Malware Analysis Report

2024-10-23 19:31

Sample ID 240620-ypzeqazajm
Target 094c102cfe009d32dcc6472fbdeb13fc_JaffaCakes118
SHA256 9f39836ad42f321fcfdeec74f2f5215dd1ff49f1757a005cfdc291431d71b990
Tags modiloader persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

9f39836ad42f321fcfdeec74f2f5215dd1ff49f1757a005cfdc291431d71b990

Threat Level: Known bad

The file 094c102cfe009d32dcc6472fbdeb13fc_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader persistence trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-06-20 19:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 19:58

Reported

2024-06-20 20:00

Platform

win7-20240221-en

Max time kernel

133s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\094c102cfe009d32dcc6472fbdeb13fc_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\094c102cfe009d32dcc6472fbdeb13fc_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\FieleWay.txt C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2496 set thread context of 2332 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe C:\program files\internet explorer\IEXPLORE.EXE

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425075370" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{72B582F1-2F3F-11EF-9591-6A83D32C515E} = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU C:\program files\internet explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\program files\internet explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2968 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\094c102cfe009d32dcc6472fbdeb13fc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
PID 2968 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\094c102cfe009d32dcc6472fbdeb13fc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
PID 2968 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\094c102cfe009d32dcc6472fbdeb13fc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
PID 2968 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\094c102cfe009d32dcc6472fbdeb13fc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
PID 2496 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 2496 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 2496 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 2496 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 2496 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 2332 wrote to memory of 2772 N/A C:\program files\internet explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2332 wrote to memory of 2772 N/A C:\program files\internet explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2332 wrote to memory of 2772 N/A C:\program files\internet explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2332 wrote to memory of 2772 N/A C:\program files\internet explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\094c102cfe009d32dcc6472fbdeb13fc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\094c102cfe009d32dcc6472fbdeb13fc_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2332 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe

MD5 1cc325a1101ef64554b026a2f9ef24c0
SHA1 9ad930fb4e5641c9147af575c2ac8bd0496ab87c
SHA256 848500536d90cae3b795a1924f08816bc431514e2922a9bc2c3a9373645b2102
SHA512 448c232ed493500ccdc9e66a16357c4502ce76fce51f4ff8f00baf07bd897908aacdb0fe1ffdbeff73eb4e041e98d5aa57cacc073fff9c927718deb934e315d3

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 19:58

Reported

2024-06-20 20:00

Platform

win10v2004-20240508-en

Max time kernel

78s

Max time network

87s

Command Line

"C:\Users\Admin\AppData\Local\Temp\094c102cfe009d32dcc6472fbdeb13fc_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\094c102cfe009d32dcc6472fbdeb13fc_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\FieleWay.txt C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2500 set thread context of 1552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe C:\program files\internet explorer\IEXPLORE.EXE

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{73696E78-2F3F-11EF-BCA5-6E6D447F5FDC} = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425075382" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\program files\internet explorer\IEXPLORE.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\094c102cfe009d32dcc6472fbdeb13fc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\094c102cfe009d32dcc6472fbdeb13fc_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1552 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe

MD5 1cc325a1101ef64554b026a2f9ef24c0
SHA1 9ad930fb4e5641c9147af575c2ac8bd0496ab87c
SHA256 848500536d90cae3b795a1924f08816bc431514e2922a9bc2c3a9373645b2102
SHA512 448c232ed493500ccdc9e66a16357c4502ce76fce51f4ff8f00baf07bd897908aacdb0fe1ffdbeff73eb4e041e98d5aa57cacc073fff9c927718deb934e315d3
