Malware Analysis Report

2025-04-13 20:42

Sample ID 240704-fml3haxfkh
Target 24b56317bb0c9e124263e7a6968d8df6_JaffaCakes118
SHA256 6987f83bea3a8767c163dbe51ff09621c8b18355b1223a5d9b4b852340c95587
Tags
persistence modiloader trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6987f83bea3a8767c163dbe51ff09621c8b18355b1223a5d9b4b852340c95587

Threat Level: Known bad

The file 24b56317bb0c9e124263e7a6968d8df6_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence modiloader trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Program crash

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-04 04:59

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 04:59

Reported

2024-07-04 05:01

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24b56317bb0c9e124263e7a6968d8df6_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\24b56317bb0c9e124263e7a6968d8df6_JaffaCakes118.exe
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\24b56317bb0c9e124263e7a6968d8df6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\24b56317bb0c9e124263e7a6968d8df6_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 188

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

MD5 ef8199679933d079b9c0a25d5da4ada5
SHA1 cd152168f0083096d0f3407cbc992fbc2c00bb1f
SHA256 eebb8515f911596835d376d566a9a1fba36d05503b7a730ba6ec60b24152a105
SHA512 e14e03df6895e0e445ecf6b472a4561ee3a7d94d51d0038087698d7cbb37e80187db28d0c72e12e60815cebed2474ccdd5c7a065d38e69b8ce1c467059a846d5

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 04:59

Reported

2024-07-04 05:02

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24b56317bb0c9e124263e7a6968d8df6_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
Target: N/A

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\X-CRYP~1.EXE
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\24b56317bb0c9e124263e7a6968d8df6_JaffaCakes118.exe
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\24b56317bb0c9e124263e7a6968d8df6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\24b56317bb0c9e124263e7a6968d8df6_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 728 -ip 728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 464

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\X-CRYP~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\X-CRYP~1.EXE

Network

Country  Destination  Domain                            Proto
US       8.8.8.8:53   196.249.167.52.in-addr.arpa       udp
US       8.8.8.8:53   172.210.232.199.in-addr.arpa      udp
US       8.8.8.8:53   67.31.126.40.in-addr.arpa         udp
US       8.8.8.8:53   28.118.140.52.in-addr.arpa        udp
US       8.8.8.8:53   183.59.114.20.in-addr.arpa        udp
US       8.8.8.8:53   18.31.95.13.in-addr.arpa          udp
US       8.8.8.8:53   14.227.111.52.in-addr.arpa        udp
US       8.8.8.8:53   9.179.89.13.in-addr.arpa          udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

MD5 ef8199679933d079b9c0a25d5da4ada5
SHA1 cd152168f0083096d0f3407cbc992fbc2c00bb1f
SHA256 eebb8515f911596835d376d566a9a1fba36d05503b7a730ba6ec60b24152a105
SHA512 e14e03df6895e0e445ecf6b472a4561ee3a7d94d51d0038087698d7cbb37e80187db28d0c72e12e60815cebed2474ccdd5c7a065d38e69b8ce1c467059a846d5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\X-CRYP~1.EXE

MD5 a3219d3fe98e10cf00905595edfba356
SHA1 3f1261e506e5b1544bafce66783716591338c118
SHA256 17540c2fcaa841404bd5a2a3e08b8f75fdc45176e56f9fe5845c7a60a8814cd0
SHA512 8df626a018ed919c41d78759c4c149a93a68e32ac5e03d99564e0b15007c575c12e2f6aabd25b53a74faa241e39023c4c5fbcf5925cd5978be330fada655cd3f

memory/3484-11-0x0000000002310000-0x0000000002311000-memory.dmp

memory/3484-12-0x0000000000400000-0x000000000048E000-memory.dmp

memory/3484-14-0x0000000002310000-0x0000000002311000-memory.dmp