Analysis Overview
SHA256
4a50cd06ce90a73d0528477068533f5356a7928bfd14b50180cff9f5c03bc7f3
Threat Level: Known bad
The file 249b22784009266f7d07dd0ee803e6e1_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
ModiLoader, DBatLoader
ModiLoader Second Stage
Modiloader family
ModiLoader Second Stage
Creates new service(s)
UPX packed file
Deletes itself
Launches sc.exe
Unsigned PE
Runs net.exe
Suspicious use of WriteProcessMemory
Discovers systems in the same network
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-04 04:18
Signatures
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modiloader family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-04 04:18
Reported
2024-07-04 04:21
Platform
win7-20240419-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Creates new service(s)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
Runs net.exe
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\249b22784009266f7d07dd0ee803e6e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\249b22784009266f7d07dd0ee803e6e1_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc create WinServerView binpath= "c:\ceshi\sys_temtray.exe" type= share start= auto displayname= "systemtray" depend= RPCSS/Tcpip/IPSec
C:\Windows\SysWOW64\sc.exe
sc create WinServerView binpath= "c:\ceshi\sys_temtray.exe" type= share start= auto displayname= "systemtray" depend= RPCSS/Tcpip/IPSec
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net start WinServerView
C:\Windows\SysWOW64\net.exe
net start WinServerView
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start WinServerView
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\del.bat
Network
Files
memory/1576-0-0x0000000000400000-0x0000000000481000-memory.dmp
memory/1576-1-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1576-14-0x0000000000400000-0x0000000000481000-memory.dmp
C:\del.bat
| MD5 | cb536ec70b2337aed312ba94189bbc60 |
| SHA1 | 6610c33899dcc67dabeee99389d58b8ec5ba8d6d |
| SHA256 | 7e09f7a49358822b6fcf46429d33ffc77342a6191e2eee1fb02ace50aff41026 |
| SHA512 | 29b40614dd2885be10e7bf9700ce10b3874363ef113087da2070bc2ffc293f35395b753fc13569577a2859d8ee4767659b43760e9dd7d54f9b05bff60169bff7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-04 04:18
Reported
2024-07-04 04:21
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Creates new service(s)
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
Runs net.exe
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\249b22784009266f7d07dd0ee803e6e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\249b22784009266f7d07dd0ee803e6e1_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc create WinServerView binpath= "c:\ceshi\sys_temtray.exe" type= share start= auto displayname= "systemtray" depend= RPCSS/Tcpip/IPSec
C:\Windows\SysWOW64\sc.exe
sc create WinServerView binpath= "c:\ceshi\sys_temtray.exe" type= share start= auto displayname= "systemtray" depend= RPCSS/Tcpip/IPSec
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net start WinServerView
C:\Windows\SysWOW64\net.exe
net start WinServerView
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start WinServerView
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\del.bat
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
Files
memory/4856-0-0x0000000000400000-0x0000000000481000-memory.dmp
memory/4856-1-0x0000000000A80000-0x0000000000A81000-memory.dmp
memory/4856-9-0x0000000000400000-0x0000000000481000-memory.dmp
\??\c:\del.bat
| MD5 | cb536ec70b2337aed312ba94189bbc60 |
| SHA1 | 6610c33899dcc67dabeee99389d58b8ec5ba8d6d |
| SHA256 | 7e09f7a49358822b6fcf46429d33ffc77342a6191e2eee1fb02ace50aff41026 |
| SHA512 | 29b40614dd2885be10e7bf9700ce10b3874363ef113087da2070bc2ffc293f35395b753fc13569577a2859d8ee4767659b43760e9dd7d54f9b05bff60169bff7 |