Analysis Overview
SHA256
16e422f3893d4d5eb913d89e4de87a17eb61b291f0ca13664abef851b93751c1
Threat Level: Known bad
The file 095174c6e40909234aa8db843084b302_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
ModiLoader, DBatLoader
ModiLoader Second Stage
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-20 20:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 20:01
Reported
2024-06-20 20:04
Platform
win7-20240220-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tcpip.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\tcpip.exe | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tcpip.exe | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A |
| File created | C:\Windows\SysWOW64\mmmmmmmm.bat | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A |
| File created | C:\Windows\SysWOW64\msiupdata.dll | C:\Windows\SysWOW64\tcpip.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tcpip.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\095174c6e40909234aa8db843084b302_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\095174c6e40909234aa8db843084b302_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\temp.exe
C:\Users\Admin\AppData\Local\Temp\temp.exe
C:\Users\Admin\AppData\Local\Temp\temp.exe
C:\Windows\SysWOW64\tcpip.exe
C:\Windows\SysWOW64\tcpip.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\mmmmmmmm.bat
Network
Files
memory/1688-1-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1688-2-0x000000000041E000-0x000000000041F000-memory.dmp
memory/1688-4-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\temp.exe
| MD5 | 5ec85a8cc55180c83a471e423fa582fc |
| SHA1 | b5819903dc81e8e37682566c49fc42072b4b5dfa |
| SHA256 | eef41e54a59d4bd70ccfcced60f10a58c75ee13827f629fb566eef2ce43c7af0 |
| SHA512 | 78f952ad04c1c5dca792a87deb9ed20a292364d8ffaf395cec95e0555c2c699dbd65af1e125b498f7cf35bbd796be69b74a87f7f56cc6973f1012cadf9a93c17 |
C:\Windows\SysWOW64\mmmmmmmm.bat
| MD5 | bbb1363ff9d91459fafad63764db72a0 |
| SHA1 | 39363d056769002ec16b5bd869d9a3548d5d131b |
| SHA256 | 4313d66d27196d0fc03c77e21f2b6020adf3f8cf4b7ca6895151c92cf0136bb9 |
| SHA512 | 41bcbaefc2d018f93253202b5fe8864e28b232c3c9a7e7237d74b3a3078dec824fad25045dafc44d3a3faafc0a9bbf3d2d62df08628443a8a1a2fa375974b59a |
memory/1200-20-0x0000000002D20000-0x0000000002D21000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 20:01
Reported
2024-06-20 20:04
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
53s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tcpip.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\mmmmmmmm.bat | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A |
| File created | C:\Windows\SysWOW64\msiupdata.dll | C:\Windows\SysWOW64\tcpip.exe | N/A |
| File created | C:\Windows\SysWOW64\tcpip.exe | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tcpip.exe | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\temp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tcpip.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\095174c6e40909234aa8db843084b302_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\095174c6e40909234aa8db843084b302_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\temp.exe
C:\Users\Admin\AppData\Local\Temp\temp.exe
C:\Users\Admin\AppData\Local\Temp\temp.exe
C:\Windows\SysWOW64\tcpip.exe
C:\Windows\SysWOW64\tcpip.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\mmmmmmmm.bat
Network
Files
memory/3168-0-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3168-2-0x000000000041E000-0x000000000041F000-memory.dmp
memory/3168-3-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\temp.exe
| MD5 | 5ec85a8cc55180c83a471e423fa582fc |
| SHA1 | b5819903dc81e8e37682566c49fc42072b4b5dfa |
| SHA256 | eef41e54a59d4bd70ccfcced60f10a58c75ee13827f629fb566eef2ce43c7af0 |
| SHA512 | 78f952ad04c1c5dca792a87deb9ed20a292364d8ffaf395cec95e0555c2c699dbd65af1e125b498f7cf35bbd796be69b74a87f7f56cc6973f1012cadf9a93c17 |
C:\Windows\SysWOW64\mmmmmmmm.bat
| MD5 | bbb1363ff9d91459fafad63764db72a0 |
| SHA1 | 39363d056769002ec16b5bd869d9a3548d5d131b |
| SHA256 | 4313d66d27196d0fc03c77e21f2b6020adf3f8cf4b7ca6895151c92cf0136bb9 |
| SHA512 | 41bcbaefc2d018f93253202b5fe8864e28b232c3c9a7e7237d74b3a3078dec824fad25045dafc44d3a3faafc0a9bbf3d2d62df08628443a8a1a2fa375974b59a |