Malware Analysis Report

2025-08-05 16:53

Sample ID 250127-skypqsvndn
Target JaffaCakes118_40dc55f1536a246b022472f447620235
SHA256 e8ed6adb9f041680de3f74491a5e89bc53cdf872c0eee307fc1ef52ec3118e14
Tags
modiloader discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e8ed6adb9f041680de3f74491a5e89bc53cdf872c0eee307fc1ef52ec3118e14

Threat Level: Known bad

The file JaffaCakes118_40dc55f1536a246b022472f447620235 was found to be: Known bad.

Malicious Activity Summary

modiloader discovery trojan

Modiloader family

ModiLoader, DBatLoader

ModiLoader Second Stage

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-27 15:11

Signatures

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modiloader family

modiloader

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-27 15:11

Reported

2025-01-27 15:14

Platform

win7-20241023-en

Max time kernel

119s

Max time network

120s

Command Line

C:\Windows\Explorer.EXE

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modiloader family

modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dc55f1536a246b022472f447620235.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dc55f1536a246b022472f447620235.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dc55f1536a246b022472f447620235.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

Network

N/A

Files

memory/2652-4-0x0000000002390000-0x0000000002399000-memory.dmp

\Users\Admin\AppData\Local\Temp\server.exe

MD5 723fc73467d4c8e79f615bb510d2ce1d
SHA1 19ea3c5221b035643cba3844c2a41edaa03eb87a
SHA256 063481090a49a80feed9c88f8ca62f7f6919fff2adea4309323fdeb3d79f3ddd
SHA512 e0acec47316335264bbf7f020f05784d3ac3cb6765cfda812df0c5a991575a38992333c5e74d43bbb69a0f6275777a9deadbcb4464704b9e6aa1ca39acc03b22

memory/1212-12-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

memory/2532-15-0x0000000010000000-0x0000000010011000-memory.dmp

memory/2652-21-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1212-22-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

memory/2532-34-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-27 15:11

Reported

2025-01-28 08:27

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

144s

Command Line

C:\Windows\Explorer.EXE

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modiloader family

modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dc55f1536a246b022472f447620235.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dc55f1536a246b022472f447620235.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dc55f1536a246b022472f447620235.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dc55f1536a246b022472f447620235.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 218.110.86.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 7.98.51.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 723fc73467d4c8e79f615bb510d2ce1d
SHA1 19ea3c5221b035643cba3844c2a41edaa03eb87a
SHA256 063481090a49a80feed9c88f8ca62f7f6919fff2adea4309323fdeb3d79f3ddd
SHA512 e0acec47316335264bbf7f020f05784d3ac3cb6765cfda812df0c5a991575a38992333c5e74d43bbb69a0f6275777a9deadbcb4464704b9e6aa1ca39acc03b22

memory/1728-14-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.exe

MD5 e278df043a74086cf5b16328f47ab25d
SHA1 e67a644885cbdbb3740956fa2523ac7ef7da8165
SHA256 a3797ecbb2bd4466de8c702f763f1e058303216bcb5135566a90dff6a1d2643a
SHA512 404e1450094e751ad80b9e52d2feccc25fbb045b6bdd50e5438b4c4722fa61f2575703810ea019994ed833c5e09f93e6bd3f533e765a359de7543de5c15a8e89

memory/1728-17-0x0000000010000000-0x0000000010011000-memory.dmp

memory/3420-18-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

memory/1856-20-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3420-22-0x000000007FFC0000-0x000000007FFC6000-memory.dmp

memory/1728-26-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1728-27-0x0000000010000000-0x0000000010011000-memory.dmp