Malware Analysis Report

2025-04-13 20:42

Sample ID: 240703-3x7hhsvbne
Target: 23ea74191f5e100227836af412b9e3e2_JaffaCakes118
SHA256: d33952d9c1ed4a44279ffbf758e3ea59ba298a51439289652b62ad2a2dd835a6
Tags: modiloader trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: d33952d9c1ed4a44279ffbf758e3ea59ba298a51439289652b62ad2a2dd835a6

Threat Level: Known bad

The file 23ea74191f5e100227836af412b9e3e2_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Enumerates connected drives

Drops autorun.inf file

Drops file in Program Files directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-03 23:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-03 23:54
Reported: 2024-07-03 23:57
Platform: win7-20240611-en
Max time kernel: 141s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened for modification F:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\paramstr.txt C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe"

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 316

Network

N/A

Files

memory/2420-0-0x0000000000400000-0x0000000000516000-memory.dmp

memory/2420-1-0x0000000000400000-0x0000000000516000-memory.dmp

memory/2420-2-0x0000000000400000-0x0000000000516000-memory.dmp

memory/2420-3-0x0000000000400000-0x0000000000516000-memory.dmp

memory/2420-22-0x0000000000400000-0x0000000000516000-memory.dmp

C:\AutoRun.inf

MD5 42e6ddc67c0c51a3e39780a99988f551
SHA1 3422a8dde772d662217339179f81ccb3686780d4
SHA256 f9c0462fff3f51f85aa116b2d0f38fd2a8e7263284a3bb1cde9b87a92abfaf01
SHA512 e1a316110a286ce72a8948e67b1c38e29cec73720780886873f00f0082ddee21557d8c7eb8106531f4cf0d3bf5b7945b60fe11f792e3ba70879e6a7063acea5b

memory/2420-24-0x0000000000400000-0x0000000000516000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-03 23:54
Reported: 2024-07-03 23:57
Platform: win10v2004-20240508-en
Max time kernel: 41s
Max time network: 47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A
File opened for modification F:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\paramstr.txt C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\23ea74191f5e100227836af412b9e3e2_JaffaCakes118.exe"

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4804 -ip 4804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 696

Network

Country | Destination | Domain                | Proto
US      | 8.8.8.8:53  | 8.8.8.8.in-addr.arpa  | udp

Files

memory/4804-0-0x0000000000400000-0x0000000000516000-memory.dmp

memory/4804-1-0x0000000002200000-0x0000000002254000-memory.dmp

memory/4804-13-0x0000000003480000-0x0000000003481000-memory.dmp

memory/4804-12-0x0000000003380000-0x0000000003383000-memory.dmp

memory/4804-11-0x0000000003390000-0x0000000003391000-memory.dmp

memory/4804-10-0x00000000023B0000-0x00000000023B1000-memory.dmp

memory/4804-9-0x0000000002420000-0x0000000002421000-memory.dmp

memory/4804-8-0x00000000023F0000-0x00000000023F1000-memory.dmp

memory/4804-7-0x0000000002400000-0x0000000002401000-memory.dmp

memory/4804-6-0x0000000002390000-0x0000000002391000-memory.dmp

memory/4804-5-0x00000000023A0000-0x00000000023A1000-memory.dmp

memory/4804-4-0x0000000002410000-0x0000000002411000-memory.dmp

memory/4804-3-0x00000000023C0000-0x00000000023C1000-memory.dmp

memory/4804-2-0x00000000023E0000-0x00000000023E1000-memory.dmp

memory/4804-14-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/4804-16-0x00000000033C0000-0x00000000033C1000-memory.dmp

memory/4804-19-0x0000000003410000-0x0000000003411000-memory.dmp

memory/4804-18-0x00000000033A0000-0x00000000033A1000-memory.dmp

memory/4804-15-0x00000000007B0000-0x00000000007B1000-memory.dmp

memory/4804-17-0x00000000033B0000-0x00000000033B1000-memory.dmp

C:\AutoRun.inf

MD5 42e6ddc67c0c51a3e39780a99988f551
SHA1 3422a8dde772d662217339179f81ccb3686780d4
SHA256 f9c0462fff3f51f85aa116b2d0f38fd2a8e7263284a3bb1cde9b87a92abfaf01
SHA512 e1a316110a286ce72a8948e67b1c38e29cec73720780886873f00f0082ddee21557d8c7eb8106531f4cf0d3bf5b7945b60fe11f792e3ba70879e6a7063acea5b

memory/4804-20-0x00000000025A0000-0x00000000025A1000-memory.dmp

memory/4804-40-0x0000000000400000-0x0000000000516000-memory.dmp

memory/4804-41-0x0000000002200000-0x0000000002254000-memory.dmp