Malware Analysis Report

2024-10-23 19:32

Sample ID: 240620-yq42lavgmc
Target: 094f78636280694676dee27f7511d3ed_JaffaCakes118
SHA256: 503215e27d9d00f9e337464dbeb09afa25c45fd40e1ea55bd59d3066f8cd7cb4
Tags: modiloader trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 503215e27d9d00f9e337464dbeb09afa25c45fd40e1ea55bd59d3066f8cd7cb4

Threat Level: Known bad

The file 094f78636280694676dee27f7511d3ed_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Modiloader family

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-20 20:00

Signatures

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modiloader family

modiloader

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-20 20:00
Reported: 2024-06-20 20:02
Platform: win7-20231129-en
Max time kernel: 120s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\094f78636280694676dee27f7511d3ed_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\wmsj.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\video.dll | C:\Windows\wmsj.exe | N/A
File created | C:\Windows\wmsj.exe | C:\Windows\wmsj.exe | N/A
File created | C:\Windows\video.dll | C:\Users\Admin\AppData\Local\Temp\094f78636280694676dee27f7511d3ed_JaffaCakes118.exe | N/A
File created | C:\Windows\wmsj.exe | C:\Users\Admin\AppData\Local\Temp\094f78636280694676dee27f7511d3ed_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\wmsj.exe | C:\Users\Admin\AppData\Local\Temp\094f78636280694676dee27f7511d3ed_JaffaCakes118.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\094f78636280694676dee27f7511d3ed_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\094f78636280694676dee27f7511d3ed_JaffaCakes118.exe"

C:\Windows\wmsj.exe

C:\Windows\wmsj.exe

Network

N/A

Files

memory/1068-0-0x0000000000400000-0x0000000000427000-memory.dmp

C:\Windows\wmsj.exe

MD5: 094f78636280694676dee27f7511d3ed
SHA1: d0b41105434bfb4a09e01d23970b04b80b622b54
SHA256: 503215e27d9d00f9e337464dbeb09afa25c45fd40e1ea55bd59d3066f8cd7cb4
SHA512: c2543b7abf9af467eadca2857b3476b1af371db0f476d16ffab3e59de1e9c1e9021f29d13da622cfffcb1b293c1d51ff33cb7bf9be7b94f7a8815742c5b2615c

memory/1068-7-0x00000000001B0000-0x00000000001D7000-memory.dmp

memory/2212-11-0x0000000000400000-0x0000000000427000-memory.dmp

C:\Windows\video.dll

MD5: 38935bc4246f150a4647a22ba5b23d1c
SHA1: f79a26c9de641cff25eb7958eaa063b7aa431ed5
SHA256: db7a8dd9934af10c9f7362c1bb17c0e3442cfd125c1a800443421a1f9d6dd5d5
SHA512: 42a4d4dcf7e346752af9d93950f3c8f682a679613a4750586bcdfe39ceb6d7f37df6fa604564252c4efb5da18dc88efc1f92e161981b9a9baddc07357982e722

memory/1068-12-0x0000000000400000-0x0000000000427000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-20 20:00
Reported: 2024-06-20 20:02
Platform: win10v2004-20240508-en
Max time kernel: 140s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\094f78636280694676dee27f7511d3ed_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\wmsj.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\wmsj.exe | N/A
N/A | N/A | C:\Windows\wmsj.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\wmsj.exe | C:\Users\Admin\AppData\Local\Temp\094f78636280694676dee27f7511d3ed_JaffaCakes118.exe | N/A
File created | C:\Windows\video.dll | C:\Windows\wmsj.exe | N/A
File created | C:\Windows\wmsj.exe | C:\Windows\wmsj.exe | N/A
File created | C:\Windows\video.dll | C:\Users\Admin\AppData\Local\Temp\094f78636280694676dee27f7511d3ed_JaffaCakes118.exe | N/A
File created | C:\Windows\wmsj.exe | C:\Users\Admin\AppData\Local\Temp\094f78636280694676dee27f7511d3ed_JaffaCakes118.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\wmsj.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\094f78636280694676dee27f7511d3ed_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\094f78636280694676dee27f7511d3ed_JaffaCakes118.exe"

C:\Windows\wmsj.exe

C:\Windows\wmsj.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp

Files

memory/1564-2-0x0000000000400000-0x0000000000427000-memory.dmp

C:\Windows\wmsj.exe

MD5: 094f78636280694676dee27f7511d3ed
SHA1: d0b41105434bfb4a09e01d23970b04b80b622b54
SHA256: 503215e27d9d00f9e337464dbeb09afa25c45fd40e1ea55bd59d3066f8cd7cb4
SHA512: c2543b7abf9af467eadca2857b3476b1af371db0f476d16ffab3e59de1e9c1e9021f29d13da622cfffcb1b293c1d51ff33cb7bf9be7b94f7a8815742c5b2615c

memory/4724-5-0x0000000000400000-0x0000000000427000-memory.dmp

C:\Windows\video.dll

MD5: 38935bc4246f150a4647a22ba5b23d1c
SHA1: f79a26c9de641cff25eb7958eaa063b7aa431ed5
SHA256: db7a8dd9934af10c9f7362c1bb17c0e3442cfd125c1a800443421a1f9d6dd5d5
SHA512: 42a4d4dcf7e346752af9d93950f3c8f682a679613a4750586bcdfe39ceb6d7f37df6fa604564252c4efb5da18dc88efc1f92e161981b9a9baddc07357982e722

memory/4724-12-0x0000000000580000-0x000000000058F000-memory.dmp

memory/1564-15-0x0000000000400000-0x0000000000427000-memory.dmp

memory/4724-16-0x0000000000580000-0x000000000058F000-memory.dmp

memory/4724-18-0x0000000000400000-0x0000000000427000-memory.dmp