Malware Analysis Report

2024-10-23 19:32

Sample ID 240620-ylaxysyfrr
Target 093f488640237f8ec39b930759e69ff0_JaffaCakes118
SHA256 619e7a2e170e76c205cfef5fb61bda0d410218488b696c341f3c56b8b983dce3
Tags
modiloader persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

619e7a2e170e76c205cfef5fb61bda0d410218488b696c341f3c56b8b983dce3

Threat Level: Known bad

The file 093f488640237f8ec39b930759e69ff0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader persistence trojan upx

Modiloader family

ModiLoader Second Stage

ModiLoader, DBatLoader

ModiLoader Second Stage

Server Software Component: Terminal Services DLL

Loads dropped DLL

UPX packed file

Deletes itself

ACProtect 1.3x - 1.4x DLL software

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 19:51

Signatures

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Modiloader family

modiloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 19:51

Reported

2024-06-20 19:54

Platform

win7-20240508-en

Max time kernel

141s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote netControl Service\Parameters\ServiceDll = "C:\\Windows\\system32\\pidc.dll" C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\mon.dll C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\mon.dll C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\pidc.dll C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\pidc.dll C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k network

C:\Windows\SysWOW64\cmd.exe

cmd /c del "C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 btdin.vicp.net udp
US 8.8.8.8:53 btdin.vicp.net udp
US 8.8.8.8:53 btdin.vicp.net udp
US 8.8.8.8:53 btdin.vicp.net udp
US 8.8.8.8:53 btdin.vicp.net udp
US 8.8.8.8:53 btdin.vicp.net udp
US 8.8.8.8:53 btdin.vicp.net udp
US 8.8.8.8:53 btdin.vicp.net udp
US 8.8.8.8:53 btdin.vicp.net udp
US 8.8.8.8:53 btdin.vicp.net udp

Files

\??\c:\windows\SysWOW64\pidc.dll

MD5 5cd9300f57db8e263f7a7123f6b83fc3
SHA1 27299d4ca3fbdd04dc92037f72283de7f5f2563a
SHA256 2df474ff61de0f178eedbf336a3c55402dbf01712837f41da9fb4f501b4e54a6
SHA512 dbff530f2082105d20e4b66fd822bb7502eac7a675f8b2b830b4e0bab01cd8ca6fabfe6de2f8079040dea63d5669755f019568cfa5ecbe15d49dbe3ab6156e6d

memory/2224-6-0x0000000000500000-0x0000000000565000-memory.dmp

memory/2480-7-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2224-8-0x0000000000500000-0x0000000000565000-memory.dmp

memory/2224-10-0x0000000000500000-0x0000000000565000-memory.dmp

memory/2224-11-0x0000000000500000-0x0000000000565000-memory.dmp

memory/2224-13-0x0000000000500000-0x0000000000565000-memory.dmp

memory/2224-14-0x0000000000500000-0x0000000000565000-memory.dmp

memory/2224-15-0x0000000000500000-0x0000000000565000-memory.dmp

memory/2224-17-0x0000000000500000-0x0000000000565000-memory.dmp

memory/2224-18-0x0000000000500000-0x0000000000565000-memory.dmp

memory/2224-20-0x0000000000500000-0x0000000000565000-memory.dmp

memory/2224-21-0x0000000000500000-0x0000000000565000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 19:51

Reported

2024-06-20 19:54

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote netControl Service\Parameters\ServiceDll = "C:\\Windows\\system32\\pidc.dll" C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\mon.dll C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\mon.dll C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\pidc.dll C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\pidc.dll C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k network

C:\Windows\SysWOW64\cmd.exe

cmd /c del "C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 btdin.vicp.net udp
US 8.8.8.8:53 btdin.vicp.net udp
US 8.8.8.8:53 btdin.vicp.net udp
US 8.8.8.8:53 btdin.vicp.net udp
US 8.8.8.8:53 btdin.vicp.net udp
US 8.8.8.8:53 btdin.vicp.net udp
US 8.8.8.8:53 btdin.vicp.net udp
US 8.8.8.8:53 btdin.vicp.net udp
US 8.8.8.8:53 btdin.vicp.net udp

Files

\??\c:\windows\SysWOW64\pidc.dll

MD5 5cd9300f57db8e263f7a7123f6b83fc3
SHA1 27299d4ca3fbdd04dc92037f72283de7f5f2563a
SHA256 2df474ff61de0f178eedbf336a3c55402dbf01712837f41da9fb4f501b4e54a6
SHA512 dbff530f2082105d20e4b66fd822bb7502eac7a675f8b2b830b4e0bab01cd8ca6fabfe6de2f8079040dea63d5669755f019568cfa5ecbe15d49dbe3ab6156e6d

memory/1552-6-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3168-7-0x0000000000400000-0x0000000000465000-memory.dmp

memory/3168-8-0x0000000000400000-0x0000000000465000-memory.dmp

memory/3168-9-0x0000000000400000-0x0000000000465000-memory.dmp

memory/3168-10-0x0000000000400000-0x0000000000465000-memory.dmp

memory/3168-11-0x0000000000400000-0x0000000000465000-memory.dmp

memory/3168-12-0x0000000000400000-0x0000000000465000-memory.dmp

memory/3168-13-0x0000000000400000-0x0000000000465000-memory.dmp

memory/3168-14-0x0000000000400000-0x0000000000465000-memory.dmp

memory/3168-15-0x0000000000400000-0x0000000000465000-memory.dmp

memory/3168-16-0x0000000000400000-0x0000000000465000-memory.dmp

memory/3168-17-0x0000000000400000-0x0000000000465000-memory.dmp

memory/3168-18-0x0000000000400000-0x0000000000465000-memory.dmp

memory/3168-19-0x0000000000400000-0x0000000000465000-memory.dmp

memory/3168-20-0x0000000000400000-0x0000000000465000-memory.dmp

memory/3168-21-0x0000000000400000-0x0000000000465000-memory.dmp