Analysis Overview
SHA256
619e7a2e170e76c205cfef5fb61bda0d410218488b696c341f3c56b8b983dce3
Threat Level: Known bad
The file 093f488640237f8ec39b930759e69ff0_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modiloader family
ModiLoader Second Stage
ModiLoader, DBatLoader
Server Software Component: Terminal Services DLL
Loads dropped DLL
UPX packed file
Deletes itself
ACProtect 1.3x - 1.4x DLL software
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 19:51
Signatures
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modiloader family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
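The static pass reports three things about the dropper: it matches the UPX packer signature, it carries an ACProtect 1.3x-1.4x marker, and it is unsigned. Two of those can be checked from the PE headers without executing anything: stock UPX names its sections UPX0/UPX1, and an Authenticode signature can only be present when the certificate-table data directory (index 4) is non-empty. The parser below is an added example, not the sandbox's own code. It includes a hypothetical helper, build_sample_pe, that builds a constructed minimal PE32 header set for offline testing (not a real executable), and it reports the two verdicts. A non-empty certificate table only means a signature blob exists, not that it verifies against a trusted chain, and a packer can rename its sections, so a clean result means "no stock UPX markers", not "unpacked". The ACProtect check is not reproduced here.

```python
from __future__ import annotations
import struct

SECURITY_DIR_INDEX = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table
UPX_SECTION_PREFIX = "UPX"      # stock UPX names its sections UPX0, UPX1 (and sometimes UPX2)


def _optional_header_offset(data: bytes) -> int:
    """Offset of IMAGE_OPTIONAL_HEADER; validates the MZ and PE signatures on the way."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20    # skip "PE\0\0" and the 20-byte COFF file header


def pe_section_names(data: bytes) -> list[str]:
    """Section names from the 40-byte section headers that follow the optional header."""
    opt = _optional_header_offset(data)
    coff = opt - 20
    nsections = struct.unpack_from("<H", data, coff + 2)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]     # SizeOfOptionalHeader
    table = opt + opt_size
    return [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\0").decode("latin-1")
            for i in range(nsections)]


def pe_security_directory(data: bytes) -> tuple[int, int]:
    """(file offset, size) of the certificate table; (0, 0) when the image carries no Authenticode blob."""
    opt = _optional_header_offset(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32
        nrva_off, dd_off = 92, 96
    elif magic == 0x20B:        # PE32+
        nrva_off, dd_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]    # NumberOfRvaAndSizes
    if nrva <= SECURITY_DIR_INDEX:
        return (0, 0)
    # For the security directory the first field is a file offset, not an RVA.
    return struct.unpack_from("<II", data, opt + dd_off + 8 * SECURITY_DIR_INDEX)


def assess_pe(data: bytes) -> dict:
    """The two static verdicts: stock UPX section markers present, and no certificate table (unsigned)."""
    names = pe_section_names(data)
    off, size = pe_security_directory(data)
    has_blob = off != 0 and size != 0 and off + size <= len(data)
    return {"sections": names,
            "upx_packed": any(n.upper().startswith(UPX_SECTION_PREFIX) for n in names),
            "unsigned": not has_blob}


def build_sample_pe(section_names: list[str], with_certificate: bool) -> bytes:
    """Hypothetical helper: a constructed minimal PE32 header set for offline testing, not a runnable executable."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    opt = bytearray(224)                                            # PE32 optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)                           # Magic: PE32
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x0102)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    cert = b""
    if with_certificate:
        # WIN_CERTIFICATE header (dwLength, wRevision 0x200, wCertificateType PKCS_SIGNED_DATA) plus a dummy payload
        cert = struct.pack("<IHH", 16, 0x0200, 0x0002) + bytes(8)
        cert_offset = len(dos) + 4 + len(coff) + len(opt) + len(sections)
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, cert_offset, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + sections + cert


if __name__ == "__main__":
    print(assess_pe(build_sample_pe(["UPX0", "UPX1", ".rsrc"], with_certificate=False)))
    print(assess_pe(build_sample_pe([".text", ".rdata", ".data"], with_certificate=True)))
```

To use it on a real sample, pass the file's bytes to assess_pe; the same two header fields are what the sandbox's "UPX packed file" and "Unsigned PE" rules key on.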
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 19:51
Reported
2024-06-20 19:54
Platform
win7-20240508-en
Max time kernel
141s
Max time network
148s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A (11 matches; indicator details not exported) | N/A | N/A | N/A |
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote netControl Service\Parameters\ServiceDll = "C:\\Windows\\system32\\pidc.dll" | C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A (12 matches; indicator details not exported) | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\mon.dll | C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mon.dll | C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\pidc.dll | C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pidc.dll | C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2480 wrote to memory of 2004 (4 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k network
C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe"
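The two runs agree on the persistence chain: the sample writes mon.dll and pidc.dll into SysWOW64, sets ServiceDll for a service named "Remote netControl Service" to C:\Windows\system32\pidc.dll, and then launches cmd /c del against its own path. The System32/SysWOW64 mismatch is what WoW64 file-system redirection produces when a 32-bit process writes under System32, so a detection has to fold the two spellings together before it can tie the registry value back to the dropped file. The detection logic below is an added example and not part of the sandbox report. Its event records are constructed to mirror the report's indicators in a Sysmon-like shape (event IDs 1, 11 and 13, not the sandbox's own export format), and the allowlist of processes permitted to write ServiceDll values is an assumption to tune per environment.

```python
from __future__ import annotations
import re

# Processes that legitimately write ServiceDll values. Assumed allowlist for this example;
# tune it per environment (installers, the servicing stack, management agents).
SERVICEDLL_WRITERS = {
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\msiexec.exe",
    r"c:\windows\servicing\trustedinstaller.exe",
}

SERVICEDLL_RE = re.compile(r"\\services\\(?P<service>[^\\]+)\\parameters\\servicedll$", re.IGNORECASE)
# The "del" target, quoted or bare, after optional switches such as /f /q.
DEL_RE = re.compile(r'\bdel\b\s+(?:/\w+\s+)*(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))', re.IGNORECASE)

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe"

# Constructed events shaped like Sysmon IDs 1 (process create), 11 (file create) and 13 (registry
# value set). The first four mirror the report's indicators; the last two are benign noise.
SAMPLE_EVENTS = [
    {"id": 11, "pid": 2480, "image": DROPPER, "target": r"C:\Windows\SysWOW64\mon.dll"},
    {"id": 11, "pid": 2480, "image": DROPPER, "target": r"C:\Windows\SysWOW64\pidc.dll"},
    {"id": 13, "pid": 2480, "image": DROPPER,
     "key": r"HKLM\SYSTEM\ControlSet001\services\Remote netControl Service\Parameters\ServiceDll",
     "value": r"C:\Windows\system32\pidc.dll"},
    {"id": 1, "pid": 2004, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'cmd /c del "{DROPPER}"', "parent_pid": 2480, "parent_image": DROPPER},
    {"id": 13, "pid": 600, "image": r"C:\Windows\System32\services.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\ServiceDll",
     "value": r"%SystemRoot%\System32\dnsrslvr.dll"},
    {"id": 1, "pid": 3300, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c del "C:\Temp\build.log"', "parent_pid": 1200,
     "parent_image": r"C:\Windows\explorer.exe"},
]


def normalize_path(path: str) -> str:
    """Lower-case and fold the WoW64 redirect so System32 and SysWOW64 spellings compare equal."""
    path = path.strip('"').lower().replace("/", "\\")
    return path.replace("\\syswow64\\", "\\system32\\")


def detect(events: list[dict]) -> list[dict]:
    """Return findings for ServiceDll persistence and cmd-based self-deletion."""
    # Pass 1: which process created which file, so a ServiceDll that points at a freshly
    # dropped DLL can be tied back to the process that dropped it.
    created_by = {normalize_path(e["target"]): e["pid"] for e in events if e["id"] == 11}
    findings = []
    for e in events:
        if e["id"] == 13:
            m = SERVICEDLL_RE.search(e["key"])
            if not m:
                continue
            dll = normalize_path(e["value"])
            reasons = []
            if normalize_path(e["image"]) not in SERVICEDLL_WRITERS:
                reasons.append("ServiceDll written by a process outside the installer allowlist")
            if created_by.get(dll) == e["pid"]:
                reasons.append("ServiceDll points at a DLL the same process just dropped")
            if reasons:
                findings.append({"rule": "servicedll_persistence", "service": m["service"],
                                 "dll": dll, "pid": e["pid"], "reasons": reasons})
        elif e["id"] == 1 and normalize_path(e["image"]).endswith("\\cmd.exe"):
            m = DEL_RE.search(e["cmdline"])
            if m is None:
                continue
            target = normalize_path(m["quoted"] or m["bare"])
            # cmd.exe deleting its own parent's image is the self-removal step.
            if target == normalize_path(e["parent_image"]):
                findings.append({"rule": "self_delete_via_cmd", "pid": e["parent_pid"], "path": target})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The second reason on the ServiceDll finding is the one worth alerting on by itself: a service DLL path that resolves to a file the registering process created moments earlier has no legitimate equivalent outside installers, and the allowlist only exists to keep those installers quiet.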
Network
| Country | Destination | Domain | Proto | Queries |
| US | 8.8.8.8:53 | btdin.vicp.net | udp | 10 |
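Both detonations show the same outbound activity and nothing else: repeated UDP lookups of btdin.vicp.net sent to 8.8.8.8, with no resolved address and no follow-on connection recorded. vicp.net is a dynamic-DNS domain operated by Oray, which fits a loader polling for a C2 rendezvous name that did not resolve at detonation time. The script below is an added example and not part of the report. It parses a constructed DNS query log in a simple whitespace-separated layout (not the sandbox's pcap) and flags hosts that repeatedly query the same name under a dynamic-DNS apex without ever seeing an answer. The apex list is illustrative and assumed; in production it should come from your own intelligence feed.

```python
from __future__ import annotations
from collections import defaultdict

# Apex domains of dynamic-DNS providers often used as C2 rendezvous names. Illustrative,
# assumed list for this example; feed it from your own intelligence in production.
DDNS_APEX = {"vicp.net", "xicp.net", "gicp.net", "3322.org", "no-ip.com", "ddns.net", "duckdns.org"}

# Constructed query log (not the sandbox pcap). Columns: ts src dst proto query qtype rcode,
# where rcode "-" means no response was observed. The ten btdin.vicp.net lines mirror the report.
SAMPLE_DNS_LOG = "\n".join(
    [f"2024-06-20T19:52:{i:02d}Z 10.0.0.5 8.8.8.8 udp btdin.vicp.net A -" for i in range(1, 11)]
    + [
        "2024-06-20T19:52:12Z 10.0.0.5 8.8.8.8 udp www.microsoft.com A NOERROR",
        "2024-06-20T19:52:20Z 10.0.0.7 8.8.8.8 udp home.ddns.net A NOERROR",
        "2024-06-20T19:52:21Z 10.0.0.7 8.8.8.8 udp update.example.org A NXDOMAIN",
    ]
)


def parse_dns_log(text: str) -> list[dict]:
    """Parse the whitespace-separated constructed layout above into one dict per query."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, query, qtype, rcode = line.split()
        rows.append({"ts": ts, "src": src, "dst": dst, "proto": proto,
                     "query": query.lower().rstrip("."), "qtype": qtype, "rcode": rcode})
    return rows


def ddns_apex(query: str) -> str | None:
    """Matching dynamic-DNS apex, or None. Label-boundary suffix match: 'vicp.net' matches
    'btdin.vicp.net' but not 'myvicp.net'."""
    for apex in DDNS_APEX:
        if query == apex or query.endswith("." + apex):
            return apex
    return None


def analyze_dns(rows: list[dict], repeat_threshold: int = 5) -> list[dict]:
    """Score each (source, name) pair on three signals: DDNS apex, repeated identical lookups,
    and no answer ever observed. Pairs scoring at least 2 are returned, highest first."""
    by_pair: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for r in rows:
        by_pair[(r["src"], r["query"])].append(r)
    findings = []
    for (src, query), hits in by_pair.items():
        reasons, score = [], 0
        apex = ddns_apex(query)
        if apex:
            score += 2
            reasons.append(f"dynamic-DNS name under {apex}")
        if len(hits) >= repeat_threshold:
            score += 1
            reasons.append(f"{len(hits)} identical lookups")
        if all(h["rcode"] == "-" for h in hits):
            score += 1
            reasons.append("no response observed for any lookup")
        if score >= 2:
            findings.append({"src": src, "query": query, "count": len(hits),
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: (-f["score"], f["query"]))


if __name__ == "__main__":
    for finding in analyze_dns(parse_dns_log(SAMPLE_DNS_LOG)):
        print(finding)
```

The unanswered-lookup signal is deliberately weak on its own, since a sandbox with blocked egress produces it for every name; it only adds weight when combined with the DDNS apex and the retry pattern, which is exactly the combination the report shows.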
Files
\??\c:\windows\SysWOW64\pidc.dll
| MD5 | 5cd9300f57db8e263f7a7123f6b83fc3 |
| SHA1 | 27299d4ca3fbdd04dc92037f72283de7f5f2563a |
| SHA256 | 2df474ff61de0f178eedbf336a3c55402dbf01712837f41da9fb4f501b4e54a6 |
| SHA512 | dbff530f2082105d20e4b66fd822bb7502eac7a675f8b2b830b4e0bab01cd8ca6fabfe6de2f8079040dea63d5669755f019568cfa5ecbe15d49dbe3ab6156e6d |
memory/2224-6-0x0000000000500000-0x0000000000565000-memory.dmp
memory/2480-7-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2224-8-0x0000000000500000-0x0000000000565000-memory.dmp
memory/2224-10-0x0000000000500000-0x0000000000565000-memory.dmp
memory/2224-11-0x0000000000500000-0x0000000000565000-memory.dmp
memory/2224-13-0x0000000000500000-0x0000000000565000-memory.dmp
memory/2224-14-0x0000000000500000-0x0000000000565000-memory.dmp
memory/2224-15-0x0000000000500000-0x0000000000565000-memory.dmp
memory/2224-17-0x0000000000500000-0x0000000000565000-memory.dmp
memory/2224-18-0x0000000000500000-0x0000000000565000-memory.dmp
memory/2224-20-0x0000000000500000-0x0000000000565000-memory.dmp
memory/2224-21-0x0000000000500000-0x0000000000565000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 19:51
Reported
2024-06-20 19:54
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A (15 matches; indicator details not exported) | N/A | N/A | N/A |
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote netControl Service\Parameters\ServiceDll = "C:\\Windows\\system32\\pidc.dll" | C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A (16 matches; indicator details not exported) | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\mon.dll | C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mon.dll | C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\pidc.dll | C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pidc.dll | C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1552 wrote to memory of 1544 (3 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k network
C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\093f488640237f8ec39b930759e69ff0_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto | Queries |
| US | 8.8.8.8:53 | btdin.vicp.net | udp | 9 |
Files
\??\c:\windows\SysWOW64\pidc.dll
| MD5 | 5cd9300f57db8e263f7a7123f6b83fc3 |
| SHA1 | 27299d4ca3fbdd04dc92037f72283de7f5f2563a |
| SHA256 | 2df474ff61de0f178eedbf336a3c55402dbf01712837f41da9fb4f501b4e54a6 |
| SHA512 | dbff530f2082105d20e4b66fd822bb7502eac7a675f8b2b830b4e0bab01cd8ca6fabfe6de2f8079040dea63d5669755f019568cfa5ecbe15d49dbe3ab6156e6d |
memory/1552-6-0x0000000000400000-0x0000000000432000-memory.dmp
memory/3168-7-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3168-8-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3168-9-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3168-10-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3168-11-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3168-12-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3168-13-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3168-14-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3168-15-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3168-16-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3168-17-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3168-18-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3168-19-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3168-20-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3168-21-0x0000000000400000-0x0000000000465000-memory.dmp