99396eaf3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 22267602bab1d3c2707e66121c1688a4
SHA1 a800236c06c2ea8f72ea7335ca69c052d478e81e
SHA256 c9795a4339b04b57140e7ac1cf58865aa77ca830754b40aac405057b5722a725
SHA512 e18dfe4a087e99fe7ee1d3d90d6a380f63cf16a9ed16ea34db76df4a67458ad307c0d268d50d1afc8ca58e9be0d81c7826ae1b7c4d6a23dd59f790260ebd0f65

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0544c491589f369d51a87f9e3a4b4d1
SHA1 b07008258d0f1bd24b0bd4d11e6cd36895ad8a3f
SHA256 080966dee1faa1eedc8c78b9f18fd01f53cf4abcedb7540f42f548cf5d9ef709
SHA512 bc6a822c6fea31cdd4c5dcc84cfdabf2804bd7f5996d8b608199ec857d7c16ebd70b7cef1942e1fcbc61bfb83574e8195241bb02682a1dff63e32ef6d5cbb59d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2215cdf848f2b4dd9a8ec49d4ca9b48a
SHA1 4942e72f30beb842033748cb9101b03169f6c133
SHA256 941bb9206d807cf35ca59b23a77b81295c709cf2bac4f50bb9cb3cd273efa13c
SHA512 d741cfba74abf3629769f24d951ceabd744acbe4e972b373ea4c15620bfe5dcd85e253d3de3727a358adddeec79e4c0aea8d3cbdd571c09e17252e879b8d820f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee8f55b3449163a05a49e2d22da6ca63
SHA1 353fcc77416d6d94df62c3e14bb34406f7c3c062
SHA256 1d1b18f4c98c76d17860b018c6a6236e20dbef90c28b9cf015bf804def3e9e4d
SHA512 86fbd263b77dac38a7cc814a43d99885fa282ee23be2df1062dfed252d5869d1a41c8f991f61bd8b5d794c44ad14189734453daa7a7cfbe7037e3df81f75e75d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 28ebffff3194c53cdcefb19a46bac451
SHA1 a534540108a26bdbad05dceade169d65c793859e
SHA256 68e920da5fe85a62e50ced117ef320970b6a2fcf73df474aea628d92dd808cac
SHA512 d7a4efe14d9ad78bdda691ac88933b56d4711033e59d783e1528245db19d19b2242a48a6869f6bd2b7d3372997ee28972903b0a93b326afa36ccf6ed4c9ea76b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c6de8d0b4cd7c624ab660235dbee88bc
SHA1 2804c1442e977925adef8357f51bb380e906ad9f
SHA256 b5bc60aac35e93f71c2b07ea0c87fa3ea3a77615e42af0a92434bfa2716edbaf
SHA512 377a6e471a9c037637010c536c2f9e53ebc04dc4c5a0260ecc6991099b153a61f0603591cb1388be622f6a5ac74114590589e139dd19496f86b5c45f4635ff9b
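The memory-dump names in this report are a small dataset of their own: a region the same size as the loader's image turning up in a different process is the cleanest single indicator of the injection that the sandbox recorded. The Python below is an added example, not part of the report: it parses the dump names exactly as they appear in the Files sections of both behavioural runs (copied verbatim, nothing constructed), computes region sizes per PID, and reports every region in another process whose size equals the first-dumped region of a given process. The generalisation is the report's own observation extended to any run with this naming scheme.

```python
import re
from collections import defaultdict

# Dump names copied from the Files sections of the two behavioural runs in this report.
BEHAVIORAL1 = [
    "memory/1644-0-0x0000000000400000-0x00000000004CA000-memory.dmp",
    "memory/1644-1-0x0000000000260000-0x0000000000261000-memory.dmp",
    "memory/1988-3-0x0000000000060000-0x000000000012A000-memory.dmp",
    "memory/1644-5-0x0000000000415000-0x0000000000416000-memory.dmp",
    "memory/1644-6-0x0000000000400000-0x00000000004CA000-memory.dmp",
]
BEHAVIORAL2 = [
    "memory/3260-0-0x0000000000400000-0x00000000004CA000-memory.dmp",
    "memory/3260-2-0x0000000000BC0000-0x0000000000BC1000-memory.dmp",
    "memory/1440-3-0x0000000000F50000-0x000000000101A000-memory.dmp",
    "memory/3260-4-0x0000000000415000-0x0000000000416000-memory.dmp",
    "memory/3260-6-0x0000000000400000-0x00000000004CA000-memory.dmp",
]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dumps(names):
    """Turn dump file names into region dicts; names that do not fit the scheme are skipped."""
    regions = []
    for n in names:
        m = DUMP_RE.search(n.strip())
        if not m:
            continue
        pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
        regions.append({"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start})
    return regions


def injected_image_candidates(regions):
    """Regions in one process that are exactly the size of another process's
    first-dumped (seq 0) region, i.e. a loader's image size reappearing elsewhere.
    Returns (source_pid, target_pid, size, target_start) tuples."""
    first = {r["pid"]: r for r in regions if r["seq"] == 0}
    out = []
    for src_pid, img in first.items():
        for r in regions:
            if r["pid"] != src_pid and r["size"] == img["size"]:
                out.append((src_pid, r["pid"], r["size"], r["start"]))
    return out


def summarize(names):
    """Per-PID (start, size) list plus the cross-process size matches for one run."""
    regions = parse_dumps(names)
    per_pid = defaultdict(list)
    for r in regions:
        per_pid[r["pid"]].append((hex(r["start"]), r["size"]))
    return {"per_pid": dict(per_pid), "candidates": injected_image_candidates(regions)}


if __name__ == "__main__":
    for label, run in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        s = summarize(run)
        for src, dst, size, start in s["candidates"]:
            print("%s: PID %d image size 0x%X reappears in PID %d at 0x%X" % (label, src, size, dst, start))
```

For both runs the only match is the loader's 0xCA000-byte image reappearing in IEXPLORE.EXE, at 0x60000 on Windows 7 and at 0xF50000 on Windows 10: the address moves, the size does not, which is what to expect when a loader copies itself rather than a separately downloaded payload. A size match is a lead, not proof; the dump from the target PID is the file to open next, and its first bytes should show whether it is a raw PE image or a position-independent blob.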

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-20 19:53
Reported: 2024-06-20 19:56
Platform: win10v2004-20240508-en
Max time kernel: 124s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09422e47a95b1c2fad54d948843b9f0c_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader (tags: trojan, modiloader)

ModiLoader Second Stage
Rule hit; no indicator details recorded.

UPX packed file (tag: upx)
Three hits; no indicator details recorded.

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\FieleWay.txt | C:\Users\Admin\AppData\Local\Temp\09422e47a95b1c2fad54d948843b9f0c_JaffaCakes118.exe | N/A

Same path and same absence from the Files section as on Windows 7.

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3260 set thread context of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\09422e47a95b1c2fad54d948843b9f0c_JaffaCakes118.exe | C:\program files\internet explorer\IEXPLORE.EXE

Modifies Internet Explorer settings

Sandbox tags: adware, spyware. As in behavioral1, these are Internet Explorer's own first-run writes (version manager, domain suggestions, recovery state, GPU info) made by the injected frame process and its tab process. All keys sit under \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\ (the report mixes Software and SOFTWARE; registry paths are case-insensitive); the Indicator column gives the remainder of the path.

Description | Indicator | Process | Target
Set value (int) | VersionManager\LastTTLHighDateTime = "50" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | Recovery\PendingRecovery | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | VersionManager\LastUpdateLowDateTime = "2666081793" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (str) | GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | Main\CompatibilityFlags = "0" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (str) | Main\FullScreen = "no" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | Recovery\AdminActive\{CA82056D-2F3E-11EF-B8C0-6E6D447F5FDC} = "0" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | Main\WindowsSearch | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | VersionManager\LastCheckForUpdateLowDateTime = "2668581895" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | Main | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | Recovery\AdminActive | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | DomainSuggestion\FileNames | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (str) | DomainSuggestion\FileNames\en-US = "en-US.1" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | DomainSuggestion | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | DomainSuggestion\NextUpdateDate = "425678195" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (str) | Main\WindowsSearch\Version = "WS not running" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | DomainSuggestion\FileNames\ | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | VersionManager\LastCheckForUpdateHighDateTime = "31114059" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | VersionManager | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | VersionManager\LastCheckForUpdateLowDateTime = "2666081793" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | DomainSuggestion\FileNames\ | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | VersionManager\LastUpdateHighDateTime = "31114059" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Key created | DomainSuggestion | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | VersionManager\LastTTLLowDateTime = "1251635200" | C:\program files\internet explorer\IEXPLORE.EXE | N/A
Set value (int) | VersionManager\LastCheckForUpdateHighDateTime = "31114059" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\program files\internet explorer\IEXPLORE.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\09422e47a95b1c2fad54d948843b9f0c_JaffaCakes118.exe (PID 3260)
  "C:\Users\Admin\AppData\Local\Temp\09422e47a95b1c2fad54d948843b9f0c_JaffaCakes118.exe"

  C:\program files\internet explorer\IEXPLORE.EXE (PID 1440, injection target)
    "C:\program files\internet explorer\IEXPLORE.EXE"

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1440 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4196,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:8

Tree inferred from the SetThreadContext PIDs and the SCODEF argument, as in behavioral1. The msedge.exe utility process (asset_store service) is background Microsoft Edge activity on the Windows 10 image; the report records no relationship between it and the sample.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | api.bing.com | udp
US | 8.8.8.8:53 | 81.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.239.69.13.in-addr.arpa | udp

api.bing.com and ieonline.microsoft.com are Internet Explorer's own traffic; the in-addr.arpa queries are reverse lookups the Windows 10 image issues for Microsoft addresses (200.197.79.204.in-addr.arpa is 204.79.197.200, the ieonline host). No loader command-and-control was contacted within the 144 s network window.

Files

As in behavioral1, the loader (PID 3260) is dumped at 0x400000-0x4CA000 and the one region dumped from IEXPLORE.EXE (PID 1440) at 0xF50000-0x101A000 is the same 0xCA000 bytes; the injected copy lands at a different address on Windows 10 but keeps its size. The CryptnetUrlCache entries and INetCache\IE\44ZGVQ6R\suggestions[1].en-US are CryptoAPI and Internet Explorer cache writes (the suggestions file is IE's domain-suggestion list, matching the DomainSuggestion keys above). FieleWay.txt is again not listed or hashed.

memory/3260-0-0x0000000000400000-0x00000000004CA000-memory.dmp

memory/3260-2-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

memory/1440-3-0x0000000000F50000-0x000000000101A000-memory.dmp

memory/3260-4-0x0000000000415000-0x0000000000416000-memory.dmp

memory/3260-6-0x0000000000400000-0x00000000004CA000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 7d3b85dddbdd4fdb82ea4c9e4eb4b386
SHA1 ec55434869bf1ce79d37ebc36af1cea98309ca89
SHA256 9ff2020f99ff7cefa80d5551715f465a89592320ea24e72c001e11a216445cb1
SHA512 0d595242ed30e20906f2f50fd4fe454a963498bb07a34b2b892d9fe5a2cb7b76d195ac766342034b422e3d3705c7760ebaa5fdc4a9076f60dfa7c61336d51d03

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 4707841573ea707ba69428754276c2ae
SHA1 e7a42682d63a0dd0c807025291973bce6e94a8ed
SHA256 c161f936bcd18e40d1f31e2bce27808fc8974c252fced914e51bb7e7b7e426cf
SHA512 994514a9a6fd9b5c0f1365928e64c17cdcefff7d65522ab4392192898dac3463c432476c2cc7ce47f6ac24734c931a8ee51c08b2c0448d20df2dbe06748870a3

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\44ZGVQ6R\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee